How Does Compromised Account Detection Work?

By José Ferreira • August 8, 2017

Nowadays, user email accounts can be compromised in a number of ways. When malware compromises a user account, that account can be used to spread spam and malware, and also to gather personal information for a spear phishing attack or even to order a wire transfer. That is why it is important for users to take action to protect their accounts, especially those with higher levels of access and authorization, such as administrators.

AnubisNetworks is focused on securing email communications. Our newest release focuses on monitoring user activity beyond authentication, providing an additional security layer aimed at compromised accounts.

Compromised Account Detection Engine

We have introduced new functionality built on our authentication engine and on the integrity of users sending email. This new module specifically monitors each user's authentication profile in order to find compromised accounts.

How does this work? When a user authenticates through Outlook, Thunderbird, the Apple Mail app or another mail client to send a message, we perform a geospatial analysis based on the user's location and take pre-emptive action when the activity is suspicious. We ship safe default values, but the domain administrator can still configure every setting and define exceptions.

Additionally, the administrator can be notified by email of that behaviour; the notification includes all the offending IP addresses, the country and the time stamp.
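To make the geospatial check concrete, here is an added example (not AnubisNetworks' code) of the kind of analysis described above: each SMTP-auth login is compared with the user's previous login, and a pair of logins whose implied travel speed is impossible produces an alert carrying the offending IPs, countries and time stamps. The 900 km/h default, the per-domain allowed-country and trusted-IP exceptions, the user names and the documentation-range IPs are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt
from typing import Optional

@dataclass
class AuthEvent:
    """One authenticated submission attempt (IP already geolocated)."""
    user: str
    ip: str
    country: str
    lat: float
    lon: float
    when: datetime

@dataclass
class Alert:
    """What the administrator notification would carry."""
    user: str
    reason: str
    offending_ips: list
    countries: list
    timestamps: list

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points."""
    r = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * r * asin(sqrt(a))

class GeoAuthDetector:
    """Flags logins whose implied travel speed is impossible.

    max_speed_kmh is the 'safe default' (assumption: roughly airliner speed);
    allowed_countries and trusted_ips model the domain administrator's exceptions.
    """
    def __init__(self, max_speed_kmh=900.0, allowed_countries=(), trusted_ips=()):
        self.max_speed_kmh = max_speed_kmh
        self.allowed_countries = set(allowed_countries)  # e.g. a branch office abroad
        self.trusted_ips = set(trusted_ips)              # e.g. corporate VPN egress
        self.last_seen = {}                              # user -> last untrusted AuthEvent

    def check(self, ev: AuthEvent) -> Optional[Alert]:
        # Trusted egress IPs are ignored entirely so they never become the baseline.
        if ev.ip in self.trusted_ips:
            return None
        prev = self.last_seen.get(ev.user)
        self.last_seen[ev.user] = ev
        if prev is None or ev.country in self.allowed_countries:
            return None
        dist = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
        if dist < 1.0:  # same location (or same IP): not travel
            return None
        hours = (ev.when - prev.when).total_seconds() / 3600.0
        speed = float("inf") if hours <= 0 else dist / hours
        if speed <= self.max_speed_kmh:
            return None
        return Alert(
            user=ev.user,
            reason=f"impossible travel: {dist:.0f} km in {hours:.2f} h",
            offending_ips=[prev.ip, ev.ip],
            countries=[prev.country, ev.country],
            timestamps=[prev.when, ev.when],
        )

def run_demo():
    """Constructed sample: alice is hijacked, bob's Spanish login is an admin exception."""
    det = GeoAuthDetector(allowed_countries={"ES"})
    t0 = datetime(2017, 8, 8, 9, 0, 0)
    events = [
        AuthEvent("alice", "203.0.113.10", "PT", 38.7223, -9.1393, t0),                      # Lisbon
        AuthEvent("bob",   "203.0.113.11", "PT", 38.7223, -9.1393, t0),                      # Lisbon
        AuthEvent("alice", "198.51.100.7", "US", 40.7128, -74.0060, t0 + timedelta(minutes=30)),  # New York
        AuthEvent("bob",   "192.0.2.44",   "ES", 40.4168, -3.7038, t0 + timedelta(minutes=30)),   # Madrid, allowed
        AuthEvent("alice", "198.51.100.7", "US", 40.7128, -74.0060, t0 + timedelta(hours=2)),     # same place
    ]
    return [a for a in (det.check(e) for e in events) if a]

if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Only alice's Lisbon-to-New-York pair (about 5,400 km in half an hour) is reported; bob's Madrid login would also exceed the speed limit but is suppressed by the administrator's country exception, which is the kind of tuning the settings and exceptions mentioned above exist for.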

Combining Suspicious Senders with Quota Management

This feature complements email quota management, which lets the domain administrator control the number of emails a user can send per hour (or per day). This is primarily a platform-control feature, but it is also an email security feature, in the sense that it enables detection of botnet senders: a user might send something like 200 emails a day, whereas an infected system can send that many in a couple of seconds.

Like the Compromised Accounts functionality, email quota management can also notify administrators when a threshold is hit, even before the user starts to be blocked.
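The quota behaviour described in the two paragraphs above, as an added example that is not AnubisNetworks' implementation: a per-user sliding-window counter with a hard send limit and a lower notification threshold, so the administrator hears about a user approaching the limit before any message is blocked. The 200-per-day limit, the notify-at-160 threshold and the two simulated senders are constructed assumptions.

```python
from collections import Counter, deque
from datetime import datetime, timedelta

class SendQuota:
    """Sliding-window send quota with an early-warning threshold.

    limit: messages allowed inside one window (e.g. 200 per day).
    window: timedelta over which sends are counted.
    notify_at: count at which the administrator is notified (must be < limit).
    """
    def __init__(self, limit, window, notify_at):
        assert notify_at < limit, "notification must precede blocking"
        self.limit = limit
        self.window = window
        self.notify_at = notify_at
        self.sent = {}            # user -> deque of send timestamps in the window
        self.notifications = []   # (user, count, when) records for the admin

    def record_send(self, user, when):
        """Return 'accepted' or 'blocked' for a send attempt at time `when`."""
        q = self.sent.setdefault(user, deque())
        # Drop sends that have aged out of the sliding window.
        while q and when - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return "blocked"
        q.append(when)
        # Threshold hit: notify once, while the user is still being accepted.
        if len(q) == self.notify_at:
            self.notifications.append((user, len(q), when))
        return "accepted"

def simulate_day():
    """Constructed sample: a human sends 150 mails over a day, a bot 300 in 1.5 seconds."""
    quota = SendQuota(limit=200, window=timedelta(days=1), notify_at=160)
    start = datetime(2017, 8, 8, 9, 0, 0)
    human = [quota.record_send("alice", start + timedelta(minutes=5 * i)) for i in range(150)]
    bot = [quota.record_send("bob", start + timedelta(milliseconds=5 * i)) for i in range(300)]
    return {
        "alice": Counter(human),
        "bob": Counter(bot),
        "notifications": quota.notifications,
    }

if __name__ == "__main__":
    for name, value in simulate_day().items():
        print(name, value)
```

The human sender never reaches the notification threshold, while the infected account triggers the administrator notification at its 160th message and is blocked from the 201st onward; both outcomes come from the same counter, which is why quota management serves as both a platform control and a botnet-sender detector.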

Why is this important?

Detecting email fraud is one of the most important inbound filtering capabilities that a top-class email security gateway must have. Detecting spoofing, detecting look-alike domains, and checking SPF and DKIM authentication together ensure that many phishing and spear phishing campaigns are caught by the filter. AnubisNetworks' Mail Protection Service offers these capabilities.

But there is another case, where the email passes the authentication mechanisms and is actually legitimate from the sender's perspective, except that the account has been compromised and someone else (or a botnet) is accessing it and using it to send email. This is where the Compromised Account Detection Engine comes in: it looks at accounts authenticating to send email and detects strange geolocation patterns.

Stay tuned for more great features coming soon!