Abnormal Security for Stopping BEC and Social Engineering
Abnormal Security by Abnormal Security · San Francisco, CA
AI-powered email security platform that stops advanced email attacks by understanding human behavior patterns.
In-Depth Review
Abnormal Security launched in 2018 with a focused thesis: the most damaging email attacks do not contain malware, malicious links, or any traditional indicators of compromise. Business email compromise, executive impersonation, and vendor fraud attacks succeed through social engineering alone, and no amount of URL scanning or attachment sandboxing can stop them. Abnormal’s behavioral AI approach was built specifically for this gap.
What Sets Abnormal Security Apart
Abnormal’s behavioral profiling engine is fundamentally different from traditional email security approaches. Rather than analyzing email content for known threat indicators, the platform builds a model of normal communication patterns for every employee and external contact: who they email, when, how they write, what they typically request, and from what devices and locations. When an email deviates from these patterns — a “CEO” urgently requesting a wire transfer from an unusual domain, or a vendor sending an invoice from a slightly different email address — Abnormal flags it as anomalous.
This approach is uniquely effective against payload-less attacks. A text-only email from a spoofed executive domain requesting a payroll change contains no malicious links, no attachments, and no indicators that traditional secure email gateways can detect. Abnormal catches these attacks because the behavioral pattern is anomalous, regardless of the email content.
The API-based deployment model is another significant advantage. By integrating directly with Microsoft 365 and Google Workspace APIs rather than sitting inline as a mail flow proxy, Abnormal deploys in minutes without requiring MX record changes, mail routing modifications, or any disruption to email delivery. This also enables capabilities that inline gateways cannot provide, such as detecting account takeover by monitoring mailbox rules, sign-in patterns, and internal email behavior.
Limitations to Understand
Abnormal is deliberately narrow in scope. It is an email security tool, not an endpoint protection, network detection, or SIEM platform. Organizations should view it as a specialized layer that sits above their existing email security stack (Microsoft Defender, Google Security, or third-party SEG), not as a replacement for broader security infrastructure.
The behavioral model requires a learning period of 14-30 days to establish baselines. During this period, detection accuracy is lower, and organizations may see both false positives and missed detections. The model also performs best in environments with consistent email communication patterns — highly seasonal businesses or organizations with frequent personnel changes may experience more variable detection quality.
The Bottom Line
Abnormal Security is the best-in-class solution for the specific problem of socially engineered email attacks. If BEC, executive impersonation, and vendor fraud are material risks for your organization — and for any company that moves money via email, they are — Abnormal provides detection capabilities that no other tool category can match. Deploy it as a layer above your existing email security, not as a replacement.
Strengths
- Addresses the number one financial loss vector in cybersecurity — BEC attacks cause more financial damage than ransomware
- API deployment means security teams can add the layer without any mail flow changes or downtime
- Behavioral detection catches payload-less attacks (text-only social engineering) that no other category of tool can reliably detect
Limitations
- Narrow focus on email means it must be combined with EDR, NDR, and SIEM tools for comprehensive security coverage
- Behavioral model accuracy depends on consistent email volume — organizations with seasonal communication patterns may see variable detection quality
- Does not provide email encryption, data loss prevention, or archival capabilities that some compliance frameworks require
Key Use Cases
- Deploying behavioral email security as a layer above Microsoft Defender or Google email protection
- Detecting and blocking BEC attacks that bypass traditional secure email gateways using social engineering
- Identifying compromised internal email accounts before they are used for lateral phishing campaigns
- Automating the triage of user-reported phishing emails to eliminate manual SOC workload
- Monitoring supply chain email communications for signs of vendor account compromise
Verdict
Abnormal Security fills a critical gap that traditional email security tools leave wide open: socially engineered attacks that contain no malicious payload. For organizations where BEC, executive impersonation, and vendor fraud are top risks, Abnormal's behavioral AI delivers detection capabilities that no other approach can match. Layer it on top of Microsoft Defender or Google email protection; Abnormal catches what payload-based scanning misses, but does not replace gateway-level filtering or broader security infrastructure.
Pricing
Inbound Email Security
Contact Sales
- BEC and phishing protection
- Behavioral AI detection
- VIP impersonation protection
- Graymail management
- Microsoft 365 / Google Workspace integration
Email Security + Account Takeover
Contact Sales
- Everything in Inbound Email Security
- Account takeover detection
- Compromised account remediation
- Sign-in activity monitoring
- Multi-factor bypass detection
Email Security + Full Platform
Contact Sales
- Everything in Email Security + Account Takeover
- Supply chain fraud protection
- Security posture management
- Abuse mailbox automation
- Multi-channel protection (Slack, Teams)
Integrations
Microsoft 365, Google Workspace, CrowdStrike, Splunk, Microsoft Sentinel, Okta, Slack, Microsoft Teams