Security Engines - Anomalies

The Anomalies Engine detects behaviors or actions that seems abnormal when observed in the context of an organization and a user's historical activity. The engine analyzes the behavior using machine-learning algorithm that builds a profile based upon historical event information including login locations and times, data-transfer behavior, and email message patterns. Anomalies are often a sign that an account is compromised.

When anomalies are detected a security event is generated, providing the context and other needed information for investigation.

Anomalies List


Massive senders

Detection of users sending out emails at a rate that is unusual to their past behavior.

Logic: this anomaly is based on a baseline, generated during learning period during which we build a profile of the users. After a baseline is established the engine starts measuring emails send rate, and generate an alert when unusual high amount of emails are sent.

Event text:

<user> has sent an unusual number of emails - at a rate of <rate> emails per minute.

Reset Password

Detection of account takeover. 

Logic: generate an alert if a user has received 3 or more password reset emails (from different services) in a short span of time, alerting the admins that someone had attempted to recover the password for 3 different services.

Unusual Country

Detect emails from suspicious countries.

Logic: detect incoming emails from countries that are often associated with phishing attempts and various types of cyber attacks.
It is possible to use anomalies allow-list to ignore events from either of these two states.

Suspicious Geo Location

Detect possible credential theft and use from another location.

Logic: detect frequent login and emails events from different states and locations, alerting the admins to what is likely to be another person operating from an account of a company employees.
It is possible to create allow-list rule of accounts (for example, employees that use VPN or similar tools on a frequent basis).

Suspicious MFA login failure

Detect login operations that failed the Multi Factor Authentication (MFA)/Second Factor Authentication (2FA) stage.

Logic: check failed login operations, in which the user failed to validate using 2nd factor (provide the temporary code). To reduce the rate of false detection, the engine tries to correlate the failed MFA with additional events or follow-up success logins

Note that the detection is not generated in real time as it looks back and analyses past events. Alert may be generated a few hours after the failed login.

Event text:

A suspicious login failure for <email>, attempting to login from <geo location>, failing at the MFA stage

New auto-forwarding to external email address

Detect potential malicious configuration to divert email traffic outside of the organization.

Supports Office 365 only.

Logic: inspect new auto-forwarding rules created in Office 365, and check if the target email is ‘external' to the organization.

The severity of the anomaly is determined according to the ‘condition’ of forwarding: no condition - “high”, otherwise, “medium.

This anomaly is based on reading the Office 365 management events and processing the specific events that gets triggered when a mailbox auto-forwarding rule is created.

New delete-all-emails rule

Detect potential malicious configuration to delete all incoming emails. This behavior may indicate an account takeover.

Logic: inspect new rules configured to delete all incoming emails.

Severity: highest

Client is a vulnerable browser

Check the client browser vulnerability.

Logic: check which browser version is used by the end user performing the event (when reported by the SaaS), and compares it to a list of old versions (with known vulnerabilities).