Abnormal Security

What Abnormal Security actually does

Abnormal sits behind your existing email infrastructure (Microsoft 365 or Google Workspace) and catches the attacks your secure email gateway misses. Specifically: business email compromise, vendor impersonation, and social engineering.

It connects via API — no MX record changes, no mail flow disruption. It builds a behavioral model of your organization’s communication patterns and flags anomalies.

Who it’s best for

• Organizations with 100+ mailboxes that already have a SEG but still see BEC attacks getting through
• Finance and executive teams that are targeted by invoice fraud and impersonation
• Companies using Microsoft 365 or Google Workspace as their primary email platform
• Security teams tired of writing manual rules to catch evolving social engineering tactics

Pricing reality check

Abnormal is priced per mailbox and is not inexpensive. But the ROI calculation is straightforward: one prevented BEC attack typically pays for years of the subscription. Organizations have lost six figures to a single compromised invoice redirect.

The pricing gets more reasonable at scale. Below 100 mailboxes, the per-seat cost is harder to justify unless your organization handles high-value financial transactions.

Alternatives to consider

• Microsoft Defender for Office 365 — Included in some M365 plans. Improving but still rules-based for BEC detection.
• Proofpoint TAP — Strong SEG. Better at malware-laden email. Weaker on pure social engineering.
• Mimecast — Similar to Proofpoint. Good gateway, less behavioral analysis.

The Charting Cyber take

If your problem is BEC and social engineering — and your SEG keeps missing them — Abnormal is the answer. In environments where Proofpoint is already in place, the catch rate on impersonation attacks is immediately noticeable.

The API deployment model means you can run it in monitor-only mode first. No risk to mail flow. A 30-day evaluation period before committing is standard practice.