Abnormal Security VendorBase Vendor Risk Assessment
Overview
Abnormal Security's VendorBase provides AI-driven vendor risk assessment by analyzing email communication patterns between your organization and its vendors. It detects compromised vendor accounts, assesses vendor risk levels, and alerts on suspicious vendor behavior. This is critical for protecting against supply chain email attacks where a trusted vendor's account is taken over and used to send malicious emails.
Vendor Risk Levels
| Level | Score Range | Description | Action |
|---|---|---|---|
| Critical | 90-100 | Active compromise detected or high-confidence indicators | Immediate investigation, block vendor emails |
| High | 70-89 | Strong indicators of compromise or suspicious behavior | Priority investigation within 24 hours |
| Medium | 40-69 | Some risk factors present, warrants monitoring | Monitor, review within 1 week |
| Low | 0-39 | Normal vendor behavior, minimal risk | Routine monitoring |
Risk Factors
| Factor | Description | Weight |
|---|---|---|
| Authentication Failures | SPF/DKIM/DMARC failures from vendor domain | High |
| Sending Pattern Change | Vendor sending from new IPs or mail servers | High |
| Domain Age | Vendor domain recently registered or changed | Medium |
| Content Anomalies | Unusual email content compared to historical patterns | High |
| Financial Requests | Vendor requesting payment changes or wire transfers | Critical |
| Multiple Recipients | Vendor sending to unusual number of your users | Medium |
| New Contacts | Previously unseen sender addresses from vendor domain | Medium |
| Behavioral Anomaly | Communication patterns deviate from baseline | High |
Vendor Field Reference
Core Fields
| Field | Type | Description |
|---|---|---|
| vendorDomain | string | Primary domain of the vendor |
| vendorName | string | Display name / company name |
| riskScore | int | Risk score 0-100 |
| riskLevel | string | Critical, High, Medium, Low |
| lastAssessed | datetime | When the risk was last calculated |
| totalMessages | int | Total emails received from this vendor |
| firstSeen | datetime | When the vendor first emailed your org |
Compromise Indicators
| Field | Type | Description |
|---|---|---|
| isCompromised | boolean | Whether Abnormal has flagged the vendor as compromised |
| compromiseDetectedAt | datetime | When compromise was detected |
| compromiseIndicators | string[] | List of specific indicators |
| affectedUsers | string[] | Your users targeted by the compromised vendor |
Communication Profile
| Field | Type | Description |
|---|---|---|
| typicalSenders | string[] | Known sender addresses from this vendor |
| typicalSubjects | string[] | Common subject line patterns |
| communicationFrequency | string | How often the vendor emails your org |
| lastEmailReceived | datetime | Most recent email from the vendor |
| primaryContacts | string[] | Your users who communicate most with the vendor |
MCP Tools
| Tool | Description | Key Parameters |
|---|---|---|
| abnormal_vendors_list | List vendors with risk scores | pageSize, pageNumber, filter |
| abnormal_vendors_get | Get vendor risk details | vendorDomain |
| abnormal_vendors_activity | Get recent vendor email activity | vendorDomain, fromDate, toDate |
| abnormal_vendors_threats | Get threats from a specific vendor | vendorDomain |
Tool Usage Examples
List high-risk vendors:
```json
{
  "tool": "abnormal_vendors_list",
  "parameters": {
    "filter": "riskLevel eq 'High' or riskLevel eq 'Critical'",
    "pageSize": 25
  }
}
```
Get vendor risk details:
```json
{
  "tool": "abnormal_vendors_get",
  "parameters": {
    "vendorDomain": "example-vendor.com"
  }
}
```
Get threats from a vendor:
```json
{
  "tool": "abnormal_vendors_threats",
  "parameters": {
    "vendorDomain": "example-vendor.com"
  }
}
```
Vendor Investigation Workflows
Compromised Vendor Investigation
- Review compromise indicators:
  - What triggered the detection?
  - When was the compromise detected?
  - Which of your users are affected?
- Analyze recent emails from the vendor:
  - Check for unusual content or requests
  - Look for financial redirect requests
  - Review authentication results (SPF/DKIM/DMARC)
- Assess blast radius:
  - How many users received emails from the compromised vendor?
  - Were any emails acted upon (links clicked, attachments opened)?
- Remediate:
  - Quarantine suspicious emails from the vendor
  - Block the vendor domain temporarily if the compromise is active
  - Notify affected users not to respond to or act on recent vendor emails
- Vendor notification:
  - Contact the vendor through a verified channel (not email)
  - Inform them of the suspected compromise
  - Request confirmation when they have secured their accounts
- Unblock:
  - Once the vendor confirms remediation, unblock and monitor
Vendor Risk Review Workflow
- List all vendors by risk score - Start with the highest risk
- Review risk factors - Understand why each vendor is rated as it is
- Check for new vendors - First-time vendors warrant extra scrutiny
- Compare historical risk - Has the risk score increased recently?
- Generate a report - Summarize the vendor risk posture for stakeholders
Payment Redirect Detection
- Filter vendor emails with financial keywords - "bank details changed", "new account", "updated payment"
- Cross-reference with vendor risk - Is the vendor flagged as compromised?
- Verify through a side channel - Call the vendor to confirm payment changes
- Block if fraudulent - Quarantine and block the sender if BEC is confirmed
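The following is an added example, not Abnormal's code, that ties the Vendor Risk Levels table to the Payment Redirect Detection workflow: it maps a riskScore to its level using the score ranges above, filters a vendor's emails for the listed financial keywords, and returns a triage action per hit based on isCompromised, riskLevel and whether the sender is in typicalSenders. The vendor record, the emails and the action names are constructed for illustration.

```python
"""Added example (not Abnormal's code): triage payment-redirect emails from a
vendor using the field names and score thresholds given on this page.
The vendor record and emails below are constructed sample data."""

# Score ranges from the Vendor Risk Levels table (level, lowest score in band)
RISK_BANDS = (("Critical", 90), ("High", 70), ("Medium", 40), ("Low", 0))
# Keywords listed in the Payment Redirect Detection workflow
FINANCIAL_KEYWORDS = ("bank details changed", "new account", "updated payment")

def risk_level(score: int) -> str:
    """Map a 0-100 riskScore to the riskLevel string used by VendorBase."""
    if not 0 <= score <= 100:
        raise ValueError(f"riskScore out of range: {score}")
    for level, floor in RISK_BANDS:
        if score >= floor:
            return level

def triage_payment_emails(vendor: dict, emails: list[dict]) -> list[dict]:
    """Return one decision per email that carries a financial keyword.
    Compromised or Critical/High vendor -> quarantine and verify by phone;
    a sender not in typicalSenders -> hold and verify; otherwise verify
    by phone before acting (the workflow never trusts email alone)."""
    level = risk_level(vendor["riskScore"])
    decisions = []
    for msg in emails:
        text = f"{msg['subject']} {msg['body']}".lower()
        if not any(k in text for k in FINANCIAL_KEYWORDS):
            continue
        new_sender = msg["from"] not in vendor["typicalSenders"]
        if vendor["isCompromised"] or level in ("Critical", "High"):
            action = "quarantine_and_verify_by_phone"
        elif new_sender:
            action = "hold_and_verify_by_phone"
        else:
            action = "verify_by_phone_before_acting"
        decisions.append({"id": msg["id"], "action": action, "newSender": new_sender})
    return decisions

# Constructed sample data (not real vendors or messages)
SAMPLE_VENDOR = {"vendorDomain": "example-vendor.com", "riskScore": 82,
                 "isCompromised": False, "typicalSenders": ["ap@example-vendor.com"]}
SAMPLE_EMAILS = [
    {"id": "m1", "from": "ap@example-vendor.com", "subject": "Invoice 1042",
     "body": "Please find the invoice attached."},
    {"id": "m2", "from": "finance@example-vendor.com", "subject": "Updated payment instructions",
     "body": "Our bank details changed; please use the new account for future payments."},
]

if __name__ == "__main__":
    print(triage_payment_emails(SAMPLE_VENDOR, SAMPLE_EMAILS))
```

Only m2 is returned: the vendor's score of 82 falls in the High band, so the new sender's payment-change request is quarantined pending phone verification.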
Error Handling
Common API Errors
| Code | Message | Resolution |
|---|---|---|
| 400 | Invalid vendor domain | Verify domain format |
| 401 | Unauthorized | Check API token |
| 404 | Vendor not found | Domain may not be in VendorBase yet |
| 429 | Rate limited | Wait and retry |
Best Practices
- Review critical vendors weekly - High-risk vendors need regular attention
- Act immediately on compromises - Emails from a compromised vendor are highly convincing
- Verify payment changes via phone - Never trust payment redirect requests received by email
- Monitor new vendors closely - First-time vendors lack a behavioral baseline
- Track risk score trends - Rising scores indicate emerging risk
- Correlate with threat data - Vendor risk and threat detections complement each other
- Document vendor communications - Maintain a log of verified vendor contacts
Related Skills