From abnormal-security
Investigates Abnormal Security account takeover detections including impossible travel, suspicious sign-ins, mailbox rule changes, and lateral movement. Guides workflows and remediation for compromised accounts.
```shell
npx claudepluginhub wyre-technology/msp-claude-plugins --plugin abnormal-security
```

This skill uses the workspace's default tool permissions.
Abnormal Security's Account Takeover Protection monitors sign-in activity and mailbox behavior to detect compromised internal accounts. By analyzing user behavior patterns, device fingerprints, sign-in locations, and mailbox rule changes, Abnormal identifies accounts that have been taken over by attackers. This skill covers ATO case management, investigation workflows, and remediation actions.
| Indicator | Description | Risk Level |
|---|---|---|
| Impossible Travel | Sign-ins from geographically distant locations in short time | High |
| Unusual Sign-in Location | Sign-in from a country or region not seen before | Medium |
| New Device | Sign-in from an unrecognized device or browser | Medium |
| Suspicious Mailbox Rules | Auto-forward, delete, or move rules targeting sensitive emails | Critical |
| Bulk Email Sending | Account sending mass emails to internal or external recipients | High |
| Password Change | Unexpected password or MFA changes | High |
| Lateral Phishing | Compromised account sending phishing to internal users | Critical |
| Data Exfiltration | Large file downloads or email forwarding to external addresses | Critical |
| Token Theft | Session token stolen and used from different location/device | High |
| Field | Type | Description |
|---|---|---|
| caseId | string | Unique account takeover case ID |
| affectedUser | string | Email address of the compromised account |
| severity | string | Critical, High, Medium, Low |
| detectedAt | datetime | When the takeover was first detected |
| status | string | Open, Investigating, Remediated, Closed |
| Field | Type | Description |
|---|---|---|
| signInEvents | object[] | List of suspicious sign-in events |
| signInEvents[].timestamp | datetime | When the sign-in occurred |
| signInEvents[].ipAddress | string | IP address of the sign-in |
| signInEvents[].location | string | Geographic location (city, country) |
| signInEvents[].device | string | Device or browser fingerprint |
| signInEvents[].status | string | Success, Failed, MFA Challenged |
| signInEvents[].riskLevel | string | Risk assessment of the sign-in |
| Field | Type | Description |
|---|---|---|
| mailboxRules | object[] | Suspicious mailbox rules created |
| mailboxRules[].type | string | Forward, Delete, Move |
| mailboxRules[].target | string | External email or folder target |
| mailboxRules[].createdAt | datetime | When the rule was created |
| emailsSent | int | Number of emails sent during compromise |
| emailsForwarded | int | Number of emails auto-forwarded |
| Tool | Description | Key Parameters |
|---|---|---|
| abnormal_ato_cases_list | List account takeover cases | pageSize, pageNumber, filter, fromDate, toDate |
| abnormal_ato_cases_get | Get ATO case details | caseId |
| abnormal_ato_activity | Get sign-in and mailbox activity for a user | email, fromDate, toDate |
| abnormal_ato_remediate | Take remediation action on an ATO case | caseId, action |
List open ATO cases:
```json
{
  "tool": "abnormal_ato_cases_list",
  "parameters": {
    "filter": "status eq 'Open'",
    "pageSize": 25
  }
}
```
Get ATO case details:
```json
{
  "tool": "abnormal_ato_cases_get",
  "parameters": {
    "caseId": "ato-abc123"
  }
}
```
Get sign-in activity for a user:
```json
{
  "tool": "abnormal_ato_activity",
  "parameters": {
    "email": "user@company.com",
    "fromDate": "2026-03-20T00:00:00Z",
    "toDate": "2026-03-27T00:00:00Z"
  }
}
```
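The sign-in events returned by `abnormal_ato_activity` are what an analyst checks for the Impossible Travel indicator. The following is an added example, not part of the plugin, showing the implied-speed check over events in the `signInEvents[]` shape above; the coordinate table, the 900 km/h threshold and the sample events are constructed for illustration, since the real `location` field is a "city, country" string that would need a geocoder.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed geocoding table for the example (assumption): Abnormal's
# location field is a "city, country" string, so real use needs a geocoder.
GEO = {
    "Chicago, US": (41.8781, -87.6298),
    "Lagos, NG": (6.5244, 3.3792),
}

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) pairs in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def flag_impossible_travel(sign_in_events, max_kmh=900.0):
    """Return consecutive successful sign-in pairs whose implied speed exceeds max_kmh.

    Events follow signInEvents[]: timestamp (ISO 8601), ipAddress, location,
    device, status, riskLevel. Failed and MFA Challenged attempts are skipped
    because they show no successful access; unknown locations are skipped too."""
    ok = sorted(
        (e for e in sign_in_events if e["status"] == "Success" and e["location"] in GEO),
        key=lambda e: e["timestamp"],
    )
    flags = []
    for prev, cur in zip(ok, ok[1:]):
        t0 = datetime.fromisoformat(prev["timestamp"].replace("Z", "+00:00"))
        t1 = datetime.fromisoformat(cur["timestamp"].replace("Z", "+00:00"))
        hours = (t1 - t0).total_seconds() / 3600
        km = haversine_km(GEO[prev["location"]], GEO[cur["location"]])
        if km == 0:
            continue  # same place, nothing to flag
        speed = km / hours if hours > 0 else float("inf")  # same instant, two places
        if speed > max_kmh:
            flags.append({"from": prev, "to": cur, "km": round(km), "speed_kmh": round(speed, 1)})
    return flags

# Constructed activity for one affected user (not real data).
SAMPLE_EVENTS = [
    {"timestamp": "2026-03-21T09:00:00Z", "ipAddress": "203.0.113.10", "location": "Chicago, US", "device": "Edge/Windows", "status": "Success", "riskLevel": "Low"},
    {"timestamp": "2026-03-21T09:45:00Z", "ipAddress": "198.51.100.7", "location": "Lagos, NG", "device": "Chrome/Linux", "status": "Success", "riskLevel": "High"},
    {"timestamp": "2026-03-21T10:30:00Z", "ipAddress": "198.51.100.7", "location": "Lagos, NG", "device": "Chrome/Linux", "status": "Failed", "riskLevel": "High"},
    {"timestamp": "2026-03-22T08:00:00Z", "ipAddress": "203.0.113.10", "location": "Chicago, US", "device": "Edge/Windows", "status": "Success", "riskLevel": "Low"},
]

if __name__ == "__main__":
    for f in flag_impossible_travel(SAMPLE_EVENTS):
        print(f"{f['from']['location']} -> {f['to']['location']}: {f['km']} km at {f['speed_kmh']} km/h")
```

Only the Chicago to Lagos pair 45 minutes apart is flagged; the return to Chicago the next day implies a few hundred km/h and passes, so the check does not fire on ordinary travel.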
| Action | Description | When to Use |
|---|---|---|
| FORCE_PASSWORD_RESET | Reset the user's password | Confirmed account compromise |
| REVOKE_SESSIONS | Terminate all active sessions | Active compromise with attacker logged in |
| DISABLE_ACCOUNT | Temporarily disable the account | Severe compromise with ongoing activity |
| REMOVE_RULES | Remove suspicious mailbox rules | Malicious forwarding/delete rules found |
| Factor | Medium | High | Critical |
|---|---|---|---|
| Indicator Type | New device, unusual location | Impossible travel, password change | Lateral phishing, data exfiltration |
| User Role | Standard user | Manager, finance | Executive, admin |
| Activity | Suspicious sign-in only | Mailbox rules created | Emails sent to internal users |
| MFA Status | MFA active, blocked | MFA bypassed | MFA disabled by attacker |
| Data Access | No sensitive access | Read sensitive emails | Forwarded sensitive data |
| Code | Message | Resolution |
|---|---|---|
| 400 | Invalid email format | Check email address format |
| 401 | Unauthorized | Check API token |
| 403 | Insufficient permissions | Token needs ATO scope |
| 404 | Case not found | Verify case ID |
| 429 | Rate limited | Wait and retry |