Skill

Abnormal Security Messages

Analyzes Abnormal Security messages: email headers, attachments, sender reputation, delivery context, SPF/DKIM/DMARC authentication, and metadata for incident investigations.

security

Install

npx claudepluginhub wyre-technology/msp-claude-plugins --plugin abnormal-security

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Abnormal Security provides deep message analysis capabilities beyond basic threat detection. This skill covers message retrieval, header inspection, attachment analysis, sender authentication results, and delivery context. Use it when performing forensic analysis of specific emails or investigating delivery patterns.

SKILL.md

Similar Skills

agent-eval

Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.

everything-claude-code

157.7k

agent-harness-construction

Designs and optimizes AI agent action spaces, tool definitions, observation formats, error recovery, and context for higher task completion rates.

everything-claude-code

157.7k

accessibility

Designs, implements, and audits WCAG 2.2 AA accessible UIs for Web (ARIA/HTML5), iOS (SwiftUI traits), and Android (Compose semantics). Audits code for compliance gaps.

everything-claude-code

157.7k

Stats

Parent Repo Stars12

Parent Repo Forks8

Last CommitApr 5, 2026

Actions

View Source View Plugin View on GitHub View README

Abnormal Security Message Analysis

Overview

Message Field Reference

Core Message Fields

Field	Type	Description
`abxMessageId`	long	Abnormal internal message ID
`subject`	string	Email subject line
`fromAddress`	string	From header email address
`fromName`	string	From header display name
`toAddresses`	string[]	All To: recipients
`ccAddresses`	string[]	All CC: recipients
`bccAddresses`	string[]	All BCC: recipients (if available)
`sentTime`	datetime	When the email was sent
`receivedTime`	datetime	When the email was received by Abnormal
`internetMessageId`	string	RFC 5322 Message-ID header

Sender Analysis Fields

Field	Type	Description
`senderAddress`	string	Envelope sender address
`senderName`	string	Sender display name
`senderDomain`	string	Sender domain
`senderIpAddress`	string	Originating IP address
`returnPath`	string	Return-Path header (envelope sender)
`replyToEmails`	string[]	Reply-To header addresses

Authentication Fields

Field	Type	Description
`spfResult`	string	SPF check result: pass, fail, softfail, neutral, none
`dkimResult`	string	DKIM signature result: pass, fail, none
`dmarcResult`	string	DMARC policy result: pass, fail, none
`authenticationResults`	string	Full Authentication-Results header

Attachment Fields

Field	Type	Description
`attachmentCount`	int	Number of attachments
`attachmentNames`	string[]	Filenames of attachments
`attachmentTypes`	string[]	MIME types of attachments
`attachmentSizes`	int[]	Sizes of attachments in bytes

URL Fields

Field	Type	Description
`urls`	string[]	All URLs found in message body
`urlCount`	int	Total number of URLs

Delivery Context

Field	Type	Description
`isRead`	boolean	Whether the recipient has read the email
`isInternal`	boolean	Whether the email is internal (within org)
`isExternal`	boolean	Whether the email is from outside the org
`remediationStatus`	string	Current remediation status

MCP Tools

Tool	Description	Key Parameters
`abnormal_messages_get`	Get full message details	`threatId`, `abxMessageId`
`abnormal_messages_list`	List messages for a threat	`threatId`
`abnormal_messages_headers`	Get raw email headers	`threatId`, `abxMessageId`

Tool Usage Examples

Get message details:

{
  "tool": "abnormal_messages_get",
  "parameters": {
    "threatId": "184def76-3c28-4e1b-9ef0-a5abc123def4",
    "abxMessageId": 987654321
  }
}

List messages associated with a threat:

{
  "tool": "abnormal_messages_list",
  "parameters": {
    "threatId": "184def76-3c28-4e1b-9ef0-a5abc123def4"
  }
}

Message Analysis Workflows

Header Analysis Workflow

Retrieve message headers - Get raw headers for detailed inspection
Check authentication:
- SPF: Does the sending IP match the domain's SPF record?
- DKIM: Is the DKIM signature valid and aligned?
- DMARC: Does the message pass DMARC policy?
Trace routing:
- Follow Received headers from bottom to top
- Identify mail servers and relay hops
- Check for unusual routing or delays
Inspect key headers:
- From vs Return-Path mismatch (potential spoofing)
- Reply-To vs From mismatch (redirect replies)
- X-Mailer or User-Agent (sending client)
- Content-Type and encoding

Attachment Analysis Workflow

List attachments - Review filenames, types, and sizes
Check for suspicious patterns:
- Double extensions (e.g., invoice.pdf.exe)
- Macro-enabled Office files (.docm, .xlsm)
- Archive files (.zip, .rar, .7z) containing executables
- Unusual MIME types
Cross-reference with threat data:
- Check if the attachment hash matches known malware
- Review sandbox analysis results if available
Assess risk:
- Was the attachment opened by the recipient?
- How many users received the same attachment?

Sender Reputation Workflow

Check sender identity:
- Is this a first-time sender to this recipient?
- Does the display name match the email address?
- Is the domain recently registered?
Verify authentication:
- SPF, DKIM, DMARC all passing?
- Are there any authentication failures?
Check sender IP:
- Is the IP on any blocklists?
- Does it match the expected mail server for the domain?
Review communication history:
- Has this sender contacted the organization before?
- Is the communication pattern normal?

Authentication Results Reference

SPF Results

Result	Meaning	Risk
`pass`	Sending IP authorized by domain	Low
`softfail`	IP not authorized but not explicitly denied	Medium
`fail`	IP explicitly not authorized	High
`neutral`	No SPF assertion	Medium
`none`	No SPF record exists	Medium

DKIM Results

Result	Meaning	Risk
`pass`	Valid DKIM signature, aligned	Low
`fail`	DKIM signature invalid	High
`none`	No DKIM signature present	Medium

DMARC Results

Result	Meaning	Risk
`pass`	Passes DMARC policy (SPF or DKIM aligned)	Low
`fail`	Fails DMARC policy	High
`none`	No DMARC record exists	Medium

Error Handling

Common API Errors

Code	Message	Resolution
400	Invalid message ID	Verify abxMessageId is a valid long integer
401	Unauthorized	Check API token
404	Message not found	Message may have been purged or threat ID is wrong
429	Rate limited	Wait and retry

Best Practices

Always check authentication - SPF/DKIM/DMARC failures are strong spoofing indicators
Compare From and Return-Path - Mismatches often indicate spoofing or forwarding
Review Reply-To - Reply-To different from From is a common BEC indicator
Check attachment types carefully - Not all dangerous files have obvious extensions
Trace Received headers - Follow the email routing path for anomalies
Check if email was read - Read emails with credential phishing need password resets
Cross-reference with threats - Message context enriches threat investigations

Related Skills

Abnormal Threats - Threat detection and analysis
Abnormal Cases - Abuse mailbox case management
Abnormal API Patterns - API authentication and usage