Skill

Abnormal Security Vendors

Analyzes Abnormal Security VendorBase for vendor risk scores, compromised detection, domain analysis, and supply chain email threats. For MSP analysts investigating third-party vendor risks.

security

Install

npx claudepluginhub wyre-technology/msp-claude-plugins --plugin abnormal-security

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Abnormal Security's VendorBase provides AI-driven vendor risk assessment by analyzing email communication patterns between your organization and its vendors. It detects compromised vendor accounts, assesses vendor risk levels, and alerts on suspicious vendor behavior. This is critical for protecting against supply chain email attacks where a trusted vendor's account is taken over and used to se...

SKILL.md

Similar Skills

agent-eval

Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.

everything-claude-code

157.7k

agent-harness-construction

Designs and optimizes AI agent action spaces, tool definitions, observation formats, error recovery, and context for higher task completion rates.

everything-claude-code

157.7k

accessibility

Designs, implements, and audits WCAG 2.2 AA accessible UIs for Web (ARIA/HTML5), iOS (SwiftUI traits), and Android (Compose semantics). Audits code for compliance gaps.

everything-claude-code

157.7k

Stats

Parent Repo Stars12

Parent Repo Forks8

Last CommitApr 5, 2026

Actions

View Source View Plugin View on GitHub View README

Abnormal Security VendorBase Vendor Risk Assessment

Overview

Vendor Risk Levels

Level	Score Range	Description	Action
Critical	90-100	Active compromise detected or high-confidence indicators	Immediate investigation, block vendor emails
High	70-89	Strong indicators of compromise or suspicious behavior	Priority investigation within 24 hours
Medium	40-69	Some risk factors present, warrants monitoring	Monitor, review within 1 week
Low	0-39	Normal vendor behavior, minimal risk	Routine monitoring

Risk Factors

Factor	Description	Weight
Authentication Failures	SPF/DKIM/DMARC failures from vendor domain	High
Sending Pattern Change	Vendor sending from new IPs or mail servers	High
Domain Age	Vendor domain recently registered or changed	Medium
Content Anomalies	Unusual email content compared to historical patterns	High
Financial Requests	Vendor requesting payment changes or wire transfers	Critical
Multiple Recipients	Vendor sending to unusual number of your users	Medium
New Contacts	Previously unseen sender addresses from vendor domain	Medium
Behavioral Anomaly	Communication patterns deviate from baseline	High

Vendor Field Reference

Core Fields

Field	Type	Description
`vendorDomain`	string	Primary domain of the vendor
`vendorName`	string	Display name / company name
`riskScore`	int	Risk score 0-100
`riskLevel`	string	Critical, High, Medium, Low
`lastAssessed`	datetime	When the risk was last calculated
`totalMessages`	int	Total emails received from this vendor
`firstSeen`	datetime	When the vendor first emailed your org

Compromise Indicators

Field	Type	Description
`isCompromised`	boolean	Whether Abnormal has flagged the vendor as compromised
`compromiseDetectedAt`	datetime	When compromise was detected
`compromiseIndicators`	string[]	List of specific indicators
`affectedUsers`	string[]	Your users targeted by compromised vendor

Communication Profile

Field	Type	Description
`typicalSenders`	string[]	Known sender addresses from this vendor
`typicalSubjects`	string[]	Common subject line patterns
`communicationFrequency`	string	How often vendor emails your org
`lastEmailReceived`	datetime	Most recent email from vendor
`primaryContacts`	string[]	Your users who communicate most with vendor

MCP Tools

Tool	Description	Key Parameters
`abnormal_vendors_list`	List vendors with risk scores	`pageSize`, `pageNumber`, `filter`
`abnormal_vendors_get`	Get vendor risk details	`vendorDomain`
`abnormal_vendors_activity`	Get recent vendor email activity	`vendorDomain`, `fromDate`, `toDate`
`abnormal_vendors_threats`	Get threats from a specific vendor	`vendorDomain`

Tool Usage Examples

List high-risk vendors:

{
  "tool": "abnormal_vendors_list",
  "parameters": {
    "filter": "riskLevel eq 'High' or riskLevel eq 'Critical'",
    "pageSize": 25
  }
}

Get vendor risk details:

{
  "tool": "abnormal_vendors_get",
  "parameters": {
    "vendorDomain": "example-vendor.com"
  }
}

Get threats from a vendor:

{
  "tool": "abnormal_vendors_threats",
  "parameters": {
    "vendorDomain": "example-vendor.com"
  }
}

Vendor Investigation Workflows

Compromised Vendor Investigation

Review compromise indicators:
- What triggered the detection?
- When was the compromise detected?
- Which of your users are affected?
Analyze recent emails from vendor:
- Check for unusual content or requests
- Look for financial redirect requests
- Review authentication results (SPF/DKIM/DMARC)
Assess blast radius:
- How many users received emails from the compromised vendor?
- Were any emails acted upon (links clicked, attachments opened)?
Remediate:
- Quarantine suspicious emails from the vendor
- Block vendor domain temporarily if active compromise
- Notify affected users not to respond or act on recent vendor emails
Vendor notification:
- Contact the vendor through a verified channel (not email)
- Inform them of the suspected compromise
- Request confirmation when they have secured their accounts
Unblock:
- Once vendor confirms remediation, unblock and monitor

Vendor Risk Review Workflow

List all vendors by risk score - Start with highest risk
Review risk factors - Understand why each vendor is rated as it is
Check for new vendors - First-time vendors warrant extra scrutiny
Compare historical risk - Has risk score increased recently?
Generate report - Summarize vendor risk posture for stakeholders

Payment Redirect Detection

Filter vendor emails with financial keywords - "bank details changed", "new account", "updated payment"
Cross-reference with vendor risk - Is the vendor flagged as compromised?
Verify through side channel - Call the vendor to confirm payment changes
Block if fraudulent - Quarantine and block sender if confirmed BEC

Error Handling

Common API Errors

Code	Message	Resolution
400	Invalid vendor domain	Verify domain format
401	Unauthorized	Check API token
404	Vendor not found	Domain may not be in VendorBase yet
429	Rate limited	Wait and retry

Best Practices

Review critical vendors weekly - High-risk vendors need regular attention
Act immediately on compromises - Compromised vendor emails are highly convincing
Verify payment changes via phone - Never trust payment redirect requests via email
Monitor new vendors closely - First-time vendors lack behavioral baseline
Track risk score trends - Rising scores indicate emerging risk
Correlate with threat data - Vendor risk and threat detections complement each other
Document vendor communications - Maintain a log of verified vendor contacts

Related Skills

Abnormal Threats - Threat detection and analysis
Abnormal Account Takeover - Account takeover detection
Abnormal API Patterns - API authentication and usage