From abnormal-security
Analyzes Abnormal Security VendorBase for vendor risk scores, compromised detection, domain analysis, and supply chain email threats. For MSP analysts investigating third-party vendor risks.
npx claudepluginhub wyre-technology/msp-claude-plugins --plugin abnormal-security

Slash command: /abnormal-security:vendors
Abnormal Security's VendorBase provides AI-driven vendor risk assessment by analyzing email communication patterns between your organization and its vendors. It detects compromised vendor accounts, assesses vendor risk levels, and alerts on suspicious vendor behavior. This is critical for protecting against supply chain email attacks where a trusted vendor's account is taken over and used to send malicious emails.

| Level | Score Range | Description | Action |
|---|---|---|---|
| Critical | 90-100 | Active compromise detected or high-confidence indicators | Immediate investigation, block vendor emails |
| High | 70-89 | Strong indicators of compromise or suspicious behavior | Priority investigation within 24 hours |
| Medium | 40-69 | Some risk factors present, warrants monitoring | Monitor, review within 1 week |
| Low | 0-39 | Normal vendor behavior, minimal risk | Routine monitoring |

| Factor | Description | Weight |
|---|---|---|
| Authentication Failures | SPF/DKIM/DMARC failures from vendor domain | High |
| Sending Pattern Change | Vendor sending from new IPs or mail servers | High |
| Domain Age | Vendor domain recently registered or changed | Medium |
| Content Anomalies | Unusual email content compared to historical patterns | High |
| Financial Requests | Vendor requesting payment changes or wire transfers | Critical |
| Multiple Recipients | Vendor sending to unusual number of your users | Medium |
| New Contacts | Previously unseen sender addresses from vendor domain | Medium |
| Behavioral Anomaly | Communication patterns deviate from baseline | High |

| Field | Type | Description |
|---|---|---|
| vendorDomain | string | Primary domain of the vendor |
| vendorName | string | Display name / company name |
| riskScore | int | Risk score 0-100 |
| riskLevel | string | Critical, High, Medium, Low |
| lastAssessed | datetime | When the risk was last calculated |
| totalMessages | int | Total emails received from this vendor |
| firstSeen | datetime | When the vendor first emailed your org |

| Field | Type | Description |
|---|---|---|
| isCompromised | boolean | Whether Abnormal has flagged the vendor as compromised |
| compromiseDetectedAt | datetime | When compromise was detected |
| compromiseIndicators | string[] | List of specific indicators |
| affectedUsers | string[] | Your users targeted by compromised vendor |

| Field | Type | Description |
|---|---|---|
| typicalSenders | string[] | Known sender addresses from this vendor |
| typicalSubjects | string[] | Common subject line patterns |
| communicationFrequency | string | How often vendor emails your org |
| lastEmailReceived | datetime | Most recent email from vendor |
| primaryContacts | string[] | Your users who communicate most with vendor |

| Tool | Description | Key Parameters |
|---|---|---|
| abnormal_vendors_list | List vendors with risk scores | pageSize, pageNumber, filter |
| abnormal_vendors_get | Get vendor risk details | vendorDomain |
| abnormal_vendors_activity | Get recent vendor email activity | vendorDomain, fromDate, toDate |
| abnormal_vendors_threats | Get threats from a specific vendor | vendorDomain |

List high-risk vendors:
```json
{
  "tool": "abnormal_vendors_list",
  "parameters": {
    "filter": "riskLevel eq 'High' or riskLevel eq 'Critical'",
    "pageSize": 25
  }
}
```

Get vendor risk details:

```json
{
  "tool": "abnormal_vendors_get",
  "parameters": {
    "vendorDomain": "example-vendor.com"
  }
}
```

Get threats from a vendor:

```json
{
  "tool": "abnormal_vendors_threats",
  "parameters": {
    "vendorDomain": "example-vendor.com"
  }
}
```

| Code | Message | Resolution |
|---|---|---|
| 400 | Invalid vendor domain | Verify domain format |
| 401 | Unauthorized | Check API token |
| 404 | Vendor not found | Domain may not be in VendorBase yet |
| 429 | Rate limited | Wait and retry |
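
The risk-level table and the vendor record fields above are enough to build an analyst worklist with response deadlines. The following Python is an added example, not code from the plugin or from Abnormal Security: it assumes records carry the field names listed on this page, that datetimes arrive as ISO 8601 strings, and uses hypothetical helpers `level_for` and `triage`; the sample records are constructed.

```python
from datetime import datetime, timedelta

# (minimum score, level, action, review window) taken from the risk-level table.
LEVELS = [
    (90, "Critical", "Immediate investigation, block vendor emails", timedelta(0)),
    (70, "High", "Priority investigation within 24 hours", timedelta(hours=24)),
    (40, "Medium", "Monitor, review within 1 week", timedelta(weeks=1)),
    (0, "Low", "Routine monitoring", None),  # routine monitoring has no deadline
]

def level_for(score):
    """Return the LEVELS row whose score band contains a 0-100 riskScore."""
    if not 0 <= score <= 100:
        raise ValueError(f"riskScore out of range: {score}")
    return next(row for row in LEVELS if score >= row[0])

def triage(vendors):
    """Build a worklist: Critical items first, then descending riskScore."""
    work = []
    for v in vendors:
        _, scored_level, action, window = level_for(v["riskScore"])
        level = scored_level
        if v.get("isCompromised"):  # table: Critical = "Active compromise detected"
            _, level, action, window = LEVELS[0]
        # Assumption: ISO 8601 strings; clock starts at detection, else last assessment.
        start = datetime.fromisoformat(v.get("compromiseDetectedAt") or v["lastAssessed"])
        work.append({
            "vendorDomain": v["vendorDomain"], "riskScore": v["riskScore"],
            "level": level, "action": action,
            "due": start + window if window is not None else None,
            "affectedUsers": v.get("affectedUsers", []),
            # A reported riskLevel outside the score's band deserves a second look.
            "levelMismatch": v.get("riskLevel") != scored_level,
        })
    work.sort(key=lambda w: (w["level"] != "Critical", -w["riskScore"]))
    return work

T0 = "2024-05-01T09:00:00+00:00"
SAMPLE = [  # constructed records using the page's field names, not API output
    {"vendorDomain": "example-vendor.com", "riskScore": 55, "riskLevel": "Medium",
     "lastAssessed": T0, "isCompromised": True, "affectedUsers": ["ap@example.org"],
     "compromiseDetectedAt": "2024-05-02T14:30:00+00:00"},
    {"vendorDomain": "example-supplier.net", "riskScore": 78, "riskLevel": "High", "lastAssessed": T0},
    {"vendorDomain": "example-print.org", "riskScore": 72, "riskLevel": "Medium", "lastAssessed": T0},
    {"vendorDomain": "example-office.com", "riskScore": 12, "riskLevel": "Low", "lastAssessed": T0},
]
if __name__ == "__main__":
    for w in triage(SAMPLE):
        print(w["vendorDomain"], w["level"], w["due"], w["levelMismatch"])
```

A vendor flagged `isCompromised` is escalated to Critical even when its `riskScore` sits in a lower band, and its deadline is measured from `compromiseDetectedAt` rather than `lastAssessed`.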