The Abnormal Connection is available in Enforce through Valimail Labs (opt-in via Personal Settings).
Overview
The Abnormal Security integration lets you report threats from Valimail's Active Threat Detection report directly into Abnormal's Detection 360 (D360) system, in a single action, without leaving Valimail.
When Valimail catches a lookalike domain or phishing attempt that slipped past Abnormal's filtering, you can select one or more threats and click Report to Abnormal. Valimail creates a D360 ticket in Abnormal for each threat, flagging it as a missed detection and prompting Abnormal to investigate and adjust its filtering.
This integration is one-directional: Valimail sends data to Abnormal. There is no inbound data flow from Abnormal into Valimail.
Before you begin, make sure you have:
A Valimail Enforce plan with the Integrations feature enabled (available via Labs opt-in)
You have configured a mailbox connector (either Microsoft 365 or Google Workspace) so the Active Threat Detection report can populate threats.
An active Abnormal Security account with admin access to the Abnormal portal at portal.abnormalsecurity.com
Step 1: Generate Your API Key in Abnormal
The Abnormal connector authenticates using your existing Abnormal Security API key; no additional provisioning is required.
Log in to the Abnormal Security portal at https://portal.abnormalsecurity.com.
Click Settings in the left navigation.
Click Integrations.
Scroll to the Additional Integrations section and click + Connect on the Abnormal REST API card.
Your unique API Access Token will be displayed. Copy it and store it somewhere safe; you will need it in Step 3.
Important: Treat your API key like a password. Do not share it or commit it to any code repository.
Step 2: Whitelist Valimail's Outbound IP Addresses in Abnormal
Abnormal Security restricts API access by source IP. Before the integration can function, you must add Valimail's outbound IP addresses to the IP Safelist in the Abnormal portal.
On the same Abnormal REST API integration page from Step 1, locate the IP Safelist field.
Add each of the following Valimail egress IP addresses:
34.214.51.150/32and35.160.147.233/32Click Save.
Note: Abnormal does not accept wildcard entries (e.g., 0.0.0.0/0). Each specific IP must be entered.
Step 3: Connect Abnormal in the Valimail Integrations Section
In Valimail, navigate to Account Settings from the top right.
Click on Integrations in the left navigation.
Locate the Abnormal Security connector tile and click Connect.
Paste your Abnormal API key into the API Key field.
Click Save. Valimail will validate the key and confirm the connection.
Once connected, the Abnormal connector will appear as active in your Integrations section.
If the Integrations section is not visible under Account Settings, you’ll need to enable the Labs feature first by following the steps provided here.
Step 4: Report Threats to Abnormal from Active Threat Detection
With the connector active, you can now escalate threats directly from the Active Threat Detection report.
Navigate to the Active Threat Detection report in Valimail Enforce (under the REPORTS section in the left navigation).
Select the Actions drop-down for the threat listed.
Click Report to Abnormal in the action bar.
Valimail sends a report to Abnormal's D360 system for each selected threat. A success notification will confirm the action.
Each reported threat will display a Reported to Abnormal status indicator in the report.
Inside Abnormal, a Detection 360 ticket will be created for each reported threat, flagging it as a missed detection for Abnormal's team to investigate.
Troubleshooting
The connection fails when saving the API key.
Verify that the API key was copied in full with no leading or trailing spaces, and that the Valimail egress IPs from Step 2 have been added to the Abnormal IP Safelist. API calls from unlisted IPs are rejected by Abnormal. If you have recently rotated your API key in Abnormal, reconnect using the new key.
The "Report to Abnormal" button does not appear in the Active Threat Detection report.
The Integrations feature must be enabled on your account. If you have completed Steps 1–3 but the action is still not visible, contact Valimail Support to confirm your account entitlement.
I reported a threat, but no D360 ticket appeared in Abnormal.
Confirm the Valimail IP addresses are correctly entered in the Abnormal IP Safelist and that there are no typos. Then check the Abnormal portal for any service disruptions. If the issue persists, contact Valimail Support with the timestamp of the failed report.