Abnormal is an advanced email protection platform that uses artificial intelligence (AI) and machine learning to detect and prevent email-based threats such as phishing, business email compromise (BEC) and account takeover.

Unlike traditional email filters, Abnormal understands what "normal" looks like across your email environment – from communication patterns to login behaviors. By detecting anomalies, Abnormal can stop threats before they reach your inbox, helping protect personal data, university systems and financial assets.

OSU receives a large volume of phishing attacks every day. These messages:

• Disrupt academic and administrative work
• Fool experienced users with increasingly sophisticated tactics
• Can result in compromised accounts, data breaches and stolen paychecks
• Require time-consuming recovery efforts, disrupting work or study significantly

Abnormal provides a smarter, automated way to detect and stop these threats. It analyzes:

• Suspicious links and attachments
• Unusual login locations or access patterns
• Changes in email content, tone or behavior
• Alterations to inbox rules and mail forwarding

This enables faster responses to threats, minimizing impact and improving security for everyone across the university.

Abnormal is integrated with Microsoft 365 and automatically detects and removes malicious email from a user's inbox – often within milliseconds of delivery. You may notice:

• Fewer phishing or suspicious emails
• Occasional instances where a message appears, then disappears
• No more daily spam digests or manual quarantine review

Although protection is improved, you should continue to report suspicious messages to help further enhance our threat detection capabilities.

No – this behavior is normal. Abnormal reviews emails in a secure processing environment after delivery. If it determines a message is malicious, it removes it automatically. If you're watching your inbox closely, you may briefly see a message appear and then disappear.

If you're ever unsure, contact the OSU IT Helpdesk for confirmation.

On rare occasions, legitimate emails may be flagged by the system.

Before contacting the IT Helpdesk, please first check the following folders in your email:

• Promotions (created by Abnormal to filter marketing and bulk email)
• Junk E-mail (Microsoft's built-in spam filtering folder)

If you still cannot locate the email, please open a ticket with the IT Helpdesk and include the following information:

• Sender's email address
• Subject line
• Approximate date/time the email was sent

The IT team will review the message's status and retrieve it if appropriate. Abnormal will also learn from this feedback to improve future accuracy.

If you're using Microsoft 365:

1. Select the email in Outlook.
2. Click the "Report Message" button in the toolbar.
3. Choose Phishing or Spam, as appropriate.

This forwards the message to Enterprise IT's security team and helps improve protection for everyone.

Graymail refers to messages that aren’t quite spam but aren’t always wanted—like newsletters, ads and bulk announcements. Oklahoma State University uses Abnormal Security to help manage Graymail by filtering these messages into a special folder called Promotions.

The Promotions folder is created in your mailbox to hold messages that Abnormal has identified as potentially non-critical or promotional. This helps keep your Inbox clean and focused on more important communications.

You can train the system to improve its accuracy by moving messages in or out of the Promotions folder.

Mark a Message as NOT Graymail (False Positive)

• If a message was sent to the Promotions folder but you want it in your Inbox:
  • Move the message from the Promotions folder to your Inbox (or any other folder).
  • This tells Abnormal that the message should not be treated as graymail.

Tip: Moving it to the Inbox is the most effective way to mark it as important.

• Mark a Message as Graymail (False Negative)
  • If a message shows up in your Inbox but you think it belongs in Promotions:
  • Move the message from your Inbox to the Promotions folder.
  • This helps train the system to recognize similar messages as graymail in the future.

Tip: You can do this for messages in other folders too—just move them to Promotions.

If you delete the promotions folder, all promotional emails will still be filtered there, but the folder itself will now appear inside your Deleted Items folder.

If you wish to move it back to your inbox:

1. In Outlook, go to your Deleted Items folder.
2. Find the Promotions folder inside.
3. Right-click on the Promotions folder and choose Move > Other Folder
4. Select your top-level mailbox folder (usually your email address) and click OK

If you hard delete (permanently delete) the Promotions folder, Abnormal AI will automatically recreate it the next time it filters a message. If it doesn't reappear within a day, please reach out to the IT Helpdesk for assistance.

• Move them to your Inbox. This tells the system they are important.
• If it keeps happening, contact the IT Helpdesk and we can assist with fine-tuning.

Malicious emails remain the most common method in cyberattacks. These include phishing messages, fake job scams, financial fraud and malware-laden attachments.

Learn how to:

• Protect yourself from common threats
• Recognize suspicious messages
• Report phishing and fraud effectively

Visit: Malicious Emails and Financial Scams

Safe Links is a Microsoft Defender for Office 365 feature that protects users by scanning and rewriting URLs in real time to detect malicious links. If a link is found to be dangerous, access is blocked and the user is notified.

Safe Links has been active in email for some time. We are now expanding this protection to additional Microsoft 365 services, including:

• Microsoft Teams
• Office desktop apps (Word, Excel, PowerPoint)
• Office web apps (Word Online, Excel Online, etc.)
• SharePoint Online
• OneDrive for Business

This expansion is part of our continued efforts to protect university data and users from phishing, malware and other online threats.

If you're using Microsoft 365:

1. Select the email in Outlook.
2. Click the "Report Message" button in the toolbar.
3. Choose Phishing or Spam, as appropriate.

This forwards the message to Enterprise IT's security team and helps improve protection for everyone.

Email: URLs will continue to appear rewritten (e.g., starting with https://nam01.safelinks.protection.outlook.com/...and scanned when clicked.

Teams, Office apps, SharePoint, and OneDrive: URLs will be protected by Safe Links but may not appear rewritten. However, links will still be scanned in real-time when clicked.

No. Safe Links is designed to maintain the original functionality of links. Users can continue clicking links as usual, and protection will happen behind the scenes.

If Microsoft detects a link is unsafe, you will see a warning message. Access to the malicious content will be blocked to protect you and your device.

GreenArrow is a service provided by OSU that allows faculty and staff to relay email from their servers or printers using SMTP over port 25.

To use the LSMTP relay service, the device must:

• Be located on the OSU Network
• Have a valid DHCP reservation
  • Request or modify a reservation using the FAQ page: it.okstate.edu/services/internet-protocol-assignment/index.html
• From address should be a shared or department-owned email address in the OSU A&M system.
• When possible, use a top-level domain owned by the OSU and A&M system.
• The domain must include:
  • A valid SPF record authorizing LSMTP
  • A properly configured DKIM signature

Yes. The maximum allowed message size is 50 MB, including attachments and headers. Messages exceeding this limit will be rejected during the SMTP handshake.

Yes. To request access for a device, you may use one of the following methods:

Option 1: Submit a request through the New LSMTP Email Reservation Request Form (authentication required)

Option 2: Open a ticket through the IT Request Help website

When submitting your request, please include the following information in the Issue Description field:

• Your phone number
• Administrator of device name
• Administrator of device campus email
• Device type (e.g., printer, server, appliance)
• Fully qualified domain name of the device
• Ethernet IPv4 address
• Ethernet MAC or physical address
• Is the device password protected? (Yes/No)
• Send-as email address used by the device
• Any additional information