
Protecting Against Cross-Platform Account Takeover

Discover the dangers of cross-platform account takeover, the challenges of detecting this attack, and how to implement proactive protection against ATO.
May 23, 2024

This article originally appeared in SC Media.

Email continues to be the biggest threat vector organizations face today, offering cybercriminals a broad attack surface for phishing, fraud, and social engineering schemes, as well as what’s arguably the most dangerous type of email attack: account takeover.

A compromised account opens up a range of risks: exposing sensitive company or customer data, creating a launchpad for additional attacks or fraudulent transactions, and letting attackers move laterally across additional applications and connected platforms. The downstream impact of these attacks is often devastating, not only disrupting the business but also potentially leading to significant financial loss or a jeopardized customer experience.

Security leaders are waking up to this threat. Some of our recent research shows that nearly 70% of security leaders view account takeover attacks as the greatest concern to their organizations—even ahead of headline-grabbing threats like ransomware and phishing. Unfortunately, their concerns are valid. Eighty-three percent of these security leaders reported that their organization had been directly impacted by an account takeover attack within the past year, and nearly one-fifth have been impacted more than 10 times.

The Dangers of Cross-Platform Account Takeover

For many security stakeholders, the phrase “account takeover” usually brings to mind a compromised email account, but these attacks are no longer limited to just the inbox. Today’s cloud application ecosystems are increasingly broad, interdependent, and complex. And as these apps proliferate, they create additional points of entry, each with its own distinct risks if compromised. For example:

  • File storage and sharing services such as Dropbox and Box, as well as contract management applications like Docusign, could enable immediate access to (and exfiltration of) sensitive, regulated, or proprietary data—a treasure trove for launching additional attacks.

  • The compromise of cloud infrastructure accounts such as AWS, Microsoft Azure, or Google Cloud Platform could allow for lateral movement across the corporate network.

  • Threat actors could target collaboration apps like Slack or Zoom in multi-channel attacks coordinated across email and its connected applications.

  • Other popular enterprise software apps like Workday and Salesforce create access to payment and bank account information as well as personal data belonging to employees or customers, leaving them vulnerable to identity theft.

Compromised accounts have been the culprit behind several well-known breaches in recent years. A single compromised password reportedly resulted in the Colonial Pipeline ransomware attack, where attackers gained access to the corporate network through an inactive VPN account. The login credentials belonging to the employee who owned the account were likely reused from another website that was previously compromised.

Electronic Arts also experienced a damaging account compromise, leading to a breach that resulted in the loss of highly valuable intellectual property, including the source code for FIFA 21. This attack began when attackers gained access to an internal Slack channel using stolen session cookies. Once inside Slack, the attackers messaged IT support, asking for a multi-factor authentication token that they claimed they needed because of a lost mobile device. With this token, they could infiltrate the corporate network and then download data and source code.

These are just a couple of the most infamous account takeover examples, but it’s not just major brands that are at risk. Any company that uses cloud-based applications—whether for email, collaboration, identity, or cloud infrastructure—is under threat.

The Challenge of Detecting Cross-Platform Account Takeover

There are two characteristics of cross-platform account takeover attacks that make them difficult to detect.

First, there’s a visibility challenge. It’s one thing to monitor for suspicious activity across the cloud email environment; scaling this across dozens of other apps becomes exponentially more challenging. Maintaining centralized visibility and unified control across diverse collections of cloud services has become especially difficult when different business units are individually responsible for their own apps.

Second, stolen credentials are the precursor to most account compromises, and obtaining those credentials usually means exploiting a vulnerability that’s notoriously difficult to protect: people. Cybercriminals know that tired, distracted, or careless employees are bound to make mistakes, making them the perfect targets for social engineering attacks that let threat actors phish their account credentials.

The proliferation of generative AI tools over the last year has only made this problem worse by giving threat actors a tool for creating more authentic-looking phishing emails faster—greatly improving their ability to harvest credentials and initiate account takeovers.

Proactive Protection Strategies

There are a number of strategies that organizations are using to mitigate account compromise, including multi-factor authentication (MFA), encouraging strong password use, and implementing single sign-on (SSO). And while these are important layers of defense that can decrease the risk of account compromise, they won’t eliminate it entirely, and teams shouldn’t treat them as a silver bullet.

We have to remember that today’s criminals are savvy, and can often find ways around standard controls. MFA bypass attacks, for example, have been growing in frequency, with some threat groups now selling MFA bypass-as-a-service kits on the dark web, providing stolen MFA tokens that make it possible to hijack active authentication sessions. MFA bypass has played a role in several high-profile attacks, including the SolarWinds breach.

And while SSO can make security monitoring easier by offering a single source of log data and events, plus the convenience of enforcing strong passwords and MFA from one place, this simplicity also has a downside. Once the SSO account is compromised, attackers can exploit that same ease and accessibility to move laterally across the network.

So what else can security teams do to supplement these measures?

Improving integration among current security tools can create complete visibility across the cloud ecosystem. Account takeover attacks often feature lateral movement across platforms—teams need the ability to see, correlate, and analyze the multiple behavioral signals across these different applications and platforms. By comparing these signals to baseline levels of user behavior and identifying deviations, organizations can improve their ability to detect potential account compromises rapidly and with confidence.
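As an added illustration (not Abnormal's code or product logic), here is one way to operationalise that cross-platform correlation: events from several applications are normalised to one schema, checked against a per-user baseline of known sign-in countries and devices, and an alert is raised only when a deviating session touches more than one application within a short window. All event data, field names, and thresholds below are constructed for the example.

```python
"""Cross-platform account takeover detection: correlate per-user signals from
several apps against a baseline and alert on multi-app deviations in a window.
Added example; log lines, field names and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: countries and devices each user normally signs in from.
BASELINE = {"alice": {"countries": {"US"}, "devices": {"laptop-a1"}}}

# Constructed events from three platforms, already normalised to one schema.
EVENTS = [
    {"ts": "2024-05-20T09:02:00", "user": "alice", "app": "email",
     "action": "login", "country": "US", "device": "laptop-a1"},
    {"ts": "2024-05-20T13:10:00", "user": "alice", "app": "email",
     "action": "login", "country": "RO", "device": "win-unknown"},
    {"ts": "2024-05-20T13:14:00", "user": "alice", "app": "email",
     "action": "inbox_rule_created", "country": "RO", "device": "win-unknown"},
    {"ts": "2024-05-20T13:31:00", "user": "alice", "app": "slack",
     "action": "login", "country": "RO", "device": "win-unknown"},
    {"ts": "2024-05-20T13:45:00", "user": "alice", "app": "aws",
     "action": "login", "country": "RO", "device": "win-unknown"},
]

WINDOW = timedelta(hours=1)
EMPTY = {"countries": set(), "devices": set()}  # baseline for unknown users

def signals(event, baseline):
    """Return the suspicious signals one event exhibits (empty list = normal)."""
    found = []
    if event["country"] not in baseline["countries"]:
        found.append("new_country")
    if event["device"] not in baseline["devices"]:
        found.append("new_device")
    if event["action"] == "inbox_rule_created":
        found.append("inbox_rule")  # common post-compromise persistence step
    return found

def detect(events, baseline, window=WINDOW, min_apps=2):
    """Group each user's anomalous events in a sliding window; alert when the
    deviating activity spans at least `min_apps` distinct applications."""
    alerts, anomalous = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        devs = signals(e, baseline.get(e["user"], EMPTY))
        if devs:
            anomalous[e["user"]].append((datetime.fromisoformat(e["ts"]), e["app"], devs))
    for user, items in anomalous.items():
        for i, (t0, _, _) in enumerate(items):
            in_win = [x for x in items[i:] if x[0] - t0 <= window]
            apps = {a for _, a, _ in in_win}
            if len(apps) >= min_apps:
                alerts.append({"user": user, "start": t0.isoformat(), "apps": sorted(apps),
                               "signals": sorted({d for _, _, ds in in_win for d in ds})})
                break  # one alert per user per run is enough here
    return alerts
```

A single new-country login would not fire on its own; the alert requires the same deviating session to reach a second platform, which is the lateral movement pattern the paragraph describes.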

Cloud application ecosystems will only continue to grow, which means account takeovers will likely remain a popular tactic for threat actors. Ensuring the strongest protection possible against these attacks will require security teams to extend their visibility and control beyond email, with a particular focus on protecting their greatest vulnerability: human behavior.


Abnormal AI can protect your organization from cross-platform account takeover attacks that exploit human behavior. Schedule your demo to see how.
