Protecting Against Cross-Platform Account Takeover

Discover the dangers of cross-platform account takeover, the challenges of detecting this attack, and how to implement proactive protection against ATO.
May 23, 2024

This article originally appeared in SC Media.

Email continues on as the biggest threat vector organizations face today, offering cybercriminals a broad attack surface to target for phishing, fraud, and social engineering schemes, as well as what’s arguably the most dangerous type of email attack: account takeover.

A compromised account can open up a number of risks: from exposing sensitive company or customer data, creating a launchpad for additional attacks or fraudulent transactions, and letting hackers move laterally across additional applications and connected platforms. The downstream impact of these attacks is often devastating, not only incurring disruption to the business but also potentially leading to significant financial loss or a jeopardized customer experience.

Security leaders are waking up to this threat. Some of our recent research shows that nearly 70% of security leaders view account takeover attacks as the greatest concern to their organizations—even ahead of news headlining threats like ransomware and phishing. Unfortunately, their concerns are valid. Eighty-three percent of these security leaders reported that their organization had been directly impacted by an account takeover attack within the past year, and nearly one-fifth have been impacted more than 10 times.

The Dangers of Cross-Platform Account Takeover

For many security stakeholders, the phrase “account takeover” usually brings to mind a compromised email account, but these attacks are no longer limited to just the inbox. Today’s cloud application ecosystems are increasingly broad, interdependent, and complex. And as these apps proliferate, they create additional points of entry, each with its own distinct risks if compromised. For example:

  • File storage and sharing services such as Dropbox and Box, as well as contract management applications like Docusign, could enable immediate access to (and exfiltration of) sensitive, regulated, or proprietary data—a treasure trove for launching additional attacks.

  • The compromise of cloud infrastructure accounts such as AWS, Microsoft Azure, or Google Cloud Platform could allow for lateral movement across the corporate network.

  • Threat actors could target collaboration apps like Slack or Zoom in multi-channel attacks coordinated across email and its connected applications.

  • Other popular enterprise software apps like Workday and Salesforce create access to payment and bank account information as well as personal data belonging to employees or customers, leaving them vulnerable to identity theft.

Compromised accounts have been the culprit behind several well-known breaches in recent years. A single compromised password reportedly resulted in the Colonial Pipeline ransomware attack, where attackers gained access to the corporate network through an inactive VPN account. The login credentials belonging to the employee who owned the account were likely reused from another website that was previously compromised.

Electronic Arts also experienced a damaging account compromise, leading to a breach that resulted in the loss of highly valuable intellectual property, including the source code for FIFA 21. This attack began when attackers gained access to an internal Slack channel using stolen session cookies. Once inside Slack, the attackers messaged IT support, asking for a multi-factor authentication token that they claimed they needed because of a lost mobile device. With this token, they could infiltrate the corporate network and then download data and source code.

These are just a couple of the most infamous account takeover examples, but it’s not just major brands that are at risk. Any company that uses cloud-based applications—whether for email, collaboration, identity, or cloud infrastructure—is under threat.

The Challenge of Detecting Cross-Platform Account Takeover

There are two characteristics of cross-platform account takeover attacks that make them difficult to detect.

First, there’s a visibility challenge. It’s one thing to monitor for suspicious activity across the cloud email environment; scaling this across dozens of other apps becomes exponentially more challenging. Maintaining centralized visibility and unified control across diverse collections of cloud services has become especially difficult when different business units are individually responsible for their own apps.

Second, stolen credentials are the precursor to most account compromises, and obtaining those credentials usually takes exploiting a vulnerability that’s notoriously difficult to protect: people. Cybercriminals know that tired, distracted, or careless employees are bound to make mistakes, making them the perfect targets for social engineering attacks that let threat actors phish their account credentials.

The proliferation of generative AI tools over the last year has only made this problem worse by giving threat actors a tool for creating more authentic-looking phishing emails faster—greatly improving their ability to harvest credentials and initiate account takeovers.

Proactive Protection Strategies

There are a number of strategies that organizations are using to mitigate account compromise, including multi-factor authentication (MFA) and encouraging strong password use or implementing secure sign-on (SSO). And while these are important layers of defense that can decrease the risk of account compromise, they won’t eliminate it entirely, and teams shouldn’t treat them as a silver bullet.

We have to remember that today’s criminals are savvy, and can often find ways around standard controls. MFA bypass attacks, for example, have been growing in frequency, with some threat groups now selling MFA bypass-as-a-service kits on the dark web, providing stolen MFA tokens that make it possible to hijack active authentication sessions. MFA bypass has played a role in several high-profile attacks, including the SolarWinds breach.

And while SSO can make security monitoring easier by offering a single source of log data and events, plus the convenience of enforcing strong passwords and MFA from one place, this simplicity also represents a downside. Once compromised, attackers can exploit that same ease and accessibility to move laterally across the network.

So what else can security teams do to supplement these measures?

Improving integration among current security tools can create complete visibility across the cloud ecosystem. Account takeover attacks often feature lateral movement across platforms—teams need the ability to see, correlate, and analyze the multiple behavioral signals across these different applications and platforms. By comparing these signals to baseline levels of user behavior and identifying deviations, organizations can improve their ability to detect potential account compromises rapidly and with confidence.

Cloud application ecosystems will only continue to grow, which means account takeovers will likely continue on as a popular attack tactic for threat actors. Ensuring the strongest protection possible against these attacks will require security teams to look at extending their visibility and control beyond email, with a particular focus on protecting their greatest vulnerability: human behavior.

Abnormal AI can protect your organization from cross-platform account takeover attacks that exploit human behavior. Schedule your demo to see how.

Schedule a Demo
Protecting Against Cross-Platform Account Takeover

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.


See the Abnormal Solution to the Email Security Problem

Protect your organization from the full spectrum of email attacks with Abnormal.

Integrates Insights Reporting 09 08 22

Related Posts

B travelscams
Cybercriminals exploit stolen financial data to offer consumers heavily discounted travel deals. Learn how these email scams work and tips to avoid falling victim to them this summer travel season.
Read More
B Earn Your CPE Credits with Abnormal
Earn your continuing education credits with ISC2 by viewing cybersecurity content from Abnormal Security.
Read More
B Seg Lessons
Discover key insights gleaned from replacing 100+ SEGs for Abnormal customers.
Read More
B Europe Attack Data Blog
Discover what our research uncovered about the European threat landscape and attack trends for organizations in the region.
Read More
Abnormal aims to provide superior detection of email attacks while also directly and indirectly influencing the security awareness of your employees.
Read More
B 6 3 24 BEC Attacks
Discover how cybercriminals obtain corporate data from brokers like ZoomInfo and Apollo to enable targeted business email compromise (BEC) attacks.
Read More