Understanding and Preventing Account Takeover Attacks

Learn how threat actors execute account takeovers, how they exploit compromised accounts, and what you can do to reduce your risk.

August 23, 2022

Compromised accounts may be the most dangerous email threat that organizations face. Once an account has been compromised, it can be used to send additional attacks—giving attackers many options to steal funds and sensitive information.

The takeover of these accounts is hard to detect because it is a form of business identity theft that happens after criminals obtain legitimate login credentials for real business email accounts. Unlike messages that come from bad actors using impostor accounts, once attackers have access, they can send their malicious missives from the actual email accounts of compromised employees, executives, and vendors, establishing far more credibility and bypassing traditional security measures.

Learn how threat actors execute account takeover attacks, how they exploit compromised accounts, and what you can do to mitigate your risk.

How Account Takeovers Begin

Every account takeover starts with a successful login, which requires valid credentials. Phishing, credential stuffing, and brute force password cracking are three ways bad actors obtain the email addresses and passwords they need to hijack email accounts.

Credential Harvesting

Phishing attacks aim to harvest credentials from their targets by impersonating trusted brands, vendors, partners, or executives. By sending an “urgent” message under this kind of disguise, phishing attacks can trick email recipients into visiting a fake website that logs their credentials as they key them in. No matter who is impersonated in these attacks, the combination of trust and time pressure is a powerful tool for credential theft.

Credential Stuffing

Sometimes the goal isn’t getting access to credentials but identifying where to use them. Attackers who have sets of credentials exposed in a data breach can try “stuffing” them into different login pages until they find matches.

Botnets make credential stuffing fast and scalable, and attackers have no shortage of credentials to try. For example, the email credentials of most Fortune 500 employees are among the billions available on the dark web.

Brute Force Password Cracking

Brute force password cracking attacks use bots and algorithms to generate guesses until they hit on the right combination of login ID and password to break into an account. These attacks are why passwords must be a certain length and contain a mix of letters, cases, numbers, and special characters to be considered secure.

It’s estimated that a password with at least one upper and lower case letter, one number, a special character, and a length of at least 12 characters could take a computer more than 30,000 years to crack.
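The credential stuffing and brute force patterns described above are distinguishable in authentication logs by how failures are spread across accounts. The following Python is an added example, not code from the original post or from Abnormal: it assumes a constructed log format (timestamp, source IP, username, outcome) and invented sample lines, and it also reports which accounts a flagged source eventually logged into, since that successful login is where a takeover begins.

```python
from collections import defaultdict

# Constructed sample of authentication log lines (not real data); fields are
# timestamp, source IP, username, outcome. Documentation-range IPs are used.
AUTH_LOG = """\
2022-08-23T09:00:01 203.0.113.7 alice@example.com FAIL
2022-08-23T09:00:02 203.0.113.7 bob@example.com FAIL
2022-08-23T09:00:02 203.0.113.7 carol@example.com FAIL
2022-08-23T09:00:03 203.0.113.7 dave@example.com SUCCESS
2022-08-23T09:00:04 203.0.113.7 erin@example.com FAIL
2022-08-23T09:00:05 203.0.113.7 frank@example.com FAIL
2022-08-23T09:01:00 198.51.100.9 alice@example.com FAIL
2022-08-23T09:01:01 198.51.100.9 alice@example.com FAIL
2022-08-23T09:01:02 198.51.100.9 alice@example.com FAIL
2022-08-23T09:01:03 198.51.100.9 alice@example.com FAIL
2022-08-23T09:01:04 198.51.100.9 alice@example.com FAIL
2022-08-23T09:01:05 198.51.100.9 alice@example.com SUCCESS
2022-08-23T09:02:00 192.0.2.44 grace@example.com FAIL
2022-08-23T09:02:30 192.0.2.44 grace@example.com SUCCESS
"""

def parse_auth_log(log):
    """Split each non-empty line into (timestamp, ip, user, outcome)."""
    return [tuple(line.split()) for line in log.splitlines() if line.strip()]

def classify_sources(events, min_attempts=5, fail_ratio=0.8, spread_ratio=0.8):
    """Label each source IP 'credential_stuffing', 'brute_force' or 'normal'.
    Stuffing: failures spread over many distinct accounts (about one try each).
    Brute force: failures concentrated on one or a few accounts."""
    by_ip = defaultdict(list)
    for _, ip, user, outcome in events:
        by_ip[ip].append((user, outcome))
    verdicts = {}
    for ip, attempts in by_ip.items():
        total = len(attempts)
        fails = sum(1 for _, o in attempts if o == "FAIL")
        distinct_users = len({u for u, _ in attempts})
        if total < min_attempts or fails / total < fail_ratio:
            verdicts[ip] = "normal"  # too few tries, or mostly successes
        elif distinct_users / total >= spread_ratio:
            verdicts[ip] = "credential_stuffing"
        else:
            verdicts[ip] = "brute_force"
    return verdicts

def likely_compromised(events, verdicts):
    """Accounts a flagged source eventually logged into: a takeover has begun."""
    return sorted({u for _, ip, u, o in events
                   if o == "SUCCESS" and verdicts[ip] != "normal"})
```

Tune the thresholds to your own login volumes; the ratios here are illustrative, and a source that only ever succeeds is deliberately left as normal.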

How Compromised Accounts Are Used

No matter how criminals access login credentials, the result is the same: the compromise of an employee, executive, or trusted vendor’s email account. And regardless of the method used to snag the credentials, even one successful compromised account can start a cascade of other internal and external attacks.

Additional Internal Attacks

When an attacker with credentials assumes the victim’s email identity, they can see all the information in the email account, send new phishing requests to people on the victim’s contact list, and access any company accounts that reuse the victim’s credentials. And in the connected cloud environments enterprises use today, a compromise of a Microsoft 365 email account also gives the attacker access to tools like Teams, SharePoint, and OneDrive from which to harvest information.

When the victim is an executive, the attacker also has the “authority” to direct employees to pay fake invoices, shift the victim’s direct deposit to a new bank account, and share insider information for resale, ransom, or corporate espionage.

Third-Party Attacks and Supply Chain Compromise

When attackers take over email accounts that belong to vendors, they can then send fraudulent invoices and requests to update payment account information to any customer of that vendor. Unlike similar bogus requests sent from outside the company’s vendor ecosystem, these messages often use the same email and invoice formats as real messages from the vendor.

Further, because they also come from a known contact, recipients may not think twice about making the payment or account information update. Known as supply chain compromise, this tactic is increasingly popular, with fake invoices discovered by Abnormal requesting up to $2.1 million.

How to Stop Account Takeovers

Traditional email security tools don’t scan internal, east-west email traffic, which means they can’t detect internal compromised accounts. And because third-party attacks appear to come from people with whom recipients have business relationships, the recipients are unlikely to question the requests.

Protecting organizations from compromised accounts requires new security solutions that go beyond just scanning inbound messages for malicious payloads. The next generation of email security includes:

Multichannel Analysis to Benchmark Good Sender Behavior

An API integration with Microsoft 365 and Google Workspace enables the solution to analyze communication behavior, login frequency, devices and browsers used, apps accessed, and other signals. The solution quickly learns what normal behavior looks like for each end user so it can determine when something appears anomalous.

Remediation Options for Compromised Accounts

The solution must provide always-on monitoring to look for unexpected changes in user behavior such as changes in content and tone, attempts to bypass multi-factor authentication, and shifts in normal login signals. When these things occur, it should sign users out of active sessions, instantly disable accounts, and trigger password resets.
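The behavioral baselining and the response actions described in the last two sections, as an added example that is not code from the original post or from Abnormal's product. It assumes a constructed login history per user (device, browser, hour of day) and an invented vocabulary for MFA results; the scores and thresholds are illustrative.

```python
# Constructed login history per user (not real data). Each past successful
# login is (device, browser, hour_of_day); mfa_result values below are invented.
HISTORY = {
    "alice@example.com": [
        ("win-laptop-01", "Edge", 9),
        ("win-laptop-01", "Edge", 10),
        ("win-laptop-01", "Edge", 8),
        ("iphone-alice", "Safari", 18),
    ],
}

def build_baseline(history):
    """Summarise what normal looks like per user: devices, browsers, hours seen."""
    return {user: {"devices": {d for d, _, _ in lg}, "browsers": {b for _, b, _ in lg},
                   "hours": {h for _, _, h in lg}} for user, lg in history.items()}

def hour_distance(a, b):
    """Distance between two hours of day, wrapping at midnight (23 vs 1 is 2)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)

def score_login(baseline, user, device, browser, hour, mfa_result):
    """Return (score, reasons); a higher score is further from the user's baseline."""
    b = baseline.get(user)
    if b is None:
        return 3, ["no baseline for user"]
    score, reasons = 0, []
    if device not in b["devices"]:
        score, reasons = score + 2, reasons + ["unseen device"]
    if browser not in b["browsers"]:
        score, reasons = score + 1, reasons + ["unseen browser"]
    if all(hour_distance(hour, h) > 3 for h in b["hours"]):
        score, reasons = score + 1, reasons + ["unusual login hour"]
    if mfa_result in ("bypassed", "legacy_auth"):  # login that sidestepped MFA
        score, reasons = score + 3, reasons + ["MFA bypass attempt"]
    return score, reasons

def remediation(score):
    """Map an anomaly score to the responses the post describes."""
    if score >= 4:
        return ["sign_out_sessions", "disable_account", "trigger_password_reset"]
    if score >= 2:
        return ["sign_out_sessions"]
    return []
```

A production system would also fold in login frequency, apps accessed, and content or tone shifts in sent mail, which this sketch leaves out.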

Vendor Monitoring to Detect External Compromised Accounts

To detect and prevent external compromised accounts from targeting your organization, the solution should also continuously monitor vendor-customer communication to set behavioral benchmarks and conduct real-time risk assessments of each vendor that has a relationship with the organization.

Preventing the Weaponization of Trusted Email Accounts

Both internal and third-party account takeovers are relatively easy to execute and incredibly hard for secure email gateways to detect. This means that organizations relying solely on legacy email security solutions will remain at high risk for costly invoice and billing fraud, data breaches, and other high-profile attacks that result from the access that one email account can provide.

Because account takeover attacks exploit trusted email accounts and relationships, organizations need email security that can detect even small shifts in activity and content. As fraudsters deploy more sophisticated messaging techniques, accurately identifying those minor tells is the most effective way to keep messages from compromised accounts out of end users’ inboxes.

To learn more about account takeover, including why these attacks are successful and the full impact of this email-based threat, download the CISO Guide to Account Takeover.
