Understanding and Preventing Account Takeover Attacks
Compromised accounts may be the most dangerous email threat that organizations face. Once an account has been compromised, it can be used to send additional attacks—giving attackers many options to steal funds and sensitive information.
Account takeover is hard to detect because it is a form of business identity theft: criminals obtain legitimate login credentials for real business email accounts. Unlike messages sent from impostor accounts, messages sent by attackers with this access come from the actual email accounts of compromised employees, executives, and vendors, which gives them far more credibility and lets them bypass traditional security measures.
Learn how threat actors execute email account takeover attacks, how they exploit compromised accounts, and what you can do to mitigate your risk.
How Email Account Takeovers Begin
Every email account takeover starts with a successful login, which requires valid credentials. Phishing, credential stuffing, and brute force password cracking are three ways bad actors can identify the email addresses and passwords they need to hijack email accounts.
Credential Harvesting
Phishing attacks aim to harvest credentials from their targets by impersonating trusted brands, vendors, partners, or executives. By sending an “urgent” message under this kind of disguise, phishing attacks can trick email recipients into visiting a fake website that logs their credentials as they key them in. No matter who is impersonated in these attacks, the combination of trust and time pressure is a powerful tool for credential theft.
Credential Stuffing
Sometimes the goal isn’t getting access to credentials but identifying where to use them. Attackers who have sets of credentials exposed in a data breach can try “stuffing” them into different login pages until they find matches.
Botnets make credential stuffing fast and scalable, and attackers have access to an enormous volume of credentials. For example, the email credentials of most Fortune 500 employees are among the billions available on the dark web.
Brute Force Password Cracking
Brute force password cracking attacks use bots and algorithms to generate guesses until they hit on the right combination of login ID and password to break into an account. These attacks are why passwords must be a certain length and contain a mix of letters, cases, numbers, and special characters to be considered secure.
It’s estimated that a password with at least one upper and lower case letter, one number, a special character, and a length of at least 12 characters could take a computer more than 30,000 years to crack.
How Compromised Accounts Are Used
No matter how criminals access login credentials, the result is the same: the compromise of an employee, executive, or trusted vendor’s email account. And regardless of the method used to snag the credentials, even one successful compromised account can start a cascade of other internal and external attacks.
Additional Internal Attacks
When an attacker with credentials assumes the victim’s email identity, they can see all the information in the email account, send new phishing requests to people on the victim’s contact list, and access other company systems where the victim has reused the same credentials. And with the connected cloud that enterprises today use, a compromise of a Microsoft 365 email account also gives the attacker access to tools like Teams, SharePoint, and OneDrive from which to harvest information.
When the victim is an executive, the attacker also has the “authority” to direct employees to pay fake invoices, shift the victim’s direct deposit to a new bank account, and share insider information for resale, ransom, or corporate espionage.
Third-Party Attacks and Supply Chain Compromise
When attackers take over email accounts that belong to vendors, they can then send fraudulent invoices and requests to update payment account information to any customer of that vendor. Unlike similar bogus requests sent from outside the company’s vendor ecosystem, these messages often use the same email and invoice formats as real messages from the vendor.
Further, because they also come from a known contact, recipients may not think twice about making the payment or account information update. Known as supply chain compromise, this tactic is increasingly popular, with fake invoices discovered by Abnormal requesting up to $2.1 million.
How to Stop Email Account Takeovers
Traditional email security tools don’t scan internal, east-west email traffic, which means they can’t detect internal compromised email accounts. And because third-party attacks appear to come from people with whom recipients have business relationships, the recipients are unlikely to question the requests.
Protecting organizations from compromised email accounts requires new security solutions that go beyond just scanning inbound messages for malicious payloads. The next generation of email security includes:
Multichannel Analysis to Benchmark Good Sender Behavior
An API integration with Microsoft 365 and Google Workspace enables the solution to analyze communication behavior, login frequency, devices and browsers used, apps accessed, and other signals. The solution quickly learns what normal behavior looks like for each end user so it can determine when something appears anomalous.
Remediation Options for Compromised Accounts
The solution must provide always-on monitoring to look for unexpected changes in user behavior such as changes in content and tone, attempts to bypass multi-factor authentication, and shifts in normal login signals. When these things occur, it should sign users out of active sessions, instantly disable email accounts, and trigger password resets.
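The two sections above describe learning a per-user baseline of login signals and mapping anomalies to remediation. The following is an added illustration of that logic, not code from the article or from any vendor product; the sample sign-in events, the signal weights and the score thresholds are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample sign-in telemetry (not real data):
# (user, device id, browser, country, hour of day in the user's local time)
LOGIN_EVENTS = [
    ("alice@example.com", "laptop-a1", "Chrome", "US", 9),
    ("alice@example.com", "laptop-a1", "Chrome", "US", 10),
    ("alice@example.com", "phone-a2", "Safari", "US", 18),
    ("alice@example.com", "laptop-a1", "Chrome", "US", 8),
]

# Signal weights are an assumption for illustration; a real product tunes them per tenant.
WEIGHTS = {"new device": 2, "new browser": 1, "new country": 3, "unusual hour": 1}

@dataclass
class Baseline:
    devices: set = field(default_factory=set)
    browsers: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    hours: set = field(default_factory=set)

def build_baselines(events):
    """Learn, per user, the set of devices, browsers, countries and hours seen so far."""
    baselines = defaultdict(Baseline)
    for user, device, browser, country, hour in events:
        b = baselines[user]
        b.devices.add(device)
        b.browsers.add(browser)
        b.countries.add(country)
        b.hours.add(hour)
    return baselines

def score_login(baseline, device, browser, country, hour):
    """Return (score, reasons): every signal absent from the baseline adds its weight."""
    checks = [("new device", device in baseline.devices),
              ("new browser", browser in baseline.browsers),
              ("new country", country in baseline.countries),
              ("unusual hour", hour in baseline.hours)]
    reasons = [name for name, seen in checks if not seen]
    return sum(WEIGHTS[r] for r in reasons), reasons

def recommend_actions(score):
    """Map the anomaly score to the remediation steps the article lists."""
    if score >= 5:
        return ["sign_out_sessions", "disable_account", "force_password_reset"]
    if score >= 3:
        return ["sign_out_sessions"]
    return []
```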
Vendor Monitoring to Detect External Compromised Accounts
To detect and prevent external compromised accounts from targeting your organization, the solution should also continuously monitor vendor-customer communication to set behavioral benchmarks and conduct real-time risk assessments of each vendor that has a relationship with the organization.
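An added illustration of the vendor benchmarking described here, applied to the fraudulent invoice and payment-change scenario from the supply chain section above; this is not code from the article or from any product. The vendor history, the domains, the account identifiers and the payment-change phrase list are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed history of messages from a vendor (not real data):
# (vendor, from domain, reply-to domain, bank account id referenced in the message or None)
VENDOR_HISTORY = [
    ("acme-supplies", "acme-supplies.example", "acme-supplies.example", "ACCT-1001"),
    ("acme-supplies", "acme-supplies.example", "acme-supplies.example", "ACCT-1001"),
    ("acme-supplies", "acme-supplies.example", "acme-supplies.example", None),
]

# Phrases that typically accompany a request to redirect payments; an assumption for illustration.
PAYMENT_CHANGE = re.compile(r"(update|change|new)\s+(bank|payment|account|wire)\b", re.I)

def build_vendor_profiles(history):
    """Benchmark each vendor's usual sending domain, reply-to domain and bank accounts."""
    profiles = defaultdict(lambda: {"from": set(), "reply_to": set(), "accounts": set()})
    for vendor, from_dom, reply_dom, account in history:
        p = profiles[vendor]
        p["from"].add(from_dom)
        p["reply_to"].add(reply_dom)
        if account:
            p["accounts"].add(account)
    return profiles

def assess_message(profile, from_dom, reply_dom, body, account):
    """Return (risk, findings) for one message measured against the vendor's benchmark."""
    findings = []
    if from_dom not in profile["from"]:
        findings.append("unfamiliar sending domain")
    if reply_dom not in profile["reply_to"]:
        findings.append("reply-to differs from vendor history")
    wants_change = bool(PAYMENT_CHANGE.search(body))
    if wants_change:
        findings.append("requests payment detail change")
    new_account = account is not None and account not in profile["accounts"]
    if new_account:
        findings.append("never-before-seen bank account")
    # A payment change pointing at an unknown account, or routed to an unfamiliar
    # reply-to, is the pattern a compromised vendor mailbox produces.
    if wants_change and (new_account or reply_dom not in profile["reply_to"]):
        risk = "high"
    elif findings:
        risk = "medium"
    else:
        risk = "low"
    return risk, findings
```

Note that the compromised-vendor case keeps the genuine sending domain, so the sending domain check alone would pass; the benchmark has to cover reply-to and payment details as well.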
Preventing the Weaponization of Trusted Email Accounts
Both internal and third-party email account takeovers are relatively easy to execute and incredibly hard for secure email gateways to detect. This means that organizations relying solely on legacy email security solutions will remain at high risk for costly invoice and billing fraud, data breaches, and other high-profile attacks that result from the access that one email account can provide.
Because email account takeover attacks exploit trusted email accounts and relationships, organizations need email security that can detect even small shifts in activity and content. As fraudsters deploy more sophisticated messaging techniques, accurately identifying those minor tells is the most effective way to keep messages from compromised accounts out of end users’ inboxes.
To learn more about account takeover, including why these attacks are successful and the full impact of this email-based threat, download the CISO Guide to Email Account Takeover.