Email Account Takeover Protection

When attackers compromise email credentials, the possibilities are endless. Detect and mitigate email account takeovers in real time when you combine Abnormal Inbound Email Security with the Email Account Takeover Protection add-on module.
Get a Demo
DemoCase StudiesCapabilitiesFeaturesDeployment OutcomesFAQs

Account Takeovers Lead to Costly Data Breaches


Nearly 80% of Fortune 1000 organizations have at least one compromised account.
Source: Abnormal Data


33 million email credentials were stolen in 2021.
Source: 2022 Verizon DBIR


Compromised credentials leading to data breaches cost an average of $4.5 million.
Source: IBM Cost of a Data Breach 2022

Legacy Solutions Can't Detect Compromised Internal Accounts

Credential compromise is the most common cause of data breaches. Traditional email security solutions can’t effectively detect account takeovers in progress because they lack visibility into identity, behavior, and device attributes that indicate a user’s account has been hijacked.

Abnormal Inbound Email Security with Email Account Takeover Protection

Abnormal baselines normal behavior for every end user by analyzing signals like login frequency, authentication methods, locations, devices, operating systems, browsers, and more. Armed with this knowledge, Abnormal detects when employee accounts have been compromised, remediates any messages sent from them, and disarms the account before attackers can do further damage. Working together with Abnormal Inbound Email Security, the Email Account Takeover Protection module stops account takeover attempts to prevent additional attacks.

What Our Customers Say

Our customer-first approach is at the heart of everything we do.
"I really like the account compromise feature that autodetects threats and locks users out of those mailboxes. That was the real cherry on top for me, because it gives me peace of mind that not only is Abnormal blocking all the attacks, but also that if one actually succeeded, Abnormal auto-remediates that mailbox."
Jim Robinson, CIO, SuperConcepts
Read Case Study

How Abnormal Stops Account Takeovers in Real Time

Detects Compromised Email Accounts

Abnormal observes end user behavior for activity that deviates from their known normal, including login behavior, MFA methods, too-fast-to-travel locations, mail rule changes, change in email content and tone, unusual email recipients, and more. This behavioral analysis uncovers subtle anomalies to precisely detect compromised accounts.

Recreates the Crime Scene in Detail

Abnormal creates a case file of the account takeover diagnosis to organize the evidence for manual review. The analysis includes signals across email systems, Active Directory, devices, browsers, applications and more to provide a conclusive judgment and enable security teams to take broader downstream actions to mitigate the damage.

Kicks Attackers Out of Hijacked Accounts*

Only Abnormal ejects users out of compromised email accounts by automatically blocking account access, triggering a password reset, and signing out of all active sessions. Administrators can choose to auto-remediate compromised accounts or manually review cases.
*Currently available only for Microsoft 365.

Remediates Emails Sent From Compromised Accounts

When malicious emails from compromised accounts are sent to other employees, Abnormal automatically remediates them to hidden folders so users cannot see or engage with them. Unlike secure email gateways, Abnormal has full visibility into internal-to-internal email traffic, empowering you to inspect and remediate malicious lateral messages.

Account Takeover Protection Features

Real-Time Disarming

When an attack is in progress, and an account has been taken over, there is no time to waste. Abnormal can be configured to automatically remediate account takeovers in progress. A positively identified compromised account will be immediately signed out of all open sessions, the user will be blocked from account access, and the password will be reset.
*This feature available for Microsoft 365 customers only.

Account Takeover Discovery

Abnormal identifies unusual user activity across files, devices, applications, and more in Microsoft 365 and Google Workspaces environments. By assessing abnormalities in user login locations, devices used for work, email content and tone, and mail filtering rules and configurations, Abnormal makes the determination on whether or not an account has been compromised.

Account Takeover Investigation

Once an account takeover has been detected and remediated, your team will most likely need to open a detailed investigation into the compromise to understand what parts of the business may have been affected and where a breach may have occurred. Abnormal Account Takeover Protection automatically opens an Abnormal Case. The case is enriched with a detailed activity timeline, plotting when suspicious events occurred and remediation steps taken.

Lateral Phishing Detection and Remediation

Lateral phishing attacks are some of the most difficult to detect as East-West (internal) email traffic is invisible to most traditional security solutions. Abnormal’s lateral phishing compromise detection capability uses signals such as unusual email tone and content, changes to internal sender location and devices, alongside other real-time activity to automatically find and remediate malicious email communications originating from inside the corporate perimeter. Once these emails are discovered, they are rerouted to a hidden folder where employees cannot access them.

Deployment Outcomes

Costs Mitigated
Average cost savings with each compromised account remediated.
Dwell Time Eliminated
6 Seconds
Time to remediate compromised accounts post-detection.

Frequently Asked Questions About Account Takeover Protection

Trusted by Global Enterprises

Detect, Disable, and Remediate Compromised Accounts.

With an AI-based approach to detection, you can catch account takeover attempts that other solutions miss.
See a Demo

Abnormal Resources