ATO currently surfaces a variety of event categories across Microsoft 365 and Google Workspace. Specifically, sign-in activity (including login location, devices, browsers, etc.), changes to mail filtering rules, and Azure risk events (such as users on known malicious IPs or anomalous token activity) are captured in Microsoft 365, while sign-in activity and mail filtering are supported in Google Workspace.
Account Takeovers Lead to Costly Data Breaches
Common
Nearly 80% of Fortune 1000 organizations have at least one compromised account.
Source: Abnormal Data
Frequent
33 million email credentials were stolen in 2021.
Source: 2022 Verizon DBIR
Costly
Compromised credentials leading to data breaches cost an average of $4.5 million.
Source: IBM Cost of a Data Breach 2022
PROBLEM:
Legacy Solutions Can't Detect Compromised Internal Accounts
Credential compromise is the most common cause of data breaches. Traditional email security solutions can’t effectively detect account takeovers in progress because they lack visibility into identity, behavior, and device attributes that indicate a user’s account has been hijacked.
THE SOLUTION:
Abnormal Inbound Email Security with Email Account Takeover Protection
Abnormal baselines normal behavior for every end user by analyzing signals like login frequency, authentication methods, locations, devices, operating systems, browsers, and more.
Armed with this knowledge, Abnormal detects when employee accounts have been compromised, remediates any messages sent from them, and disarms the account before attackers can do further damage.
Working together with Abnormal Inbound Email Security, the Email Account Takeover Protection module stops account takeover attempts to prevent additional attacks.
What Our Customers Say
Our customer-first approach is at the heart of everything we do.
"I really like the account compromise feature that autodetects threats and locks users out of those mailboxes. That was the real cherry on top for me, because it gives me peace of mind that not only is Abnormal blocking all the attacks, but also that if one actually succeeded, Abnormal auto-remediates that mailbox."
Jim Robinson, CIO, SuperConcepts
How Abnormal Stops Account Takeovers in Real Time
Detects Compromised Email Accounts
Abnormal observes end user behavior for activity that deviates from their known normal, including login behavior, MFA methods, too-fast-to-travel locations, mail rule changes, changes in email content and tone, unusual email recipients, and more. This behavioral analysis uncovers subtle anomalies to precisely detect compromised accounts.

Recreates the Crime Scene in Detail
Abnormal creates a case file of the account takeover diagnosis to organize the evidence for manual review. The analysis includes signals across email systems, Active Directory, devices, browsers, applications and more to provide a conclusive judgment and enable security teams to take broader downstream actions to mitigate the damage.

Kicks Attackers Out of Hijacked Accounts*
Only Abnormal ejects users out of compromised email accounts by automatically blocking account access, triggering a password reset, and signing out of all active sessions. Administrators can choose to auto-remediate compromised accounts or manually review cases.
*Currently available only for Microsoft 365.

Remediates Emails Sent From Compromised Accounts
When malicious emails from compromised accounts are sent to other employees, Abnormal automatically remediates them to hidden folders so users cannot see or engage with them. Unlike secure email gateways, Abnormal has full visibility into internal-to-internal email traffic, empowering you to inspect and remediate malicious lateral messages.

Account Takeover Protection Features
Real-Time Disarming
When an attack is in progress, and an account has been taken over, there is no time to waste. Abnormal can be configured to automatically remediate account takeovers in progress. A positively identified compromised account will be immediately signed out of all open sessions, the user will be blocked from account access, and the password will be reset.
*This feature is available for Microsoft 365 customers only.
Account Takeover Discovery
Abnormal identifies unusual user activity across files, devices, applications, and more in Microsoft 365 and Google Workspace environments. By assessing abnormalities in user login locations, devices used for work, email content and tone, and mail filtering rules and configurations, Abnormal determines whether or not an account has been compromised.
Account Takeover Investigation
Once an account takeover has been detected and remediated, your team will most likely need to open a detailed investigation into the compromise to understand what parts of the business may have been affected and where a breach may have occurred. Abnormal Account Takeover Protection automatically opens an Abnormal Case. The case is enriched with a detailed activity timeline, plotting when suspicious events occurred and remediation steps taken.
Lateral Phishing Detection and Remediation
Lateral phishing attacks are some of the most difficult to detect as East-West (internal) email traffic is invisible to most traditional security solutions. Abnormal’s lateral phishing compromise detection capability uses signals such as unusual email tone and content, changes to internal sender location and devices, alongside other real-time activity to automatically find and remediate malicious email communications originating from inside the corporate perimeter. Once these emails are discovered, they are rerouted to a hidden folder where employees cannot access them.
Deployment Outcomes
Costs Mitigated
$54K
Average cost savings with each compromised account remediated.
Dwell Time Eliminated
6 Seconds
Time to remediate compromised accounts post-detection.
Detect, Disable, and Remediate Compromised Accounts.
With an AI-based approach to detection, you can catch account takeover attempts that other solutions miss.
