Protect Against Cloud Account Takeovers

Prevent your user accounts from becoming compromised and used to launch additional attacks.

Read Our CISO Guide to Account Takeover
Account Takeover Header V2


of account takeover victims are in the United States

Source: Javelin Strategy & Research, 2020


increase in week-over-week account takeover attempts

Source: Abnormal Security, Q3 2021


of companies are targeted by account takeovers each week

Source: Abnormal Security, Q3 2021

Recognizing Cloud Account Takeovers

Account takeovers occur when attackers secure credentials to email accounts within an organization. They can do this through credential phishing campaigns, brute force attacks, or by purchasing passwords online. Once they have access to the account, they can pose as that person to launch additional attacks, or access other systems, including financial portals or cloud-based storage. In these attacks, the threat actor:


Creates a phishing campaign to secure credentials or buys them online


Uses the credentials to access a cloud email account


Lurks inside the account to understand important conversations


Launches other attacks, posing as the original victim

abnormal detecting a phishing attack

Detecting an Account Takeover Attack

This email passed the secure email gateway because it comes from an actual account. Despite having multiple links and attachments, the email account is a real user, taking part in an ongoing conversation.

However, there is suspicious activity behind the scenes:

  • The email BCC’ed a variety of people, none of whom work at the company

  • A mail rule was created to move messages from internal senders to the Junk folder

  • The account was logged into from San Francisco three hours ago, and again from Hong Kong twenty minutes ago

Based on this unusual activity, it’s clear that this account is compromised and now being used to send additional attacks


Stop, Investigate, and Respond to Cloud Account Takeovers with Confidence

detecting a potential account takeover based on location

Correlate Thousands of Abnormal Signals

This email about a new vendor was sent from Pam to Oscar, but the email originated from Nigeria — thousands of miles from the Scranton office.

Pam has never before traveled to Nigeria and the account is being simultaneously accessed from Pennsylvania. These signals indicate that Pam’s email account is being controlled from two locations.

By understanding and baselining normal login frequency, locations, devices, browsers IP addresses, and more, Abnormal can determine when accounts have been accessed by the end user, and when they’ve been accessed by a malicious actor.

detecting account takeover due to new mail filter rules and unusual recipients

Understand Mail Filter Rule Changes and Unusual Email Recipients

Prior to sending the email, Pam set new mail filter rules to move emails from Oscar to Junk, and forward them to an external address.

This is very uncommon behavior for Pam, who has never before used a mail filter rule. These rules are also common in cases of account takeovers, where threat actors wish to view all incoming mail, without needing to constantly access the account.

Abnormal notices the mail filter rule changes and determines that it is inconsistent with Pam’s usual patterns. We also recognize that the external email address is from Nigeria — the same location as the other login.

detecting suspicious email patterns

Detect Suspicious Correspondence Patterns in East-West Traffic

This message from Pam asks Angela to pay an invoice from a new vendor, but Pam has never emailed Angela before. She always emails Oscar when new invoices arrive.

The threat actor may understand that Angela is an accountant and realize that she’s the best person to email about a fake invoice. However, he hasn’t realized that Pam never works with Angela.

Abnormal understands behavior and relationships and realizes that Pam always emails Oscar with new vendor invoices. This abnormal interdepartmental correspondence, particularly relating to financial information, is a key indicator that the account is compromised.

automatically remediating an account takeover

Instantly Detect and Remediate

Pam has yet to realize her account has been compromised and is being used to send additional invoice fraud and business email compromise attacks.

It’s uncommon for employees to realize their account has been compromised. In some cases, threat actors will wait for weeks or even months before they decide to use the account for additional attacks.

However, Abnormal recognizes these signals immediately and alerts Security Operations teams when an account has been compromised. Abnormal blocks account access, signs out the account from all active sessions, and triggers a password reset.

recognizing external account takeover from vendor

Recognize ATO Signals from External Accounts

In this case, Pam was an internal employee who was compromised. However, compromised accounts of external vendors and partners can also be used to attack the Dunder Mifflin organization.

External account compromises are historically more difficult to detect, given that threat actors typically hijack existing conversations and send attacks to known partners.

The native Abnormal API integration to Office 365 automatically maps organizations and business processes in your supply chain for continuous behavior analysis. Using VendorBase, it enriches these insights using signals observed across the entire enterprise ecosystem.

By analyzing identities, content, and behavior, Abnormal precisely determines when an external account has been compromised to prevent socially engineered account compromise and fraud.


Trusted by Global Enterprises


See the Abnormal Solution to the Email Security Problem

Protect your organization from the full spectrum of email attacks with Abnormal.

Integrates Insights Reporting 09 08 22

Related Resources

B 1500x1500 Email Security Datasheet L2 R1
Prevent costly data breaches by detecting and mitigating email account takeovers in real time.
Read More
B 02 14 23 Gartner report 2024
Abnormal’s fundamentally different approach to cloud email security provides the best protection against existing and emerging attack techniques.
Read More
Everise case study cover
By mid-2021, Everise had more than 11,000 employees to meet new demand for outsourced services. But the shift to remote work brought new email security risks. “Our people are good at what they do, but they’re not email security specialists, and attackers know that."
Read More
B 02 08 23 1500x1500 H12023 Threat Report
Abnormal’s latest report on business email compromise trends and statistics finds that employees open 28% of attacks and reply to 15% of them.
Download Now
Webinar cover 1
Traditional cybersecurity infrastructure can’t stop new and emerging threats, particularly in the email channel, and cybercriminals are constantly changing their methods to stay one step ahead. Hear how Theresa Payton, first female White House CIO, thinks about these attacks.
Watch Now
Blog purple person
To detect account takeovers, Abnormal Security’s machine learning algorithms utilize many factors related to location, devices, and applications. However, until now, much of that information was not exposed to users. In an effort to be as customer-centric as possible...
Read More