GF 09 720x478 2x

Protect Against Cloud Account Takeovers

Prevent your user accounts from becoming compromised and used to launch additional attacks.


of account takeover victims are in the United States

Source: Javelin Strategy & Research, 2020


increase in week-over-week account takeover attempts

Source: Abnormal Security, Q3 2021


of companies are targeted by account takeovers each week

Source: Abnormal Security, Q3 2021

Recognizing Cloud Account Takeovers

Account takeovers occur when attackers secure credentials to email accounts within an organization. They can do this through credential phishing campaigns, brute force attacks, or by purchasing passwords online. Once they have access to the account, they can pose as that person to launch additional attacks, or access other systems, including financial portals or cloud-based storage. In these attacks, the threat actor:


Creates a phishing campaign to secure credentials or buys them online


Uses the credentials to access a cloud email account


Lurks inside the account to understand important conversations


Launches other attacks, posing as the original victim

05 PBEC 01 email Phishing BEC Email analysis 2x

Detecting an Account Takeover Attack

This email passed the secure email gateway because it comes from an actual account. Despite having multiple links and attachments, the email account is a real user, taking part in an ongoing conversation.

However, there is suspicious activity behind the scenes:

  • The email BCC’ed a variety of people, none of whom work at the company

  • A mail rule was created to move messages from internal senders to the Junk folder

  • The account was logged into from San Francisco three hours ago, and again from Hong Kong twenty minutes ago

Based on this unusual activity, it’s clear that this account is compromised and now being used to send additional attacks

Stop, Investigate, and Respond to Cloud Account Takeovers with Confidence

Account takeover 01 2x

Correlate Thousands of Abnormal Signals

This email about a new vendor was sent from Pam to Oscar, but the email originated from Nigeria — thousands of miles from the Scranton office.

Pam has never before traveled to Nigeria and the account is being simultaneously accessed from Pennsylvania. These signals indicate that Pam’s email account is being controlled from two locations.

By understanding and baselining normal login frequency, locations, devices, browsers IP addresses, and more, Abnormal can determine when accounts have been accessed by the end user, and when they’ve been accessed by a malicious actor.

Account Take Over 04 2x

Understand Mail Filter Rule Changes and Unusual Email Recipients

Prior to sending the email, Pam set new mail filter rules to move emails from Oscar to Junk, and forward them to an external address.

This is very uncommon behavior for Pam, who has never before used a mail filter rule. These rules are also common in cases of account takeovers, where threat actors wish to view all incoming mail, without needing to constantly access the account.

Abnormal notices the mail filter rule changes and determines that it is inconsistent with Pam’s usual patterns. We also recognize that the external email address is from Nigeria — the same location as the other login.

Account takeover 02 2x

Detect Suspicious Correspondence Patterns in East-West Traffic

This message from Pam asks Angela to pay an invoice from a new vendor, but Pam has never emailed Angela before. She always emails Oscar when new invoices arrive.

The threat actor may understand that Angela is an accountant and realize that she’s the best person to email about a fake invoice. However, he hasn’t realized that Pam never works with Angela.

Abnormal understands behavior and relationships and realizes that Pam always emails Oscar with new vendor invoices. This abnormal interdepartmental correspondence, particularly relating to financial information, is a key indicator that the account is compromised.

Account takeover 03 2x

Instantly Detect and Remediate

Pam has yet to realize her account has been compromised and is being used to send additional invoice fraud and business email compromise attacks.

It’s uncommon for employees to realize their account has been compromised. In some cases, threat actors will wait for weeks or even months before they decide to use the account for additional attacks.

However, Abnormal recognizes these signals immediately and alerts Security Operations teams when an account has been compromised. Abnormal blocks account access, signs out the account from all active sessions, and triggers a password reset.

Account takeover 04 2x

Recognize ATO Signals from External Accounts

In this case, Pam was an internal employee who was compromised. However, compromised accounts of external vendors and partners can also be used to attack the Dunder Mifflin organization.

External account compromises are historically more difficult to detect, given that threat actors typically hijack existing conversations and send attacks to known partners.

The native Abnormal API integration to Office 365 automatically maps organizations and business processes in your supply chain for continuous behavior analysis. Using VendorBase, it enriches these insights using signals observed across the entire enterprise ecosystem.

By analyzing identities, content, and behavior, Abnormal precisely determines when an external account has been compromised to prevent socially engineered account compromise and fraud.

Trusted by Global Enterprises


See an Abnormal Product Demo

Related Resources

Data sheet 3
By understanding normal behavior, Abnormal can detect any deviations in these baselines to uncover potentially compromised accounts and then immediately remediate them. When left undetected, attackers can use compromised accounts to exfiltrate sensitive data or send lateral phishing emails.
Read More
Threat report 1
Cybercriminals upped their game over the last quarter—increasing the number of credential phishing attacks and account takeover attempts. In our quarterly threat report, Abnormal Security discovered significant increases in the number of brute force attacks and impersonation attempts.
Read More
Account takeover cover
Account takeovers are one of the biggest threats facing organizations of all sizes. They happen when cybercriminals gain legitimate login credentials and then use those credentials to send more attacks, acting like the person...
Read More
Webinar cover 1
Traditional cybersecurity infrastructure can’t stop new and emerging threats, particularly in the email channel, and cybercriminals are constantly changing their methods to stay one step ahead. Hear how Theresa Payton, first female White House CIO, thinks about these attacks.
Read More
Blog purple person
To detect account takeovers, Abnormal Security’s machine learning algorithms utilize many factors related to location, devices, and applications. However, until now, much of that information was not exposed to users. In an effort to be as customer-centric as possible...
Read More