Protect Against Cloud Account Takeovers
Prevent your user accounts from becoming compromised and used to launch additional attacks.
of account takeover victims are in the United States
increase in week-over-week account takeover attempts
of companies are targeted by account takeovers each week
Recognizing Cloud Account Takeovers
Creates a phishing campaign to secure credentials or buys them online
Uses the credentials to access a cloud email account
Lurks inside the account to understand important conversations
Launches other attacks, posing as the original victim
Detecting an Account Takeover Attack
This email passed the secure email gateway because it comes from an actual account. Despite having multiple links and attachments, the email account is a real user, taking part in an ongoing conversation.
However, there is suspicious activity behind the scenes:
The email BCC’ed a variety of people, none of whom work at the company
A mail rule was created to move messages from internal senders to the Junk folder
The account was logged into from San Francisco three hours ago, and again from Hong Kong twenty minutes ago
Based on this unusual activity, it’s clear that this account is compromised and now being used to send additional attacks
Stop, Investigate, and Respond to Cloud Account Takeovers with Confidence
Correlate Thousands of Abnormal Signals
This email about a new vendor was sent from Pam to Oscar, but the email originated from Nigeria — thousands of miles from the Scranton office.
Pam has never before traveled to Nigeria and the account is being simultaneously accessed from Pennsylvania. These signals indicate that Pam’s email account is being controlled from two locations.
By understanding and baselining normal login frequency, locations, devices, browsers IP addresses, and more, Abnormal can determine when accounts have been accessed by the end user, and when they’ve been accessed by a malicious actor.
Understand Mail Filter Rule Changes and Unusual Email Recipients
Prior to sending the email, Pam set new mail filter rules to move emails from Oscar to Junk, and forward them to an external address.
This is very uncommon behavior for Pam, who has never before used a mail filter rule. These rules are also common in cases of account takeovers, where threat actors wish to view all incoming mail, without needing to constantly access the account.
Abnormal notices the mail filter rule changes and determines that it is inconsistent with Pam’s usual patterns. We also recognize that the external email address is from Nigeria — the same location as the other login.
Detect Suspicious Correspondence Patterns in East-West Traffic
This message from Pam asks Angela to pay an invoice from a new vendor, but Pam has never emailed Angela before. She always emails Oscar when new invoices arrive.
The threat actor may understand that Angela is an accountant and realize that she’s the best person to email about a fake invoice. However, he hasn’t realized that Pam never works with Angela.
Abnormal understands behavior and relationships and realizes that Pam always emails Oscar with new vendor invoices. This abnormal interdepartmental correspondence, particularly relating to financial information, is a key indicator that the account is compromised.
Instantly Detect and Remediate
Pam has yet to realize her account has been compromised and is being used to send additional invoice fraud and business email compromise attacks.
It’s uncommon for employees to realize their account has been compromised. In some cases, threat actors will wait for weeks or even months before they decide to use the account for additional attacks.
However, Abnormal recognizes these signals immediately and alerts Security Operations teams when an account has been compromised. Abnormal blocks account access, signs out the account from all active sessions, and triggers a password reset.
Recognize ATO Signals from External Accounts
In this case, Pam was an internal employee who was compromised. However, compromised accounts of external vendors and partners can also be used to attack the Dunder Mifflin organization.
External account compromises are historically more difficult to detect, given that threat actors typically hijack existing conversations and send attacks to known partners.
The native Abnormal API integration to Office 365 automatically maps organizations and business processes in your supply chain for continuous behavior analysis. Using VendorBase, it enriches these insights using signals observed across the entire enterprise ecosystem.
By analyzing identities, content, and behavior, Abnormal precisely determines when an external account has been compromised to prevent socially engineered account compromise and fraud.