Protecting Users From Email Account Takeovers

Monnia Deng, Co-founder at Mesa Security

Account takeover (ATO) fraud is expected to cost businesses and consumers billions by 2025, with global losses estimated at $16.8 billion according to Security.org. ATO occurs when a malicious actor exploits an employee’s compromised account and uses that access to attempt further attacks, gather sensitive data, or, worse, obtain financial gain. ATO can have devastating consequences for individuals, organizations, and businesses alike, including reputational damage, monetary loss, liability, and loss of trust.

Identifying users at high risk of ATO is critical to preventing ATO incidents. A User Risk Score is a very useful measure because it provides a multifaceted view of suspicious activity and transactions over time and across vectors. Traditional security alerts are reactive and often limited in scope: they focus on single events rather than on the behavioral patterns and variables (such as uncharacteristic login activity, anomalies during logins, repeated misuse of email, and security policy violations) that together indicate an account may be compromised. Organizations should implement active systems that continually assess signals such as impossible-travel logins, unusual IP address changes, uncommon email forwarding rules, and high volumes of outgoing phishing attempts, so that compromised accounts are caught before the account is fully taken over and it is too late.

How Account Takeover (ATO) Works

Understanding the mechanics of how an Account Takeover (ATO) occurs is crucial for organizations aiming to defend against such attacks. ATO attacks are sophisticated and usually involve a series of well-planned steps that attackers execute to gain control of an email account:

  1. Credential Theft – Hackers steal login credentials through phishing, brute-force attacks, credential stuffing, or malware.
  2. Account Access – Once inside the account, they move discreetly, avoiding security alerts.
  3. Lateral Movement – They monitor email activity, steal data, and use the account to launch internal phishing attacks.
  4. Persistence & Damage – Attackers may set up forwarding rules, reset MFA, or impersonate the user to conduct fraud, wire transfers, or, most commonly, business email compromise (BEC) scams.

How to Identify High-Risk Users

A User Risk Score is a powerful indicator of Account Takeover (ATO) because it consists of clear, concise, actively updated indications of suspicious activity, assessed against historical data as opposed to isolated current actions. In contrast to static security alerts that address singular events, a risk score focuses on behavioral patterns, login anomalies, email usage, and violations of security policy to assess when an account could be compromised. Risk scores track user behavior for continuous monitoring (e.g., a user logging into a work account from a location that would be impossible to reach in the time elapsed, or a login IP address that suddenly shifts to a new “work from home” network). When the factors are considered together (e.g., unauthorized simultaneous logins from separate locations, rogue email forwarding rules that remove message footprints, and spikes in outbound phishing volume on a given calendar date), the system flags compromised accounts before a malicious actor fully capitalizes on the access.

These kinds of breaches can persist unnoticed for months, giving the attacker time to steal sensitive data, execute financial crimes, send or access material the account owner would never expect, and, if they reach other internal accounts, spread phishing emails across the enterprise. An attacker with ongoing access to a company’s internal email system can send realistic-looking credential requests tailored to employees’ specific interests, creating expectations that encourage users to click malicious links. With a solution that provides user-context lookup and automated remediation, the organization can remove the bad actor before anything of significance is exploited and before it is too late. Good enterprise monitoring should identify unusual user behavior, especially when it tracks each user’s profile for unplanned increases in email forwarding or unusual logins from new locations, IP addresses, and so on, and should enable a quick response.

A User Risk Score is calculated based on multiple security factors, including:

  1. Unusual Login Activity
    • Logins from new locations, IP addresses, or unrecognized devices raise the risk score.
  2. Failed Login Attempts & Brute Force Detection
    • A surge in failed logins or password reset attempts suggests someone is trying to force their way in.
  3. Email Forwarding & Inbox Rules
    • Attackers set up auto-forwarding rules to exfiltrate emails without detection. Any unusual rules created without user intervention increase the risk score.
  4. Geographic & Behavioral Analysis
    • If a user logs in from two different locations within minutes (impossible travel scenario), their risk score increases.
  5. High-Risk Email Sending Patterns
    • If a user starts sending large volumes of emails containing phishing links, malware, or unusual requests, their risk score spikes.
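The five factors above can be combined into a single score by weighting each signal as it appears in the login and mailbox event stream. The following is an added example, not Mesa’s own scoring logic; the event field names, weights, thresholds, and the sample baseline and events are constructed assumptions for illustration.

```python
from datetime import datetime, timedelta
# Constructed sample baseline and event log (not real telemetry); field names are assumptions.
BASELINE = {
    "alice": {"geo": {"London"}, "ip": {"203.0.113.5"}, "device": {"laptop-1"}},
    "bob": {"geo": {"Berlin"}, "ip": {"192.0.2.7"}, "device": {"desktop-2"}},
}
EVENTS = [  # sorted by timestamp
    {"user": "alice", "ts": "2024-03-01T09:00:00", "type": "login", "ok": True, "geo": "London", "ip": "203.0.113.5", "device": "laptop-1"},
    {"user": "alice", "ts": "2024-03-01T09:20:00", "type": "login", "ok": True, "geo": "Singapore", "ip": "198.51.100.9", "device": "unknown-7"},
    {"user": "alice", "ts": "2024-03-01T09:25:00", "type": "inbox_rule", "forward_to": "drop@example.net"},
    {"user": "alice", "ts": "2024-03-01T09:30:00", "type": "send", "recipients": 120, "suspicious_links": True},
    {"user": "bob", "ts": "2024-03-01T10:00:00", "type": "login", "ok": True, "geo": "Berlin", "ip": "192.0.2.7", "device": "desktop-2"},
] + [{"user": "bob", "ts": f"2024-03-01T10:{m:02d}:00", "type": "login", "ok": False,
      "geo": "Berlin", "ip": "192.0.2.7", "device": "desktop-2"} for m in range(5, 11)]
# Weight per factor; thresholds are illustrative, not a recommended tuning.
WEIGHTS = {"new_geo": 10, "new_ip": 10, "new_device": 10, "failed_burst": 20,
           "forwarding_rule": 25, "impossible_travel": 30, "phishing_volume": 30}
FAIL_THRESHOLD, FAIL_WINDOW, TRAVEL_WINDOW = 5, timedelta(minutes=15), timedelta(hours=1)

def score_users(events, baseline):
    """Return {user: (score, [triggered factors])}; each factor adds its weight when it fires."""
    scores, reasons, last_ok_login, fails = {}, {}, {}, {}
    for e in events:
        u, ts, hits = e["user"], datetime.fromisoformat(e["ts"]), []
        if e["type"] == "login" and e["ok"]:
            base = baseline.get(u, {})
            for f in ("geo", "ip", "device"):  # factor 1: unfamiliar location, IP or device
                if e[f] not in base.get(f, set()):
                    hits.append(f"new_{f}")
            prev = last_ok_login.get(u)  # factor 4: two locations within the travel window
            if prev and prev[1] != e["geo"] and ts - prev[0] <= TRAVEL_WINDOW:
                hits.append("impossible_travel")
            last_ok_login[u] = (ts, e["geo"])
        elif e["type"] == "login":  # factor 2: burst of failed logins inside a sliding window
            fails[u] = [t for t in fails.get(u, []) if ts - t <= FAIL_WINDOW] + [ts]
            if len(fails[u]) == FAIL_THRESHOLD:  # fire once, when the threshold is first reached
                hits.append("failed_burst")
        elif e["type"] == "inbox_rule" and e.get("forward_to"):  # factor 3: new forwarding rule
            hits.append("forwarding_rule")
        elif e["type"] == "send" and e.get("suspicious_links") and e["recipients"] > 50:  # factor 5
            hits.append("phishing_volume")
        for h in hits:
            scores[u] = scores.get(u, 0) + WEIGHTS[h]
            reasons.setdefault(u, []).append(h)
    return {u: (scores[u], reasons[u]) for u in scores}

def risk_level(score):
    """Bucket a score so responders can prioritise: lock/reset for high, review for medium."""
    return "high" if score >= 60 else "medium" if score >= 30 else "low"
```

Running it against the constructed events scores alice as high (new location, IP and device, impossible travel, a forwarding rule and a phishing burst all fire) while bob stays low with only a failed-login burst, which is the kind of separation a responder needs to decide who gets locked first.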

At Mesa, we provide dynamic, automated, and immediate action to investigate and audit risky users who may have been compromised by an external account takeover or, worse, who represent a potential insider threat. Automated remediation means a good security solution should be able to wipe the user completely, lock the user account, or force a password reset before the breach becomes something worse than an incident timeline to reconstruct. Using user behavior analytics within this framework yields better anomaly detection and gives responders a context-aware understanding of the user (so an action plan can be dismissed or retained in time), lessening the occurrence of damaging account takeover activity.


Get Started Today

Want to ensure the employees in your organization are protected against account takeovers? Take us for a free test drive at Mesa Security and start looking at the normal behavior context of all employees. As soon as we expose behaviors that suggest the conditions of a potential account takeover (and manage how you subsequently act on them), we add an extra layer of protection for organizations that are at least holding steady on account takeovers. For employee development, continuous and regular training and awareness programs provide even greater certainty that employees understand security best practices and take responsibility for the full security of their accounts.
