Account takeover-based email attacks are on the increase because they are harder to detect than any other type of attack. Your organization’s existing controls may no longer be enough to guard against ATO-driven financial fraud, credential theft, and brand damage.

Download your copy of the white paper now to learn more about:

  • A typical account takeover-based email attack flow
  • Why ATO-based attacks are so effective at targeting your employees
  • How to prevent this type of email attack, now and in the future

Executive Summary

The onslaught of targeted email attacks such as business email compromise, spear phishing, and ransomware continues uninterrupted, costing organizations of all types and sizes billions of dollars. Cybercriminals know that employees are the weak link in any organization, so they need only convince their targets that they are someone who should be trusted in order to succeed. Email spoofing and display name deception have been the “go-to” techniques for deceiving employees. However, security leaders charged with reducing this risk now need to factor in yet another email-based identity deception tactic. According to recent Agari research, there has been a 126% increase in targeted email attacks that exploit account takeovers (ATOs) to con victims.

Prior to 2017, concerns over ATO-based email attacks were virtually non-existent. However, in early 2017, the Google Docs ATO Worm Attack brought a spotlight to the problem when it struck over a million users in only a few hours. Most recently, Agari has found that one in four advanced email attacks involve the use of a compromised account.

As these attacks continue to rise, organizations should be evaluating whether their existing email security controls can analyze, detect, and block ATO-based email attacks. This report discusses a typical ATO-based email attack flow, why they are so effective, and why organizations should be placing a high priority on stopping this type of attack. Finally, the paper will introduce Agari Phishing Defense™ and explain how its core Agari Identity Graph™ technology works to stop account takeover-based email attacks and protect organizations from the most dangerous type of threat.

Inside an Account Takeover
What a Typical ATO-Based Email Attack Looks Like

An account takeover-based email attack is the process of gaining unauthorized access to a trusted email account, and using this compromise to launch subsequent email attacks for financial gain or to execute a data breach. Since ATO-based attacks originate from email accounts of trusted senders, traditional security controls cannot detect such attacks. Moreover, given the pre-existing trust in relationships, launching a targeted attack such as a business email compromise scam from such an account increases the likelihood that the attack will succeed.

Account takeover-based email attacks leverage a compromised account or endpoint as a launchpad for further email attacks. To achieve this goal, cybercriminals follow the process below:

Step 1: Gain Account Access 

The attacker attempts to gain access to a user account by launching a spear phishing or malware-based email attack. Alternatively, with the proliferation of data breaches, they may simply purchase email account credentials from the dark web at a reasonable price.

Step 2: Establish Account Control 

The attacker establishes persistent control of the account without alerting the victim or any security personnel. For example, the attacker may implement the following:

  • Create mailbox rules that delete traces of his own malicious email activity.
  • Set up forwarders to silently monitor the user’s communication.
  • Tamper with password change processes to retain control of the password.

The longer the attacker controls the account, the more information can be gathered and the higher the likelihood of mission success.

Step 3: Conduct Internal Reconnaissance 

The attacker conducts internal reconnaissance to determine how the compromised account can be exploited. For example, the attacker may use a set of manual or automated scripts to determine the following:

  • Does the compromised account or user credentials give direct access to monetizable data, either locally or on other systems?
  • Can the victim’s contacts be exploited to achieve the final mission of financial fraud or data exfiltration?
  • Can the victim’s contacts be exploited to compromise other high-value accounts?

Additionally, the attacker may lie dormant, observing email communication between the original account owner and their contacts with plans to eventually hijack the conversation.

Step 4: Account Takeover-Based Attack 

If the attacker determines that assets can be retrieved directly from the account, he will immediately move to the next step. Otherwise, the attacker will launch a targeted email attack against the contact list of the controlled account. The type of targeted email attack will be dependent on the previous reconnaissance and could consist of a business email compromise scam to extract funds or a spear-phishing campaign to gain a deeper foothold into the organization.

Step 5: Complete Mission 

Depending on the targeted email attack, the attacker will move to exfiltrate the sensitive information or funds, or will repeat this process if user account credentials were requested from higher-value targets.
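The persistence techniques listed under Step 2 (rules that delete the attacker’s own traces, silent forwarders) leave a footprint in the mailbox audit trail, and that footprint is one of the few places a defender can catch an ATO before Step 4. The script below is an added example, not code from the white paper or from Agari: it scores mailbox rule and forwarding changes against those techniques. The event format, the sample events, the INTERNAL_DOMAINS set and the keyword lists are all constructed for the example; map your own audit source’s fields onto them.

```python
"""Added example: flag mailbox-rule and forwarding changes that match the
Step 2 persistence techniques (self-deleting rules, silent forwarders).
The event schema and the sample events are constructed for this example."""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: the organisation's own mail domains; anything else is external.
INTERNAL_DOMAINS = {"example.com"}
# Folders that attackers commonly use to park mail where the owner won't look.
HIDING_FOLDERS = {"deleted items", "junk email", "rss feeds", "archive", "conversation history"}
# Subject words a thief tends to suppress so the victim never sees the warning or the invoice.
SENSITIVE_WORDS = {"invoice", "payment", "wire", "password", "security", "suspicious"}


@dataclass
class Finding:
    user: str
    rule_name: str
    reasons: List[str] = field(default_factory=list)


def is_external(address: str) -> bool:
    """True when the address's domain is not one of ours."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def analyze_event(event: dict) -> Optional[Finding]:
    """Return a Finding for one rule/forwarding change, or None if it looks benign."""
    p = event.get("params", {})
    name = event.get("name", "")
    reasons = []

    # 1. Silent forwarders: rule-level or mailbox-level forwarding to an outside domain.
    targets = list(p.get("ForwardTo", [])) + list(p.get("RedirectTo", []))
    if p.get("ForwardingSmtpAddress"):
        targets.append(p["ForwardingSmtpAddress"])
    external = [t for t in targets if is_external(t)]
    if external:
        reasons.append("forwards mail to external address(es): " + ", ".join(external))

    # 2. Rules that hide mail: delete it, or move it to a folder nobody reads.
    hides = bool(p.get("DeleteMessage")) or p.get("MoveToFolder", "").lower() in HIDING_FOLDERS
    words = {w.lower() for w in p.get("SubjectContainsWords", [])}
    if hides and words & SENSITIVE_WORDS:
        reasons.append("hides messages about " + ", ".join(sorted(words & SENSITIVE_WORDS)))
    elif hides and p.get("MarkAsRead"):
        reasons.append("marks messages read and hides them")

    # 3. Evasive naming: a blank or single-character rule name is a common tell.
    if event.get("op") == "rule_created" and len(name.strip()) <= 1:
        reasons.append("rule name is blank or a single character")

    return Finding(event["user"], name, reasons) if reasons else None


def analyze_events(events: List[dict]) -> List[Finding]:
    """Run analyze_event over a batch and keep only the hits, in input order."""
    return [f for f in (analyze_event(e) for e in events) if f]


# Constructed sample audit events (not real log data).
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "op": "rule_created", "name": "Vendor updates",
     "params": {"From": ["news@vendor.example"], "MoveToFolder": "Newsletters"}},
    {"user": "bob@example.com", "op": "rule_created", "name": ".",
     "params": {"SubjectContainsWords": ["Invoice", "wire"], "DeleteMessage": True, "MarkAsRead": True}},
    {"user": "bob@example.com", "op": "rule_created", "name": "sync",
     "params": {"ForwardTo": ["backup.mailbox@freemail.example"]}},
    {"user": "carol@example.com", "op": "forwarding_set", "name": "",
     "params": {"ForwardingSmtpAddress": "carol.personal@freemail.example",
                "DeliverToMailboxAndForward": True}},
    {"user": "dave@example.com", "op": "rule_created", "name": "Sync",
     "params": {"From": ["it-helpdesk@example.com"], "MoveToFolder": "RSS Feeds", "MarkAsRead": True}},
]

if __name__ == "__main__":
    for hit in analyze_events(SAMPLE_EVENTS):
        print(f"{hit.user}: rule {hit.rule_name!r}: {'; '.join(hit.reasons)}")
```

Alice’s newsletter rule passes; Bob’s “.” rule trips two checks at once (it deletes invoice and wire mail and has an evasive name), his forwarder and Carol’s mailbox-level forward trip the external-destination check, and Dave’s rule is caught purely on the mark-read-and-bury pattern even though it names no sensitive words. Tune INTERNAL_DOMAINS and the keyword sets to your environment; the external-forward check is the one with the best signal-to-noise ratio and is a reasonable first alert to deploy on its own.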
