Anatomy of an Attack

Account Takeover (ATO)-based email attacks are among the toughest to detect—and the most devastating. Nearly 44% of businesses have fallen victim to ATO-based phishing and business email compromise (BEC) scams, which are launched from hijacked email accounts of trusted individuals.

Phase 1
Initial Compromise

Cybercriminals collect email account credentials or user client access via phishing attacks or purchase credentials via the dark web.

Phase 2
Establish Persistence

The attacker then logs into the compromised account, changes account passwords or sets up a mail forwarder to establish control.

Phase 3
Log In, Lay Low

The attacker lays low, monitoring account activity and waiting patiently to hijack important conversations.

Phase 4
Launch Attack

78% of ATO-based attacks are phishing scams aimed at harvesting more credentials, but ATO-based attacks may also include business email compromise or ransomware.

Phase 5
Reap Rewards

Depending on the con, credentials are captured, sensitive data is ransacked, and stolen funds are retrieved.

The Agari Advantage

Account Takeover Discovery

Detecting unauthorized users in legitimate email accounts or user clients is critical to defending against ATO-based attacks.


Agari understands the complex relationships behind the email message, identity characteristics, and expected behaviors between sender and recipient to accurately determine if a message from a previously-established email account should be trusted.

Identity Deception Prevention

Tricking people into downloading malware or logging into a fake website is core to an ATO-based attack. Identity deception makes it difficult for the victim to know if the sender has malicious intent.


By understanding good email sending behaviors, Agari can spot anomalies and patterns that differ from the norm. Emails can be blocked based on the severity of divergence to ensure untrusted email never reaches the inbox.

Growing Smarter Every Day

It’s not enough to detect and react to ATO-based attacks; the goal is to prevent and deter them before they strike. Agari predicts attacks based on understanding the identity and relationships behind the message and on how closely a new message correlates with or deviates from known good email communications.


Even though your business may not have seen a threat, Agari likely has. And because it’s at work already protecting organizations worldwide, it grows smarter and more effective each day.


Featured Products

Protect against costly advanced email attacks

Agari Advanced Threat Protection™

Stop sophisticated identity deception threats including business email compromise, executive spoofing, and account takeover-based attacks.

Agari Incident Response™

Accelerate phishing incident triage, forensics, remediation, and breach containment for the Security Operations Center (SOC).

