Anatomy of an Attack

Account Takeover (ATO)-based email attacks are among the toughest to detect—and the most devastating. Nearly 44% of businesses have fallen victim to ATO-based phishing and business email compromise (BEC) scams, which are launched from hijacked email accounts of trusted individuals.

Phase 1
Initial Compromise

Cybercriminals collect email account credentials or user client access via phishing attacks, or purchase credentials on the dark web.

Phase 2
Establish Persistence

The attacker then logs into the compromised account, changes account passwords or sets up a mail forwarder to establish control.

Phase 3
Log In, Lay Low

The attacker lays low, monitoring account activity and waiting patiently to hijack important conversations.

Phase 4
Launch Attack

78% of ATO-based attacks are phishing scams aimed at harvesting more credentials, but they may also include business email compromise or ransomware attacks.

Phase 5
Reap Rewards

Depending on the con, credentials are captured, sensitive data is ransacked, and stolen funds are retrieved.

The Agari Advantage

Account Takeover Discovery

Detecting unauthorized users in legitimate email accounts or user clients is critical to defending against ATO-based attacks.


Agari understands the complex relationships behind the email message, identity characteristics, and expected behaviors between sender and recipient to accurately determine if a message from a previously-established email account should be trusted.

Identity Deception Prevention

Tricking people into downloading malware or logging into a fake website is core to an ATO-based attack. Identity deception makes it difficult for the victim to know if the sender has malicious intent.


By understanding good email sending behaviors, Agari can spot anomalies and patterns that differ from the norm. Emails can be blocked based on the severity of divergence to ensure untrusted email never reaches the inbox.

Growing Smarter Every Day

It’s not enough to detect and react to ATO-based attacks; the goal is to prevent and deter them before they strike. Agari predicts attacks based on understanding the identity and relationships behind the message and on how closely a new message correlates with or deviates from known good email communications.


Even though your business may not have seen a threat, Agari likely has. And because it’s at work already protecting organizations worldwide, it grows smarter and more effective each day.

Featured Products

Protect against costly advanced email attacks
Agari Advanced Threat Protection™

Stop sophisticated identity deception threats including business email compromise, executive spoofing, and account takeover-based attacks.

Agari Incident Response™

Accelerate phishing incident triage, forensics, remediation, and breach containment for the Security Operations Center (SOC)
