Account Takeover (ATO) attacks and how to prevent them

As more businesses move IT infrastructure to the cloud, the threat of employee account takeover becomes more of a concern. If you’ve migrated to SaaS applications like M365, Zoom, and Salesforce, they are going to be exposed to the public internet, and fall beyond the purview of traditional network security technologies like a firewall. The adoption of the cloud means that security professionals need to reconsider how users are authenticated; relying on identity controls alone is a surefire way to increase the risk of account takeover attacks.

March 11, 2021 by Robin Gray

Firstly, what is an Account Takeover attack?

An Account Takeover attack is where an unauthorized party seizes access and control over a user account. In the consumer world, this can be an online bank account, Facebook account or even something like your League of Legends account. For employees, it relates to the accounts that employees use to do their jobs like M365, Zoom or Salesforce.

How a hijacked account is used depends largely on why the criminal broke into it. They could use it to impersonate the real user by:

  • Sending emails, instant messages, or other communications to mount further phishing attacks (e.g. BEC)
  • Changing or escalating their privileges to reach another corporate service
  • Committing acts such as payment fraud
  • Extracting data

Why are account takeover attacks a growing problem?

There are multiple factors in play that are contributing to the growth in account takeover attacks.

Increased attack surface

The modernization of business operations has increased the attack surface for many businesses. Okta’s Business at Work Report 2021 highlights the appetite for apps with the average number of deployed apps per customer being 88, an increase of 22% over the past four years. More apps mean there is more to secure. It has been easy for businesses to adopt cloud services while securing them has lagged behind.

Cloud security is something that companies of all sizes are struggling with, particularly in today’s remote working environment. 83% of enterprises have cited cloud security as one of their main challenges and 78% of respondents to a recent IDG survey lacked confidence in their organization’s security posture.

Not only are security professionals dealing with a sprawling infrastructure, but also a mass remote working environment which no one could have foreseen. With the majority now working from home, provisioning secure access to corporate services is critical. There is an increased need to authenticate users properly in this environment, making sure users are who they say they are before granting access. This is one of the primary reasons why the identity-centric approach to security of Zero Trust has gained momentum.

Constant Data Breaches

Every week there seems to be another data breach; it is the knock-on effect of companies grappling with modern IT environments. By the time a company has disclosed a breach, your details are probably already being traded on the dark web. Just recently, 3.27 billion stolen account logins were posted to RaidForums in a COMB collection, selling for $2. Last year, 500,000 Zoom accounts were found for sale on the dark web, and another report revealed a hacker selling login credentials for the Microsoft accounts of top-level executives at hundreds of companies. Login credentials are easy to find if you know where to look.

Weak authentication

For a long time, we’ve known that password-based authentication just isn’t enough, whether you’re operating in the cloud or not. End users typically prioritize convenience over security: they simply don’t want to remember a 16-character alphanumeric password with symbols. It’s annoying, they will forget it, and they will hit the password reset button every time. Weak passwords are still the norm, and cybercriminals rely on these poor password practices to break into accounts.

Countering weak passwords has been a headache for security professionals for decades; the adoption of Single Sign-On (SSO) and password managers has enabled security administrators to enforce some level of password hygiene. However, this only works for services that have been onboarded, not for the countless Shadow IT applications that business units have procured independently.

Sentry MBA, Vertex, and Snipr are all credential stuffing tools that can be downloaded and come with how-to cookbooks and configuration templates. Hacking and cracking communities are emerging online where knowledge and credential sharing take place. Last year, active hacking communities were reported on Discord and Telegram, and in one instance, 23,000 hacked databases were being shared on Telegram.

The combination of an increased and exposed attack surface, a steady stream of data breaches leading to wide-scale availability of login credentials and ineffective authentication mechanisms has enabled account takeover attacks to grow in prevalence.

Types of attack that lead to account takeover

Cybercriminals can use a range of techniques to perform an account takeover attack.

Phishing

Phishing is one of the most prevalent threats on the internet and continues to grow in sophistication. People typically assume that phishing is reserved for email, but it is much broader and covers pretty much any communication platform. In fact, 87% of successful mobile phishing attacks take place outside of email. Whether a phishing attack is used to deliver malware or to direct a user to a fake login page, phishing is an effective way for criminals to procure legitimate login credentials.

SIM swapping

SIM swapping, also referred to as SIM jacking, is when a criminal has a target’s phone number transferred to a SIM card they control. A famous example is when Jack Dorsey’s Twitter account was subject to an account takeover attack and a string of ‘unusual’ tweets were sent from his account. With control of a target’s phone number, an attacker receives any SMS-delivered Multi-Factor Authentication (MFA) codes, so they can bypass that factor and take over the account.

Brute-force attacks

Automated brute-force attacks like credential stuffing and credential cracking are other types of attack that can lead to account takeovers. Botnets or specific tooling like Sentry MBA can be used to test and identify valid user credentials and compromise accounts. The combination of poor password hygiene, low adoption of MFA and a steady stream of data breaches increases the risk of breach from brute-force attacks.

Man-in-the-Middle attacks

A man-in-the-middle attack occurs when the communication between two systems is intercepted by a third party, the man-in-the-middle. This can happen in any form of online communication, such as email, web browsing or social media.

A man-in-the-middle can listen in to your conversation or try to inject data to gain access to the browser or app that is moving the data, or even compromise the entire device. Once they gain access to the device, the damage they can do is endless: stealing credentials, transferring data files, installing malware, or even spying on the user.

Account Takeovers are not just about login credentials

Pretty much every application will have some form of vulnerability, but over the past year, there have been a number of vulnerabilities identified that could lead to account takeovers in various mainstream business services:

  • A security researcher discovered a rate-limiting vulnerability that would enable anyone to take over a Microsoft account without consent.
  • An HTTP Request Smuggling bug was found in Slack, which could lead to session and account takeovers.
  • RIPE NCC, the organization that manages and assigns IPv4 and IPv6 addresses for Europe and the Middle East, disclosed a failed cyber-attack against its infrastructure. RIPE NCC’s single sign-on (SSO) service was affected by what appeared to be a deliberate ‘credential stuffing’ attack, which caused some downtime. On the back of this, RIPE asked 20,000 organizations to enable MFA to prevent simple brute-force attacks like this.
  • Security researchers found a subdomain takeover vulnerability which, combined with a malicious .GIF file, could be used to “scrape a user’s data and ultimately take over an organization’s entire roster of Teams accounts.”

It’s clear that a defense-in-depth approach is needed to protect against account takeover attacks. Even with robust access controls in place, account takeovers can happen. Security professionals need to be aware of and monitor each phase in the attack chain.

How can you prevent account takeover attacks?

As with any layered security, you need to ask what happens if an attacker:

  • Is able to find legitimate user credentials?
  • Is able to identify corporate applications?
  • Is able to bypass Multi-Factor Authentication?
  • Gets initial access and is able to execute an internal spear-phishing attack?

At each stage, you need to put security roadblocks in place as well as make sure that you are monitoring activity.

Password hygiene, SSO and MFA

Password hygiene seems simple in theory but isn’t necessarily so in practice. People will revert to what they know, so having a governing technology in place to prevent weak passwords and password reuse will inevitably reduce the risk of password-based attacks.
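What such a governing technology does at password-change time can be shown in a few functions. The following is an added example written for this article, not Jamf’s or any product’s code: it rejects a proposed password that is too short, that appears in a breached-password corpus, or that the user has used recently. The breach corpus (built locally from a handful of constructed plaintexts, indexed by SHA-1 prefix the way a k-anonymity range lookup would be), the salted PBKDF2 history format, and the policy values are all assumptions.

```python
"""Password hygiene gate: weak, breached and reused passwords.

Added example for this article, not Jamf's or any product's code. The
breached-password corpus, the history format and the policy values are
constructed assumptions for the demonstration.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set

MIN_LENGTH = 12          # assumed policy: length matters more than symbol rules
HISTORY_DEPTH = 5        # assumed policy: reject any of the last five passwords
PBKDF2_ROUNDS = 100_000
SALT_LEN = 16

# Constructed breach corpus. Real services query a leaked-password set by the
# first five hex characters of the SHA-1 (a k-anonymity range lookup); here the
# index is built locally from a few plaintexts so the example runs offline.
_LEAKED_PLAINTEXTS = ("Password123!", "Welcome2021!", "Summer2020!!", "letmein12345")


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_breach_index(plaintexts) -> Dict[str, Set[str]]:
    """Map SHA-1 prefix (5 hex chars) -> set of SHA-1 suffixes (35 hex chars)."""
    index: Dict[str, Set[str]] = {}
    for pw in plaintexts:
        h = _sha1_hex(pw)
        index.setdefault(h[:5], set()).add(h[5:])
    return index


BREACH_INDEX = build_breach_index(_LEAKED_PLAINTEXTS)


def is_breached(password: str, index=BREACH_INDEX) -> bool:
    """Look up only the prefix bucket, then match the suffix locally."""
    h = _sha1_hex(password)
    return h[5:] in index.get(h[:5], set())


def hash_for_history(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2 digest stored in the user's password history (salt || dk)."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt + dk


def was_used_before(password: str, history: List[bytes]) -> bool:
    """Constant-time comparison against each stored (salt || dk) entry."""
    for entry in history[-HISTORY_DEPTH:]:
        salt, stored = entry[:SALT_LEN], entry[SALT_LEN:]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, stored):
            return True
    return False


def check_new_password(password: str, history: List[bytes]) -> List[str]:
    """Return the policy violations for a proposed password (empty list = accept)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if is_breached(password):
        problems.append("in_breach_corpus")
    if was_used_before(password, history):
        problems.append("reused")
    return problems


if __name__ == "__main__":
    # Constructed history: the user's one previous password.
    history = [hash_for_history("CorrectHorse#Battery9")]
    for pw in ("Password123!", "CorrectHorse#Battery9", "short1", "xK7!qm2#vP9zLw"):
        print(pw, "->", check_new_password(pw, history) or "ok")
```

The history stores only salted, stretched digests, so a reuse check never needs the old plaintexts, and the breach lookup only ever needs the five-character hash prefix, which is what lets a production deployment consult an external corpus without sending the password or its full hash.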

Microsoft claims that MFA prevents 99.9% of password-related attacks, yet only 11% of cloud users have it enabled. If an attacker has legitimate login credentials but not the second factor, it is going to be difficult for them to brute-force the second-factor code, particularly if the codes are time-based and short-lived. However, it is important to note that MFA can be bypassed. For example, the SolarWinds attack saw the use of the Golden SAML technique to bypass the need for MFA.

Block malicious traffic

Network and port scanning can be used to learn about a network’s structure and behavior. Although such scanning is not inherently hostile, identifying anomalies in this traffic can help detect reconnaissance. Attackers use port scanners to find possible access points for infiltration and to identify what kinds of appliances you are running on the network, like firewalls, proxy servers, or VPN servers. It’s not just on-premises infrastructure that is vulnerable to discovery; the same applies to cloud-hosted services.

IP lockdown can stop stolen login credentials from being used. By restricting which IP addresses are allowed to see and connect to applications, only authorized devices egressing from those addresses are provisioned access.

Conditional access

As we move to identity-centric security, feeding contextual information into an access decision becomes more important. Access cannot be a binary assessment of whether someone can prove they are who they say they are; other factors contribute to risk. For instance, just because someone is able to prove they are an authorized user, does that mean their device is healthy? Maybe not. They could have a risky or malicious app installed, they may be working on a risky internet connection, or they may be using an outdated OS with known vulnerabilities.

There are other factors beyond the device state that also need to be considered like whether the user is logging in from a ‘normal’ location. For instance, if a user usually logs in from New York and an access attempt occurs from Argentina, then you would want to have a mechanism in place for more stringent authentication. The application of conditional access enables administrators to build in these If This Then That policies to protect against account takeover attacks as well as other access-focused threats.
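The If This Then That policies described above can be expressed as a small rule table evaluated against the context of each sign-in. The block below is an added example for this article, not Jamf’s or any identity provider’s policy engine. It assumes primary authentication has already succeeded and then scores the device signals from the previous paragraph (unmanaged device, outdated OS, risky app, untrusted network) together with location: a sign-in from a country the user does not normally use triggers step-up authentication, and a sign-in that would have required travelling faster than 900 km/h since the last one is denied outright. The signal names, thresholds, rule set and the New York / Buenos Aires sample are constructed assumptions.

```python
"""Conditional access ("If This Then That") evaluation of a sign-in.

Added example for this article, not Jamf's or any IdP's policy engine.
Signal names, thresholds, the rule set and the sample sign-ins are
constructed assumptions; primary authentication is assumed to have
already succeeded before these context rules run.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Callable, List, Tuple


@dataclass
class SignIn:
    """Context captured for one authentication attempt."""
    user: str
    country: str
    lat: float
    lon: float
    ts: float                 # seconds since epoch
    device_managed: bool
    os_outdated: bool
    risky_app: bool
    untrusted_network: bool


@dataclass
class Baseline:
    """What we know about the user's normal behaviour (constructed)."""
    usual_country: str
    last_lat: float
    last_lon: float
    last_ts: float


EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0     # faster than this between two logins is "impossible travel"
SEVERITY = {"allow": 0, "step_up": 1, "deny": 2}


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implied_speed_kmh(s: SignIn, b: Baseline) -> float:
    """Speed the user would have needed to get from the last sign-in to this one."""
    km = haversine_km(b.last_lat, b.last_lon, s.lat, s.lon)
    if km < 1.0:              # same place: geolocation jitter is not travel
        return 0.0
    hours = (s.ts - b.last_ts) / 3600.0
    return float("inf") if hours <= 0 else km / hours


# (rule name, predicate, action). Every rule is evaluated; the strictest action wins.
RULES: List[Tuple[str, Callable[[SignIn, Baseline], bool], str]] = [
    ("risky_app_installed", lambda s, b: s.risky_app, "deny"),
    ("impossible_travel", lambda s, b: implied_speed_kmh(s, b) > MAX_PLAUSIBLE_KMH, "deny"),
    ("unusual_country", lambda s, b: s.country != b.usual_country, "step_up"),
    ("unmanaged_device", lambda s, b: not s.device_managed, "step_up"),
    ("outdated_os", lambda s, b: s.os_outdated, "step_up"),
    ("untrusted_network", lambda s, b: s.untrusted_network, "step_up"),
]


def evaluate(s: SignIn, b: Baseline) -> Tuple[str, List[str]]:
    """Return (decision, names of the rules that fired)."""
    decision, reasons = "allow", []
    for name, predicate, action in RULES:
        if predicate(s, b):
            reasons.append(name)
            if SEVERITY[action] > SEVERITY[decision]:
                decision = action
    return decision, reasons


# Constructed sample: a user whose last sign-in was from New York.
NY_LAT, NY_LON = 40.71, -74.01
ALICE = Baseline(usual_country="US", last_lat=NY_LAT, last_lon=NY_LON, last_ts=1_615_453_200.0)


def healthy_signin(**overrides) -> SignIn:
    """A compliant New York sign-in eight hours later; overrides inject one or more risk signals."""
    base = dict(user="alice", country="US", lat=NY_LAT, lon=NY_LON, ts=ALICE.last_ts + 8 * 3600,
                device_managed=True, os_outdated=False, risky_app=False, untrusted_network=False)
    base.update(overrides)
    return SignIn(**base)


if __name__ == "__main__":
    print(evaluate(healthy_signin(), ALICE))
    print(evaluate(healthy_signin(device_managed=False), ALICE))
    # Buenos Aires two hours after a New York sign-in: unusual country and impossible travel.
    print(evaluate(healthy_signin(country="AR", lat=-34.60, lon=-58.38, ts=ALICE.last_ts + 2 * 3600), ALICE))
```

Keeping every rule’s verdict in the returned reasons list, rather than stopping at the first match, is what makes the decision auditable later: the log entry for a denied sign-in records which conditions fired, not just that it was denied.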

Privilege management

If an account takeover attack were to happen, you want to minimize the impact. An account takeover is not always the destination; an attacker may want to move laterally through your network to more lucrative targets. This is particularly problematic in the era of remote work, where users are granted access to the corporate network or network segments using traditional VPN services.

One way of limiting the impact is by enforcing least-privilege access, ensuring that users don’t have excessive permissions, just what they need to do their job, in line with Zero Trust principles. Even for privileged accounts like super admins, make sure there is separation of duties so that attackers can’t get the keys to the kingdom and navigate freely.

Activity logging

Active session monitoring is an important part of preventing threats. Account takeovers aren’t always immediate; they can be slow burners, with the attacker patiently navigating corporate systems and knowing what will raise red flags. As mentioned, log activity such as privilege escalation, disabling of security software, or access token manipulation used to gain persistent account access. Even before a session commences, understanding how many failed access attempts there were will give you some indication of the risk.
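As an added example for this article (not Jamf’s or any SIEM’s detection content), the block below runs the two checks this section and the earlier “monitor activity” advice call for over a handful of constructed authentication log lines: it counts failed attempts in the ten minutes before each successful login and flags the session when that count reaches a threshold, and it then raises a second alert if a flagged session goes on to perform a sensitive action such as privilege escalation, disabling security software, or token manipulation. The log format, event names, thresholds and every sample line are assumptions constructed for the demonstration.

```python
"""Auth-log monitoring for account-takeover indicators.

Added example for this article, not Jamf's or any vendor's detection
code. The log format, event names, thresholds and the sample lines are
all constructed assumptions.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# Assumed line layout: "<ISO timestamp> user=<name> src=<ip> event=<EVENT>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) event=(?P<event>\S+)$"
)

FAIL_WINDOW = timedelta(minutes=10)   # look-back for failed attempts before a success
FAIL_THRESHOLD = 5                    # failures in the window that make a login suspicious
SESSION_WINDOW = timedelta(hours=1)   # how long after a flagged login we watch for sensitive actions
SENSITIVE_EVENTS = {"PRIV_ESCALATION", "SECURITY_SW_DISABLED", "TOKEN_MANIPULATION"}


@dataclass
class Alert:
    kind: str
    user: str
    ts: datetime
    detail: str


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields, or None for lines that do not match the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    return rec


def analyze(lines: Iterable[str]) -> List[Alert]:
    """Single pass over chronologically ordered log lines."""
    alerts: List[Alert] = []
    recent_fails: Dict[str, deque] = defaultdict(deque)   # user -> failure timestamps in FAIL_WINDOW
    flagged: Dict[str, tuple] = {}                        # user -> (login ts, src) after a failure burst
    for rec in filter(None, map(parse_line, lines)):
        ts, user, src, event = rec["ts"], rec["user"], rec["src"], rec["event"]
        fails = recent_fails[user]
        while fails and ts - fails[0] > FAIL_WINDOW:      # expire failures outside the window
            fails.popleft()
        if event == "LOGIN_FAIL":
            fails.append(ts)
        elif event == "LOGIN_OK":
            if len(fails) >= FAIL_THRESHOLD:
                flagged[user] = (ts, src)
                alerts.append(Alert("failure_burst_then_success", user, ts,
                                    f"{len(fails)} failures in the previous {FAIL_WINDOW} "
                                    f"before success from {src}"))
            fails.clear()
        elif event in SENSITIVE_EVENTS and user in flagged:
            login_ts, login_src = flagged[user]
            if ts - login_ts <= SESSION_WINDOW:
                alerts.append(Alert("sensitive_action_in_suspicious_session", user, ts,
                                    f"{event} {ts - login_ts} after flagged login from {login_src}"))
    return alerts


# Constructed sample log (not real telemetry): alice's login follows six failures
# and is then used to escalate privileges and disable security software; bob's
# single typo followed by a routine privilege change is not an indicator.
SAMPLE_LOG = """\
2021-03-11T09:00:01 user=alice src=198.51.100.7 event=LOGIN_FAIL
2021-03-11T09:00:14 user=alice src=198.51.100.7 event=LOGIN_FAIL
2021-03-11T09:00:27 user=alice src=198.51.100.7 event=LOGIN_FAIL
2021-03-11T09:00:41 user=alice src=198.51.100.7 event=LOGIN_FAIL
2021-03-11T09:00:55 user=alice src=198.51.100.7 event=LOGIN_FAIL
2021-03-11T09:01:00 user=bob src=203.0.113.9 event=LOGIN_FAIL
2021-03-11T09:01:09 user=alice src=198.51.100.7 event=LOGIN_FAIL
2021-03-11T09:01:20 user=bob src=203.0.113.9 event=LOGIN_OK
2021-03-11T09:03:10 user=alice src=198.51.100.7 event=LOGIN_OK
2021-03-11T09:05:00 user=bob src=203.0.113.9 event=PRIV_ESCALATION
2021-03-11T09:08:45 user=alice src=198.51.100.7 event=PRIV_ESCALATION
this line is deliberately malformed and is skipped
2021-03-11T09:12:30 user=alice src=198.51.100.7 event=SECURITY_SW_DISABLED
"""

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(alert.ts, alert.kind, alert.user, alert.detail)
```

Tying the sensitive-action alert to a session that was already suspicious at login time is the point: a privilege change by itself is routine administrative noise, but the same change minutes after a login that survived a burst of failures is the slow-burn pattern the paragraph describes.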

The risk of Account Takeover attacks continues to grow as companies operate with a distributed infrastructure and workforce. Identity authentication alone is not enough to protect company assets from account takeover attacks, particularly due to the commoditization of login credentials and burgeoning online DIY communities. A defense-in-depth strategy is needed to tackle security threats, not just account takeover attacks.
