
Stronger and smarter account takeover detection: Reduce risk and response time
Account takeover (ATO) attacks remain one of the most damaging and hard-to-detect threats. Once a malicious actor gains control of a legitimate user’s account, they can launch phishing campaigns, move laterally within an organization or exfiltrate sensitive data, all while appearing completely trustworthy to both the user and security systems.
That’s why, at Barracuda, we continue to invest in improving ATO detection and response, which enhances our ability to catch and stop these attacks faster and more accurately than ever before.
What is account takeover, and why does it matter?
ATO occurs when a threat actor gains unauthorized access to a user’s email account. These attacks often go undetected until serious damage has already been done. Once inside, attackers may:
- Impersonate employees to send phishing emails internally or to external contacts
- Create inbox rules to hide their activity and avoid detection
- Steal data or credentials of other users
- Manipulate financial transactions and hijack conversations
The impact can be severe: reputational damage, regulatory consequences, and financial loss. That’s why detecting and containing ATO early is critical.
How can ATO be detected?
Effective security solutions that detect ATO rely on a combination of behavioral and contextual signals. For example:
- Sign-in anomalies: Sudden logins from geographically distant locations (e.g., New York to Nigeria within minutes) are often signals of compromise. Our solution will flag these as ‘impossible travel.’
- Inbox rule monitoring: Attackers often create mailbox rules to auto-forward or delete messages. We track suspicious changes to mailbox rules that may indicate evasion tactics.
- Inbound and outbound email monitoring: Hackers gain access to email accounts through phishing attacks that are designed to steal login credentials, while a spike in outbound emails may suggest that a compromised account is being used to spread phishing or spam.
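The inbox rule signal above can be sketched as a diff between two mailbox-rule snapshots. This is an added example, not Barracuda's code; the rule schema, the `example.com` tenant domain and the sample snapshots are assumptions constructed for illustration.

```python
INTERNAL_DOMAINS = {"example.com"}  # assumption: the tenant's own mail domains

def is_external(address):
    """True when the address's domain is not one of the tenant's domains."""
    return address.rpartition("@")[2].strip().lower() not in INTERNAL_DOMAINS

def risk_reasons(rule):
    """Reasons a single rule matches the auto-forward / delete patterns."""
    reasons = []
    external = sorted(a for a in rule.get("forward_to", []) if is_external(a))
    if external:
        reasons.append("forwards externally: " + ", ".join(external))
    if rule.get("delete"):
        reasons.append("deletes matching mail")
    return reasons

def suspicious_changes(before, after):
    """Compare {user: {rule_name: rule}} snapshots; report new or modified risky rules."""
    findings = []
    for user, rules in sorted(after.items()):
        old_rules = before.get(user, {})
        for name, rule in sorted(rules.items()):
            if old_rules.get(name) == rule:
                continue  # unchanged since the previous snapshot
            change = "modified" if name in old_rules else "created"
            for reason in risk_reasons(rule):
                findings.append((user, name, change, reason))
    return findings

# Constructed snapshots for illustration (hypothetical schema, not real mailbox data).
BEFORE = {
    "alice@example.com": {"Newsletters": {"forward_to": [], "delete": False}},
    "bob@example.com": {"To assistant": {"forward_to": ["carol@example.com"], "delete": False}},
}
AFTER = {
    "alice@example.com": {
        "Newsletters": {"forward_to": [], "delete": False},
        ".": {"forward_to": ["inbox@external.example.net"], "delete": True},
    },
    "bob@example.com": {"To assistant": {"forward_to": ["carol@example.com", "bob.backup@mail.example.org"], "delete": False}},
}

if __name__ == "__main__":
    for finding in suspicious_changes(BEFORE, AFTER):
        print(finding)
```

Only rules that are new or changed since the previous snapshot are reported, so long-standing internal forwards such as the first version of "To assistant" stay quiet.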
New enhancements to Barracuda ATO detection
To stay ahead of evolving threats, we’ve continued to innovate and improve our ATO detection and response:
- Outbound email activity analysis: We now analyze outbound email patterns as a core ATO detection signal. If a compromised account starts sending large volumes of emails externally, especially phishing or spam emails, we flag the behavior in real time and notify administrators immediately. This helps us identify compromised accounts based not just on login activity, but also on what the attacker does after gaining access.
- Smarter impossible travel detection: Recent updates are more effective at accounting for VPNs and proxy usage, filtering out false positives and enhancing the accuracy of impossible travel alerts. By eliminating benign activity, we can focus detection on truly suspicious sign-in behavior. All impossible travel detections are performed in real time, with admins receiving immediate alerts for suspicious sign-in activity, thereby significantly reducing the response window. This upgrade directly responds to customer and partner feedback, significantly reducing the reporting time for sign-in-related ATO events.
- Expanded ATO protection for XDR: For even broader coverage, Account Takeover Protection can be integrated with XDR Cloud Security to detect and respond to threats across the entire Microsoft 365 ecosystem — Outlook, Teams, SharePoint and OneDrive — by locking attackers out of the account. This extended visibility enables us to identify indicators of compromise, such as brute-force attacks, malicious file uploads, mass file deletions and anomalous sign-in behavior across multiple apps. But it doesn’t stop at Microsoft: XDR also supports integrations with other critical cloud services like Google Workspace, Okta, Duo, AWS and Azure. When ATO is detected, XDR can automatically sign out and disable compromised accounts, trigger automated remediation, and even escalate to our SOC team for round-the-clock expert support, acting as an extension of your own security team.
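The impossible travel check from the sign-in anomalies signal, together with the VPN and proxy filtering described above, can be sketched as follows. This is an added example, not Barracuda's implementation; the speed and distance thresholds, the VPN egress range, the event schema and the sample sign-ins are assumptions.

```python
import ipaddress
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0  # assumption: about airliner cruise speed
MIN_KM = 100.0   # assumption: ignore short hops and geo-IP jitter
# Assumption: egress ranges of sanctioned VPNs/proxies (documentation range).
KNOWN_VPN_NETS = [ipaddress.ip_network("203.0.113.0/24")]

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(events, vpn_nets=KNOWN_VPN_NETS):
    """Return (user, earlier_ip, later_ip, km) for consecutive sign-ins no traveller could make."""
    alerts, last_seen = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if any(ipaddress.ip_address(ev["ip"]) in net for net in vpn_nets):
            continue  # geolocation reflects the VPN exit, not the user
        prev = last_seen.get(ev["user"])
        last_seen[ev["user"]] = ev
        if prev is None:
            continue
        km = haversine_km(prev["geo"], ev["geo"])
        hours = (ev["time"] - prev["time"]).total_seconds() / 3600
        if km > MIN_KM and km / max(hours, 1 / 3600) > MAX_KMH:
            alerts.append((ev["user"], prev["ip"], ev["ip"], round(km)))
    return alerts

def _t(hhmm):
    return datetime.fromisoformat("2025-01-15T" + hhmm)  # constructed date

# Constructed sign-in events (documentation IPs, approximate city coordinates).
NY, LAGOS, LONDON, SINGAPORE = (40.71, -74.01), (6.52, 3.38), (51.51, -0.13), (1.35, 103.82)
SIGN_INS = [
    {"user": "alice@example.com", "time": _t("09:00"), "ip": "198.51.100.10", "geo": NY},
    {"user": "alice@example.com", "time": _t("09:10"), "ip": "192.0.2.20", "geo": LAGOS},
    {"user": "bob@example.com", "time": _t("09:00"), "ip": "198.51.100.77", "geo": LONDON},
    {"user": "bob@example.com", "time": _t("09:05"), "ip": "203.0.113.5", "geo": SINGAPORE},
    {"user": "bob@example.com", "time": _t("09:30"), "ip": "198.51.100.77", "geo": LONDON},
    {"user": "carol@example.com", "time": _t("08:00"), "ip": "198.51.100.40", "geo": NY},
    {"user": "carol@example.com", "time": _t("16:00"), "ip": "192.0.2.90", "geo": LONDON},
]

if __name__ == "__main__":
    print(impossible_travel(SIGN_INS))
```

Passing `vpn_nets=[]` shows the false positives the filter removes: bob's sign-in through the VPN exit then produces two alerts of its own, while carol's eight-hour New York to London trip stays under the speed threshold either way.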
The impact: Faster detection, fewer false positives
These improvements are already showing strong results:
- 21% increase in ATO detection rates
- 13% reduction in false positives
We’re now able to deliver more accurate results thanks to a broader set of real-time signals. This means better protection without overwhelming security teams with noise.
What’s next
Our goal is simple: to give organizations the speed, visibility and control they need to stop ATOs before they cause damage.
But don’t wait until it’s too late. If you’d like to see these and other capabilities of Barracuda Email Protection, start your trial today.
