Darktrace stitches together subtle signs of a cloud or email account takeover, locks out the attacker, and makes sure they stay out
Stop account takeovers before damage is done

10,000
Darktrace customers

Why Darktrace?
Understanding people, rather than attacks
Many security tools lack the full context of a user’s activity across email, messaging, and productivity apps that is needed to prevent account takeover.
Darktrace’s AI learns each user’s behavior across channels to identify subtle anomalies and stop the earliest signs of account compromise with precise response actions.
Build behavioral profiles unique to your organization
Darktrace ingests live data from across your digital environment to continuously learn and adapt to each user, while integrating with third-party alerts to provide a comprehensive view of emerging account takeover threats.
Real-time account takeover detection
Instead of blanket rules prone to false positives, Darktrace’s AI provides seamless, end-to-end visibility into user activities, continuously monitoring for suspicious login behavior, administration activity, file transfers, and lateral movement.
Targeted autonomous response
Darktrace's cloud-native response mechanisms ensure the attacker is locked out while allowing normal business operations to continue.
Accelerate your investigations
Darktrace's Cyber AI Analyst finds connections between isolated events and surfaces full security incidents, prioritized and contextualized. It has saved security teams the equivalent of up to 50,000 hours of investigation time per year.

Threat story: Account takeover
How AI-led security stops account hijack
See how Darktrace responded to stop a M365 account takeover attempt targeting a company in the manufacturing industry.
Initial SaaS account compromise
A threat actor gained access to a manufacturing customer’s SaaS account using compromised credentials. Because the credentials were valid, legacy security solutions did not flag the login as malicious.
Darktrace recognized the login as rare for the account, flagged the absence of MFA, and identified the IP as suspicious, triggering an alert.
Establishing persistence: Hidden email rule
The attacker created an inconspicuous email rule (“….,,,”) to divert emails from a specific domain into ‘Conversation History,’ ensuring phishing attempts remained unseen. Security tools did not detect the subtle manipulation of email settings, as rule creation is common in SaaS platforms.
Darktrace identified the unusual rule, linking it to the suspicious login and a newly registered typosquat domain.
Phishing attempt
Shortly after gaining access, the attacker sent a phishing email from the same rare IP, likely to escalate privileges or compromise additional accounts. The email bypassed signature-based detection, as it did not contain known malware or flagged URLs.
Darktrace’s anomaly-based detection identified the sender’s unusual behavior, marking the email as suspicious.
SOC intervention
Without proactive monitoring, security teams would have noticed the attack only after damage was done.
Darktrace correlated the login, rule change, and phishing attempt in real time, enabling rapid human intervention before further escalation.
Customer story
Why DTC Communications went with Darktrace
For this leading telecom provider, Darktrace provides critical insights into potential breaches, especially identity-based attacks. Darktrace revealed a significant security incident that other tools missed.
“We were able to quickly make informed containment decisions. Meanwhile, Darktrace was already taking proactive action, preventing further escalation as we investigated.”
—Edward Massey, Head of Network Engineering
Recommended resources
Insights, case studies, and strategies to protect your business
Attackers are evading traditional security measures by leveraging AI-driven techniques to bypass conventional rules and signatures. Learn how Darktrace responds to threats infiltrating through the supply chain.

White paper
Tackling the 11 Biggest Cloud Threats with AI-Powered Defense
Take a closer look at the top 11 threats arising in modern cloud deployments, including account-based attacks.

Customer Story
Customer Story: How Digimax augmented their small security team with Darktrace
See how this Italian consumer electronics firm brought email, network, and SaaS application security together for extended visibility with context.
See Darktrace in action
Protect your business from ransomware. See what Darktrace AI finds in your environment.
Account takeover
Frequently asked questions
What are different types of account takeover attacks?
Account takeover describes any scenario in which a malicious actor gains unauthorized access to a user’s account. There are several ways an adversary can gain access to a legitimate user account:
Credential stuffing: Attackers use stolen login credentials from previous breaches to access accounts where users have reused usernames and passwords.
Malware: Malicious software like keyloggers or spyware captures login details and enables silent account takeover attacks.
Phishing: Phishing attacks trick users into revealing credentials through fake login pages or deceptive emails posing as trusted sources.
Brute-force attacks: Attackers rapidly guess password combinations to break into accounts, often targeting weak or common passwords.
SIM swapping: Cybercriminals hijack a victim’s phone number to intercept 2FA codes and take control of protected accounts.
Exploiting vulnerabilities: Targeting outdated software or weak security practices, such as unsecured passwords.
Man-in-the-Middle (MitM) attacks: In MitM attacks, credentials are stolen by intercepting user traffic over insecure networks during login sessions.
Once an attacker gains access to a corporate account, they’ll generally aim to exploit it for strategic, financial, or operational advantage. They will try to escalate privileges or pivot to other systems within the organization, and may exfiltrate sensitive data like intellectual property, customer information, financial records, or internal communications.
If the account belongs to an employee with access to critical systems, attackers might deploy malware, ransomware, or create backdoors for persistent access. They can also impersonate the user to conduct business email compromise (BEC) scams, tricking colleagues or partners into transferring funds or revealing confidential information. In some cases, attackers monitor communications silently to gather intelligence or prepare for larger attacks.
Is multi-factor authentication (MFA) enough to stop account takeovers?
While MFA is a strong security measure, it’s not foolproof. Attackers are increasingly finding ways to bypass or exploit MFA, making it essential to have behavioral detection in place as well.
Even with robust security mechanisms like MFA in place, attackers have advanced techniques available, such as AitM phishing kits that bypass MFA; see this blog for a full threat story on how this is done and stopped by Darktrace. Similarly, the misuse of legitimate services such as Milanote for malicious purposes can help attackers evade traditional email security solutions by blurring the distinction between legitimate and malicious content.
This is why security tools based on anomaly detection are crucial for defending against such attacks. However, user awareness is equally important. Delays in processing can impact the speed of response, making it essential for users to be informed about these threats.
Why are SaaS environments increasingly targeted by cyber attackers?
SaaS environments are attractive to cyber-criminals for a number of reasons.
1. High Concentration of Data: SaaS platforms often store vast amounts of sensitive corporate data, including customer information, financial records, and intellectual property, making them attractive targets.
2. Widespread Adoption: As more organizations move to cloud-based services for scalability and convenience, the attack surface expands. This widespread use increases the chances of misconfigurations or weak security practices.
3. User-Centric Access: SaaS applications are typically accessed via the internet using credentials, making them vulnerable to account takeover attacks, phishing, and credential stuffing.
4. Third-Party Dependencies: SaaS environments often integrate with other tools and services, creating complex ecosystems where a vulnerability in one component can compromise the entire system.
5. Inconsistent Security Posture: Organizations may assume that security is fully handled by the SaaS provider, leading to gaps in user-side configurations, such as weak access controls or lack of multi-factor authentication (MFA).
How do attackers maintain persistence in a SaaS account takeover?
Threat actors often compromise multiple accounts within the same organization, using one account to launch attacks (e.g. phishing) while keeping another dormant to maintain access and evade detection.
What happens after a SaaS account is hijacked?
Once a SaaS account is compromised, attackers may:
• Alter email rules to hide their activities or misdirect communications.
• Access sensitive internal data or steal confidential information.
• Launch additional social engineering attacks to compromise more accounts or escalate privileges.
• Cause service disruptions or damage to the organization's reputation.
How can SaaS account hijacking be detected?
Detection relies on spotting unusual behaviors and login patterns that deviate from the norm:
• Unusual login locations: For example, logins from unexpected geographic locations or multiple locations simultaneously.
• Uncommon login devices or endpoints: Accessing the account from devices or network locations that are not typically used.
• Suspicious email activity: The creation of new email rules or suspicious outbound emails that were not initiated by the user.
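The three detection signals listed above are the same ones the threat story earlier on this page chains together: a rare login without MFA, a hidden inbox rule, and a phishing send from the same IP. The script below is an added illustration of that correlation, not Darktrace's code or any vendor's schema. It runs over a handful of constructed sign-in, inbox-rule and outbound-mail events, learns a per-user baseline from clean sign-ins only, flags deviations, and stitches the flagged events for one user into a single incident with a stage count and the containment steps a defender would take. Field names, thresholds (`MIN_HISTORY`, `BULK_RECIPIENTS`, the 24-hour window, the 06:00 to 22:00 working hours) and the hidden-folder list are all assumptions for the example.

```python
"""Correlate SaaS sign-in, inbox-rule and outbound-mail events into one account-
takeover incident. Added illustration, not Darktrace code: the event schema,
thresholds and folder list are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Alice has two normal MFA sign-ins,
# then an off-hours sign-in without MFA from a new country, IP and device, followed
# by a punctuation-only inbox rule (mirroring the rule name in the threat story)
# and a bulk send from the same IP. Bob is a clean control user.
SAMPLE_EVENTS = [
    {"type": "signin", "user": "alice@example.com", "ts": "2024-05-02T08:01:00",
     "country": "GB", "device": "corp-laptop-17", "ip": "203.0.113.10", "mfa": True},
    {"type": "signin", "user": "alice@example.com", "ts": "2024-05-03T08:03:00",
     "country": "GB", "device": "corp-laptop-17", "ip": "203.0.113.10", "mfa": True},
    {"type": "signin", "user": "alice@example.com", "ts": "2024-05-04T23:47:00",
     "country": "NG", "device": "unknown-browser", "ip": "198.51.100.77", "mfa": False},
    {"type": "inbox_rule", "user": "alice@example.com", "ts": "2024-05-04T23:52:00",
     "name": "....,,,", "move_to": "Conversation History", "from_domain": "examp1e.com"},
    {"type": "outbound_mail", "user": "alice@example.com", "ts": "2024-05-05T00:10:00",
     "ip": "198.51.100.77", "recipients": 42, "subject": "Updated invoice - action required"},
    {"type": "signin", "user": "bob@example.com", "ts": "2024-05-04T09:00:00",
     "country": "GB", "device": "corp-laptop-02", "ip": "203.0.113.11", "mfa": True},
]

MIN_HISTORY = 2               # clean sign-ins needed before "never seen" counts as rare
BULK_RECIPIENTS = 20          # outbound recipient count treated as a bulk send
WINDOW = timedelta(hours=24)  # how long a suspect sign-in keeps an incident open
# Folders users rarely open; rules that move mail there are a classic hiding spot.
HIDDEN_FOLDERS = {"conversation history", "rss feeds", "rss subscriptions",
                  "deleted items", "junk email", "archive"}


def score_signin(ev, profile):
    """Flags for one sign-in judged against the user's learned profile."""
    flags = []
    if profile["count"] >= MIN_HISTORY:
        for key, label in (("country", "rare_country"), ("device", "new_device"), ("ip", "new_ip")):
            if ev[key] not in profile[key]:
                flags.append(f"{label}:{ev[key]}")
    if not ev["mfa"]:
        flags.append("no_mfa")
    hour = datetime.fromisoformat(ev["ts"]).hour
    if hour >= 22 or hour < 6:      # assumed working hours are 06:00-22:00
        flags.append("off_hours")
    return flags


def score_inbox_rule(ev):
    """Flags for an inbox-rule creation, independent of any sign-in."""
    flags = []
    if not any(c.isalnum() for c in ev["name"]):
        flags.append("rule_name_non_alphanumeric")
    if ev["move_to"].lower() in HIDDEN_FOLDERS:
        flags.append(f"moves_to_hidden_folder:{ev['move_to']}")
    if ev.get("from_domain"):
        flags.append(f"filters_sender_domain:{ev['from_domain']}")
    return flags


def score_outbound(ev, incident):
    """Flags for an outbound send; ties it to the IP of an already-suspect sign-in."""
    flags = []
    if incident and ev["ip"] in incident["suspect_ips"]:
        flags.append("sent_from_suspect_ip")
    if ev["recipients"] >= BULK_RECIPIENTS:
        flags.append("bulk_send")
    return flags


def correlate(events):
    """Walk events in time order, learn a per-user baseline from clean sign-ins only
    (so the attacker's IP is never learned), and attach later flagged events to the
    user's open incident."""
    profiles = defaultdict(lambda: {"count": 0, "country": set(), "device": set(), "ip": set()})
    open_incidents, incidents = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts = ev["user"], datetime.fromisoformat(ev["ts"])
        inc = open_incidents.get(user)
        if inc and ts - datetime.fromisoformat(inc["start"]) > WINDOW:
            del open_incidents[user]
            inc = None
        if ev["type"] == "signin":
            flags = score_signin(ev, profiles[user])
            if not flags:
                p = profiles[user]
                p["count"] += 1
                for key in ("country", "device", "ip"):
                    p[key].add(ev[key])
        elif ev["type"] == "inbox_rule":
            flags = score_inbox_rule(ev)
        else:
            flags = score_outbound(ev, inc)
        if not flags:
            continue
        if inc is None:
            inc = {"user": user, "start": ev["ts"], "suspect_ips": set(), "stages": []}
            open_incidents[user] = inc
            incidents.append(inc)
        if ev["type"] == "signin":
            inc["suspect_ips"].add(ev["ip"])
        inc["stages"].append((ev["type"], ev["ts"], flags))
    return incidents


def severity(incident):
    """Distinct stages seen: 1 = odd login only, 3 = login + persistence + phishing."""
    return len({stage for stage, _, _ in incident["stages"]})


def containment_steps(incident):
    """Defender actions implied by the stages, in the order an analyst would take them."""
    steps = ["revoke all sessions and tokens for " + incident["user"],
             "force password reset and re-enrol MFA"]
    for stage, _, _ in incident["stages"]:
        if stage == "inbox_rule":
            steps.append("delete the attacker-created inbox rule and restore diverted mail")
        if stage == "outbound_mail":
            steps.append("recall or quarantine the outbound messages and notify recipients")
    for ip in sorted(incident["suspect_ips"]):
        steps.append(f"block sign-ins from {ip} and hunt for other accounts using it")
    return steps


if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        print(inc["user"], "severity", severity(inc))
        for stage, ts, flags in inc["stages"]:
            print("  ", ts, stage, ", ".join(flags))
        for step in containment_steps(inc):
            print("   ->", step)
```

On the sample data the script produces one incident for alice with severity 3 and nothing for bob. Two design choices matter more than the thresholds: the baseline is only updated from sign-ins that raised no flags, so a suspicious login does not quietly teach the profile that the attacker's country and IP are normal; and an inbox rule is scored on its own merits (punctuation-only name, hidden destination folder, sender-domain filter), so it still opens an incident even when the preceding login looked clean.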
Can Darktrace stop attackers once they have compromised an account?
Darktrace detects account takeovers with high confidence by stitching together unusual behavior that indicates a compromise, such as unusual login time and location, unusual inbox rule creation, and many more subtle signs of attack. It then takes autonomous action to lock the attacker out of the account and makes sure they stay out. Autonomous Response is highly configurable and can be set to human confirmation mode to avoid any unwanted responses.