Stop account takeovers before damage is done

Darktrace stitches together subtle signs of a cloud or email account takeover, locks out the attacker, and makes sure they stay out

10,000
Darktrace customers
Account takeover trends

ATOs are getting stealthier and more costly

$4.81m
is the average cost of an attack using compromised credentials
292 days
to identify and contain attacks using stolen or compromised credentials

Accelerate your investigations

10x

Get a single, comprehensive view of security incidents as they traverse email, cloud, and network environments, with Cyber AI Analyst escalating validated account takeover incidents with full context and recommended actions.

Scale security to cover all your account-focused use cases

Darktrace uses additional signals from across the network to detect threats more accurately, extending coverage to a wider range of use cases across your email and SaaS applications

Apps and collaboration tools

Darktrace integrates with Microsoft Office 365 and Google Workspace to continuously monitor and correlate login data, account activity, and email rules for detailed user context

Network and identity

Native integrations within Darktrace highlight lateral movement between these areas of your digital ecosystem, to help contextualize user activity and trace threats

Threat story: Account takeover

How AI-led security stops account hijack


See how Darktrace responded to stop an M365 account takeover attempt targeting a company in the manufacturing industry.

Initial SaaS account compromise

A threat actor gained access to a manufacturing customer’s SaaS account using compromised credentials. Because the credentials were valid, legacy security solutions did not flag the login as malicious.

Darktrace recognized the login as rare for the account, flagged the absence of MFA, and identified the IP as suspicious, triggering an alert.

Establishing persistence: Hidden email rule

The attacker created an inconspicuous email rule (“….,,,”) to divert emails from a specific domain into ‘Conversation History,’ ensuring phishing attempts remained unseen. Security tools did not detect the subtle manipulation of email settings, as rule creation is common in SaaS platforms.

Darktrace identified the unusual rule, linking it to the suspicious login and a newly registered typosquat domain.

Phishing attempt

Shortly after gaining access, the attacker sent a phishing email from the same rare IP, likely to escalate privileges or compromise additional accounts. The email bypassed signature-based detection, as it did not contain known malware or flagged URLs.

Darktrace’s anomaly-based detection identified the sender’s unusual behavior, marking the email as suspicious.

SOC intervention

Without proactive monitoring, security teams would have noticed the attack only after damage was done.

Darktrace correlated the login, rule change, and phishing attempt in real time, enabling rapid human intervention before further escalation.
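The chain above (a rare login completed without MFA, an inconspicuous inbox rule minutes later, then outbound phishing from the same IP) is what a correlation rule has to stitch together. As an added example, not Darktrace’s code or data model, the Python below does that over a handful of constructed audit records shaped loosely like Microsoft 365 unified audit log entries; the field names, the rule-name heuristics, the lists of hiding folders and actions, the ten-recipient bulk-send cutoff and the 24-hour window are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Assumed lists: folders attackers use to park mail the victim should not see,
# and rule actions that remove or redirect mail.
HIDDEN_FOLDERS = {"conversation history", "rss feeds", "rss subscriptions",
                  "archive", "junk email", "deleted items"}
HIDING_ACTIONS = ("DeleteMessage", "MarkAsRead", "ForwardTo",
                  "RedirectTo", "ForwardAsAttachmentTo")


def parse_time(stamp):
    """Audit timestamps are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def rule_findings(params):
    """Reasons an inbox rule looks like persistence rather than mail hygiene."""
    reasons = []
    name = params.get("Name", "")
    # A rule named "....,,," or " " is meant to go unnoticed in the rule list.
    if len(name.strip()) <= 1 or not any(c.isalnum() for c in name):
        reasons.append(f"non-descriptive rule name {name!r}")
    folder = params.get("MoveToFolder", "")
    if folder.lower() in HIDDEN_FOLDERS:
        reasons.append(f"moves matching mail to {folder!r}")
    for action in HIDING_ACTIONS:
        if params.get(action):
            reasons.append(f"rule sets {action}={params[action]!r}")
    return reasons


def correlate(events, baseline_ips, window=timedelta(hours=24)):
    """Group rule changes and bulk sends with the rare-IP login that preceded them.

    baseline_ips maps a user to the IPs that account has historically used; a
    login from any other IP starts a candidate incident, which is escalated only
    when a second stage (suspicious rule or bulk outbound mail) follows from the
    same IP inside the window."""
    events = sorted(events, key=lambda e: parse_time(e["CreationTime"]))
    incidents = []
    for login in events:
        if login["Operation"] != "UserLoggedIn":
            continue
        user, ip = login["UserId"], login["ClientIP"]
        if ip in baseline_ips.get(user, set()):
            continue
        t0 = parse_time(login["CreationTime"])
        stages = {"login"}
        findings = ["login from an IP never seen for this account"]
        if not login.get("MFA", True):
            findings.append("login completed without MFA")
        for ev in events:
            t = parse_time(ev["CreationTime"])
            if (ev["UserId"], ev["ClientIP"]) != (user, ip) or not t0 < t <= t0 + window:
                continue
            if ev["Operation"] in ("New-InboxRule", "Set-InboxRule"):
                reasons = rule_findings(ev["Parameters"])
                if reasons:
                    stages.add("inbox-rule")
                    findings += ["inbox rule: " + r for r in reasons]
            elif ev["Operation"] == "Send" and ev.get("Recipients", 0) >= 10:
                stages.add("outbound-mail")
                findings.append(f"{ev['Recipients']}-recipient send from the same rare IP")
        if len(stages) >= 2:
            incidents.append({"user": user, "ip": ip, "login_at": t0.isoformat(),
                              "stages": sorted(stages), "findings": findings})
    return incidents


# Constructed sample records (not real audit data); IPs are from documentation ranges
# and the sender domain in the rule is a made-up lookalike on the reserved .test TLD.
EVENTS = [
    {"CreationTime": "2024-03-04T08:02:11Z", "Operation": "UserLoggedIn",
     "UserId": "j.doe@example.com", "ClientIP": "203.0.113.77", "MFA": False},
    {"CreationTime": "2024-03-04T08:09:40Z", "Operation": "New-InboxRule",
     "UserId": "j.doe@example.com", "ClientIP": "203.0.113.77",
     "Parameters": {"Name": "....,,,", "FromAddressContainsWords": "exarnple.test",
                    "MoveToFolder": "Conversation History", "MarkAsRead": True}},
    {"CreationTime": "2024-03-04T08:31:05Z", "Operation": "Send",
     "UserId": "j.doe@example.com", "ClientIP": "203.0.113.77", "Recipients": 46},
    # Benign control: a colleague on the usual office IP creating a descriptive rule.
    {"CreationTime": "2024-03-04T09:15:00Z", "Operation": "UserLoggedIn",
     "UserId": "a.smith@example.com", "ClientIP": "198.51.100.10", "MFA": True},
    {"CreationTime": "2024-03-04T09:20:00Z", "Operation": "New-InboxRule",
     "UserId": "a.smith@example.com", "ClientIP": "198.51.100.10",
     "Parameters": {"Name": "Vendor invoices", "MoveToFolder": "Invoices"}},
]
BASELINE_IPS = {"j.doe@example.com": {"198.51.100.10"},
                "a.smith@example.com": {"198.51.100.10"}}

if __name__ == "__main__":
    for inc in correlate(EVENTS, BASELINE_IPS):
        print(f"{inc['user']} from {inc['ip']} at {inc['login_at']}: {inc['stages']}")
        for finding in inc["findings"]:
            print("  -", finding)
```

The escalation condition is deliberately two-stage: a single login from an unfamiliar IP is common (travel, new ISP) and alone would drown analysts, but the same IP creating a hiding rule or mass-mailing within a day is exactly the sequence in the story. Rule creation by itself is not flagged either; only rules whose name or effect matches the persistence heuristics count, so the colleague’s “Vendor invoices” rule from a known IP produces nothing.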

Customer story

Why DTC Communications went with Darktrace

For this leading telecom provider, Darktrace provides critical insights into potential breaches, especially identity-based attacks. Darktrace revealed a significant security incident that other tools missed.  

“We were able to quickly make informed containment decisions. Meanwhile, Darktrace was already taking proactive action, preventing further escalation as we investigated.”

Edward Massey, Head of Network Engineering

1,356
investigations automatically conducted by Darktrace’s Cyber AI Analyst in the first 3 months, escalating only 129 for human review
3,092
behaviors controlled by Darktrace’s autonomous response in the first 3 months
$2,520
saved in analyst resources in the first 13 days
Recommended resources

Insights, case studies, and strategies to protect your business

Attackers are avoiding traditional security measures by leveraging AI-driven techniques to bypass conventional rules and signatures. Learn how Darktrace responds to threats infiltrating through the supply chain.

White paper

Tackling the 11 Biggest Cloud Threats with AI-Powered Defense

Take a closer look at the top 11 threats arising in modern cloud deployments, including account-based attacks.

Customer story

Customer Story: How Digimax augmented their small security team with Darktrace

See how this Italian consumer electronics firm brought email, network, and SaaS application security together for extended visibility with context.

Blog

Detecting and containing account takeover with Darktrace

Learn how Darktrace detects deviations in user behavior to autonomously stop account-based threats before they escalate.

See Darktrace in action

Protect your business from ransomware. 
See what Darktrace AI finds in your environment.

Account takeover

Frequently asked questions

What are different types of account takeover attacks?

Account takeover is used to describe any scenario in which a malicious actor gains unauthorized access to a user’s account. There are several ways an adversary can gain access to a legitimate user account:  

Credential stuffing: Attackers use stolen login credentials from previous breaches to access accounts where users have reused usernames and passwords.

Malware: Malicious software like keyloggers or spyware captures login details and enables silent account takeover attacks.

Phishing: Phishing attacks trick users into revealing credentials through fake login pages or deceptive emails posing as trusted sources.

Brute-force attacks: Attackers rapidly guess password combinations to break into accounts, often targeting weak or common passwords.

SIM swapping: Cybercriminals hijack a victim’s phone number to intercept 2FA codes and take control of protected accounts.

Exploiting vulnerabilities: Attackers exploit flaws in outdated or unpatched software, or weak security practices such as insecurely stored passwords.

Man-in-the-Middle (MitM) attacks: In MitM attacks, credentials are stolen by intercepting user traffic over insecure networks during login sessions.

Once an attacker gains access to a corporate account, they’ll generally aim to exploit it for strategic, financial, or operational advantage. They will try to escalate privileges or pivot to other systems within the organization, and may exfiltrate sensitive data like intellectual property, customer information, financial records, or internal communications.

If the account belongs to an employee with access to critical systems, attackers might deploy malware, ransomware, or create backdoors for persistent access. They can also impersonate the user to conduct business email compromise (BEC) scams, tricking colleagues or partners into transferring funds or revealing confidential information. In some cases, attackers monitor communications silently to gather intelligence or prepare for larger attacks.

Is multi-factor authentication (MFA) enough to stop account takeovers?

While MFA is a strong security measure, it’s not foolproof. Attackers are increasingly finding ways to bypass or exploit MFA, making it essential to have behavioral detection in place as well.

Even with robust security mechanisms like MFA in place, attackers have advanced techniques available, such as adversary-in-the-middle (AitM) phishing kits that proxy the real login page and capture the authenticated session, bypassing MFA; see the Darktrace blog for a full threat story on how this is done and how Darktrace stopped it. Similarly, misuse of legitimate services such as Milanote for malicious purposes helps attackers evade traditional email security solutions by blurring the distinction between legitimate and malicious content.

This is why security tools based on anomaly detection are crucial for defending against such attacks. However, user awareness is equally important: every delay before a suspicious prompt or email is reported slows the response, so users need to be informed about these threats.

Why are SaaS environments increasingly targeted by cyber attackers?

SaaS environments are attractive to cyber-criminals for a number of reasons.  

1. High Concentration of Data: SaaS platforms often store vast amounts of sensitive corporate data, including customer information, financial records, and intellectual property, making them attractive targets.

2. Widespread Adoption: As more organizations move to cloud-based services for scalability and convenience, the attack surface expands. This widespread use increases the chances of misconfigurations or weak security practices.

3. User-Centric Access: SaaS applications are typically accessed via the internet using credentials, making them vulnerable to account takeover attacks, phishing, and credential stuffing.

4. Third-Party Dependencies: SaaS environments often integrate with other tools and services, creating complex ecosystems where a vulnerability in one component can compromise the entire system.

5. Inconsistent Security Posture: Organizations may assume that security is fully handled by the SaaS provider, leading to gaps in user-side configurations, such as weak access controls or lack of multi-factor authentication (MFA).


How do attackers maintain persistence in a SaaS account takeover?

Threat actors often compromise multiple accounts within the same organization, using one account to launch attacks (e.g. phishing) while keeping another dormant to maintain access and evade detection.

What happens after a SaaS account is hijacked?

Once a SaaS account is compromised, attackers may:

• Alter email rules to hide their activities or misdirect communications.

• Access sensitive internal data or steal confidential information.

• Launch additional social engineering attacks to compromise more accounts or escalate privileges.

• Cause service disruptions or damage to the organization's reputation.

How can SaaS account hijacking be detected?

Detection relies on spotting unusual behaviors and login patterns that deviate from the norm:

• Unusual login locations: For example, logins from unexpected geographic locations or multiple locations simultaneously.

• Uncommon login devices or endpoints: Accessing the account from devices or network locations that are not typically used.

• Suspicious email activity: The creation of new email rules or suspicious outbound emails that were not initiated by the user.
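The first two login-pattern signals above can be computed directly from an authentication log once each source IP has been resolved to coordinates. The Python below is an added example, not Darktrace’s detection logic: it flags impossible travel between a user’s consecutive logins (including two far-apart logins at the same instant) and logins from a device the account has never used. The login records are constructed, the coordinates are assumed to come from an upstream IP geolocation step, and the 900 km/h threshold and device labels are assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900.0   # assumption: faster than an airliner cannot be one person


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = radians(lat1), radians(lat2)
    d_phi, d_lambda = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(d_phi / 2) ** 2 + cos(p1) * cos(p2) * sin(d_lambda / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def parse_time(stamp):
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def analyse_logins(logins, known_devices):
    """Return alerts for impossible travel and first-seen devices, per user.

    Each login record carries the coordinates resolved for its source IP; the
    previous login by the same user is the reference point. Two logins at the
    same instant from far apart (concurrent sessions) are caught by the speed
    check because elapsed time is floored at one second."""
    alerts = []
    last_seen = {}
    for rec in sorted(logins, key=lambda r: parse_time(r["time"])):
        user = rec["user"]
        prev = last_seen.get(user)
        if prev is not None:
            elapsed_h = (parse_time(rec["time"]) - parse_time(prev["time"])).total_seconds() / 3600
            distance = haversine_km(prev["lat"], prev["lon"], rec["lat"], rec["lon"])
            speed = distance / max(elapsed_h, 1 / 3600)
            if speed > MAX_SPEED_KMH:
                alerts.append({"user": user, "type": "impossible_travel",
                               "from_ip": prev["ip"], "to_ip": rec["ip"],
                               "km": round(distance), "hours": round(elapsed_h, 2),
                               "kmh": round(speed)})
        if rec["device"] not in known_devices.get(user, set()):
            alerts.append({"user": user, "type": "new_device",
                           "device": rec["device"], "ip": rec["ip"]})
        last_seen[user] = rec
    return alerts


# Constructed sample logins (not real data); coordinates approximate city centres
# and IPs are from documentation ranges.
LOGINS = [
    {"time": "2024-03-04T08:00:00Z", "user": "j.doe@example.com", "ip": "198.51.100.10",
     "lat": 51.5074, "lon": -0.1278, "device": "Windows 11 / Edge"},        # London
    {"time": "2024-03-04T09:30:00Z", "user": "j.doe@example.com", "ip": "203.0.113.77",
     "lat": 40.7128, "lon": -74.0060, "device": "Linux / Firefox"},          # New York
    {"time": "2024-03-04T09:00:00Z", "user": "a.smith@example.com", "ip": "198.51.100.10",
     "lat": 51.5074, "lon": -0.1278, "device": "macOS / Safari"},           # London
    {"time": "2024-03-04T12:00:00Z", "user": "a.smith@example.com", "ip": "192.0.2.44",
     "lat": 53.4808, "lon": -2.2426, "device": "macOS / Safari"},           # Manchester
]
KNOWN_DEVICES = {"j.doe@example.com": {"Windows 11 / Edge"},
                 "a.smith@example.com": {"macOS / Safari"}}

if __name__ == "__main__":
    for alert in analyse_logins(LOGINS, KNOWN_DEVICES):
        print(alert)
```

Run stand-alone, the second user’s London-to-Manchester day produces nothing, while the first user’s London login followed ninety minutes later by a New York login on a new browser produces both alert types. In production the geolocation step is the weak point: VPN egress points and mobile carrier NAT ranges generate false positives, so the impossible-travel alert is best consumed as one signal to correlate with others (an inbox rule or mass mail from the new IP) rather than as a stand-alone verdict.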

Can Darktrace stop attackers once they have compromised an account?

Darktrace detects account takeovers with high confidence by stitching together unusual behavior that indicates a compromise, such as unusual login time and location, unusual inbox rule creation, and many more subtle signs of attack. It then takes autonomous action to lock the attacker out of the account and makes sure they stay out. Autonomous Response is highly configurable and can be set to human confirmation mode to avoid any unwanted responses.