Stop account takeovers before damage is done
Darktrace stitches together subtle signs of a cloud or email account takeover, locks out the attacker, and makes sure they stay out
ATOs are getting stealthier and more costly
Understanding people, rather than attacks
Darktrace’s AI learns each user’s behavior across channels to identify subtle anomalies and stop the earliest signs of account compromise with precise response actions.
Accelerate your investigations
10x
Get a single, comprehensive view of security incidents as they traverse email, cloud, and network environments, with Cyber AI Analyst escalating validated account takeover incidents with full context and recommended actions.
Scale security to cover all your account-focused use cases
Darktrace leverages additional signals from across the network for more accurate detection of threats, for an expanded range of use cases across your email and SaaS applications
Apps and collaboration tools
Darktrace integrates with Microsoft Office 365 and Google Workspace to continuously monitor and correlate login data, account activity, and email rules for detailed user context
Network and identity
Native integrations within Darktrace highlight lateral movement between these areas of your digital ecosystem, to help contextualize user activity and trace threats
How AI-led security stops account hijack
This is the default text value
Initial SaaS account compromise
A threat actor gained access to a manufacturing customer’s SaaS account using compromised credentials. As a result, legacy security solutions did not flag the login as malicious.
Darktrace recognized the login as rare for the account, flagged the absence of MFA, and identified the IP as suspicious, triggering an alert.
Establishing persistence: Hidden email rule
The attacker created an inconspicuous email rule (“….,,,”) to divert emails from a specific domain into ‘Conversation History,’ ensuring phishing attempts remained unseen. Security tools did not detect the subtle manipulation of email settings, as rule creation is common in SaaS platforms.
Darktrace identified the unusual rule, linking it to the suspicious login and a newly registered typosquat domain.
Phishing attempt
Shortly after gaining access, the attacker sent a phishing email from the same rare IP, likely to escalate privileges or compromise additional accounts. The email bypassed signature-based detection, as it did not contain known malware or flagged URLs.
Darktrace’s anomaly-based detection identified the sender’s unusual behavior, marking the email as suspicious.
SOC intervention
Without proactive monitoring, security teams would have noticed the attack only after damage was done.
Darktrace correlated the login, rule change, and phishing attempt in real time, enabling rapid human intervention before further escalation.
Why DTC Communications went with Darktrace
For this leading telecom provider, Darktrace provides critical insights into potential breaches, especially identity-based attacks. Darktrace revealed a significant security incident that other tools missed.
“We were able to quickly make informed containment decisions. Meanwhile, Darktrace was already taking proactive action, preventing further escalation as we investigated.”
—Edward Massey, Head of Network Engineering
investigations automatically conducted by Darktrace’s Cyber AI Analyst in the first 3 months, escalating only 129 for human review
behaviors controlled by Darktrace’s autonomous response in the first 3 months
saved in analyst resources in first 13 days
Insights, case studies, and strategies to protect your business
Attackers are avoiding traditional security measures leveraging AI-driven techniques to bypass conventional rules and signatures. Learn how Darktrace responds to threats infiltrating through the supply chain
Tackling the 11 Biggest Cloud Threats with AI-Powered Defense
Take a closer look at the the top 11 threats arising in modern cloud deployments, including account-based attacks.
Customer Story: How Digimax augmented their small security team with Darktrace
See how this Italian consumer electronics firm brought email, network, and SaaS application security together for extended visibility with context.
Detecting and containing account takeover with Darktrace
Learn how Darktrace detects deviations in user behavior to autonomously stop account-based threats before they escalate.
See Darktrace in action
Protect your business from ransomware. See what Darktrace AI finds in your environment.
Cyber resilience across the entire business
/NETWORK
/CLOUD
/OT
/IDENTITY
/ENDPOINT
Frequently asked questions
Account takeover is used to describe any scenario in which a malicious actor gains unauthorized access to a user’s account. There are several ways an adversary can gain access to a legitimate user account:
Credential stuffing: Attackers use stolen login credentials from previous breaches to access accounts where users have reused usernames and passwords.
Malware: Malicious software like keyloggers or spyware captures login details and enables silent account takeover attacks.
Phishing: Phishing attacks trick users into revealing credentials through fake login pages or deceptive emails posing as trusted sources.
Brute-force attacks: Attackers rapidly guess password combinations to break into accounts, often targeting weak or common passwords.
SIM swapping: Cybercriminals hijack a victim’s phone number to intercept 2FA codes and take control of protected accounts.
Exploiting vulnerabilities: Targeting outdated software or weak security practices, such as unsecured passwords.
Man-in-the-Middle (MitM) attacks: In MitM attacks, credentials are stolen by intercepting user traffic over insecure networks during login sessions.
Once an attacker gains access to a corporate account, they’ll generally aim to exploit it for strategic, financial, or operational advantage. Theiy will try and escalate privileges or pivot to other systems within the organization, and may exfiltrate sensitive data like intellectual property, customer information, financial records, or internal communications.
If the account belongs to an employee with access to critical systems, attackers might deploy malware, ransomware, or create backdoors for persistent access. They can also impersonate the user to conduct business email compromise (BEC) scams, tricking colleagues or partners into transferring funds or revealing confidential information. In some cases, attackers monitor communications silently to gather intelligence or prepare for larger attacks.
While MFA is a strong security measure, it’s not foolproof. Attackers are increasingly finding ways to bypass or exploit MFA, making it essential to have behavioral detection in place as well.
Even with robust security mechanisms like MFA there are advanced techniques attackers can use like AitM phishing kits that bypass MFA, see this blog for a full threat story on how this is done and stopped by Darktrace. Similarly, the misuse of legitimate services such as Milanote for malicious purposes can help attackers evade traditional email security solutions by blurring the distinction between legitimate and malicious content.
This is why security tools based on anomaly detection are crucial for defending against such attacks. However, user awareness is equally important. Delays in processing can impact the speed of response, making it essential for users to be informed about these threats.
SaaS environments are attractive to cyber-criminals for a number of reasons.
1. High Concentration of Data: SaaS platforms often store vast amounts of sensitive corporate data, including customer information, financial records, and intellectual property, making them attractive targets.
2. Widespread Adoption: As more organizations move to cloud-based services for scalability and convenience, the attack surface expands. This widespread use increases the chances of misconfigurations or weak security practices.
3. User-Centric Access: SaaS applications are typically accessed via the internet using credentials, making them vulnerable to account takeover attacks, phishing, and credential stuffing.
4. Third-Party Dependencies: SaaS environments often integrate with other tools and services, creating complex ecosystems where a vulnerability in one component can compromise the entire system.
5. Inconsistent Security Posture: Organizations may assume that security is fully handled by the SaaS provider, leading to gaps in user-side configurations, such as weak access controls or lack of multi-factor authentication (MFA).
Threat actors often compromise multiple accounts within the same organization, using one account to launch attacks (e.g. phishing) while keeping another dormant to maintain access and evade detection.
Once a SaaS account is compromised, attackers may:
• Alter email rules to hide their activities or misdirect communications.
• Access sensitive internal data or steal confidential information.
• Launch additional social engineering attacks to compromise more accounts or escalate privileges.
• Cause service disruptions or damage to the organization's reputation.
Detection relies on spotting unusual behaviors and login patterns that deviate from the norm:
• Unusual login locations: For example, logins from unexpected geographic locations or multiple locations simultaneously.
• Uncommon login devices or endpoints: Accessing the account from devices or network locations that are not typically used.
• Suspicious email activity: The creation of new email rules or suspicious outbound emails that were not initiated by the user.
Darktrace detects account takeovers with high confidence by stitching together unusual behavior that indicates a compromise, such as unusual login time and location, unusual inbox rule creation, and many more subtle signs of attack. It then takes autonomous action to lock the attacker out of the account and makes sure they stay out. Autonomous Response is highly configurable and can be set to human confirmation mode to avoid any unwanted responses.