Study Finds Account Takeover Incidents are Widespread

Account takeover incidents, where attackers steal employee credentials and use them to send e-mails from the user’s real account, are increasing in frequency and magnitude. In this report, we take a closer look at the motives and demographics behind these attacks.

Highlighted Threat: Account Takeover

Account takeover (ATO) attacks have multiple objectives. Some attackers try to use the hacked e-mail account to launch phishing campaigns that will go undetected, some attackers steal credentials of other employees and sell them on the black market, and others use the account to conduct reconnaissance to launch personalized attacks. The most sophisticated attackers steal the credentials of a key employee (e.g., CEO or CFO), and use them to launch a Business E-mail Compromise attack from the real employee’s e-mail address.

To better understand the extent of account takeover, we ran a study on 50 randomly selected organizations. These organizations span different sectors, including private companies, public organizations, and educational institutions. These organizations reported account takeover incidents to us over a 3-month period, from the beginning of April until the end of June 2018. Note that this study may underestimate the number of real account takeover incidents, since some incidents may have taken place without the organization’s knowledge.

| Month | April 2018 | May 2018 | June 2018 | Total |
|---|---|---|---|---|
| Number of organizations that experienced account takeover | 8 | 7 | 4 | 19 |
| Number of spam incidents | 3 | 5 | 2 | 10 |
| Number of phishing incidents | 13 | 30 | 4 | 47 |
| Number of attachment incidents | 1 | 2 | 0 | 3 |
| Total number of account takeover incidents | 17 | 37 | 6 | 60 |


The above table includes a summary of the incidents reported by these organizations. An account takeover incident is defined as an employee’s e-mail being used by an attacker to e-mail other people, either internal employees or external parties.

Overall, in each month 4-8 organizations reported at least one account takeover incident, and the total number of incidents reported was 60. On average, when a company got compromised, the compromise resulted in at least 3 separate account takeover incidents, where either the same or different employees’ accounts were used for nefarious purposes.

We also analyzed the type of incidents. Out of the 60 incidents, 78% resulted in a phishing e-mail. In these phishing e-mails, the goal of the attacker was typically to infect additional internal and external accounts. The e-mail usually impersonates the employee and asks the recipient to click on a link. The attackers sometimes made the e-mail appear as if the employee were sending an invitation to a link from a popular web service, such as OneDrive or Docusign.

Another 17% of incidents were used as platforms for sending spam campaigns. The reason attackers love using compromised accounts as vehicles for launching spam is that the accounts often have very high reputations: they are coming from reputable domains, from the correct IP, and from real people that have a legitimate e-mail history. Therefore, they are much less likely to get blocked by e-mail security systems that rely on domain, sender or IP reputation.

Finally, 5% of incidents involved the attacker asking the recipient to download an attachment. These incidents all involved internal e-mail traffic. This attack is effective because most e-mail security systems do not scan internal traffic for threats. Therefore, attackers can send malware with relative ease internally, and the recipients will often open the attachments, which will cause their endpoints to get infected.

We also analyzed the roles of the employees that got compromised. Over the 3 months, 50 different e-mail accounts got compromised (some accounts were compromised multiple times). We include the results below.

| Metric | Value |
|---|---|
| Number of employees compromised | 60 |
| Percentage that were executives | 6% |
| Percentage that were in sensitive departments | 22% |


Only 6% of the compromised employees were executives. In fact, the vast majority were in either entry-level or mid-management roles. This demonstrates that account takeover is a widespread phenomenon and is not just targeting high-level employees. In fact, lower-level employees are often better targets, because they have less cyber security training. In addition, given that many incidents are used to phish other employees or external parties, the attackers are looking for any way they can get into the network, even if it’s through a “lower-level” e-mail account. Once they are through, they can exploit the reputation of the company and its brand to their advantage.

22% of the incidents occurred to employees in sensitive departments. Sensitive departments include HR, IT, finance and legal. The aggregate share of employees in these departments within the organizations we studied is much lower than 22%. Therefore, this shows that while these incidents are widespread, there are still specific departments that attackers have a strong preference to go after, because they are the most lucrative targets for information and financial theft.

Asaf Cidon is vice president of content security services at Barracuda Networks. In this role, he is one of the leaders for Barracuda Sentinel, the company’s AI solution for real-time spear phishing and cyber fraud defense. Barracuda Sentinel utilizes artificial intelligence to learn the unique communications patterns inside customer organizations to identify anomalies and guard against these personalized attacks. Asaf was previously CEO and co-founder of Sookasa, a cloud storage security startup that was acquired by Barracuda. Prior to that, he completed his PhD at Stanford, where his research focused on cloud storage reliability and performance. He also worked at Google’s web search engineering team. Asaf holds a PhD and MS in Electrical Engineering from Stanford, and BSc in Computer Engineering from the Technion.