Account takeover (ATO) is one of the most prevalent attack types; Proofpoint says that in 2024, 99% of the customer tenants the company monitors were hit with at least one account takeover attempt, and 62% of the customers experienced at least one that was successful.
“We have thousands of direct integrations with key cloud services such as Microsoft Entra ID, O365, Okta and Google Workspace as well as tens-of-millions of monitored user accounts,” the company’s threat researchers explained. On average, affected organizations have had 12 accounts compromised by attackers last year, they added, and some organizations experienced dozens or hundreds of successful ATOs.
Source: Proofpoint
Attackers are not picky about their targets, but organizations in certain industries are more likely to suffer successful ATO attempts: Education, Electronics, and Aerospace.
Businesses in the Financial and Legal Services sector are, expectedly, better at fighting off these attempts, but apparently those in the Food & Beverage industry are, as well.
Account takeover prevention and detection
Proofpoint has also found that of the approximately 63 million accounts they monitored last year, some 3 million were targeted for account compromise and of those, 17,000 were successfully compromised.
Of those 17,000, 65% had multi-factor authentication (MFA) enabled, but the researchers did not share a breakdown of the MFA options used by those account holders.
Using FIDO security keys as a second authentication factor is, for example, a much safer option than receiving an authentication code via SMS. And using passkeys prevents any authentication factor from being harvested by phishers or infostealer malware.
So, as Proofpoint says, “MFA is good, but not good enough.” And that was to be expected: as more organizations began pushing for MFA use, attackers have found ways around it. What’s certain is that without MFA, the number of successful account takeovers would be even higher.
Spotting and preventing account takeovers is difficult. Most attacks (login attempts) are coming from the United States, Germany, Russia, India and the Netherlands, so geoblocking is impossible. Likewise, domain blocking won’t work as – more often than not – takeover attempts come from the same service providers and hosting countries as legitimate organizations.
“The reality is that there is no single indicator of account compromise that is a sure tell,” the threat researchers noted. Organizations have to rely on pre- and post-access behavior monitoring, AI-based analysis, and proprietary and third-party threat intelligence.
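The point that no single indicator is a sure tell can be shown with a small scoring rule that combines pre-access signals (new country, new device, phishable MFA method) with post-access behavior (inbox-rule creation, MFA method changes). This is an added illustration, not Proofpoint's detection logic; the sign-in events, baselines and field names are constructed for the example.

```python
# Constructed sample data (not from the Proofpoint report); field names are assumptions.
BASELINE = {  # what each user has been seen doing before
    "alice": {"countries": {"US"}, "devices": {"dev-a1"}},
    "bob":   {"countries": {"DE"}, "devices": {"dev-b2"}},
}

EVENTS = [
    # normal: known device, strong MFA, benign post-login activity
    {"id": 1, "user": "alice", "country": "US", "device": "dev-a1", "mfa": "fido2",
     "post": ["mail-read"]},
    # business travel: new country and SMS MFA, but nothing else unusual
    {"id": 2, "user": "bob", "country": "NL", "device": "dev-b2", "mfa": "sms",
     "post": ["mail-read"]},
    # takeover pattern from the user's own home country: new device, SMS MFA,
    # followed by a persistence-style inbox rule and an added MFA method
    {"id": 3, "user": "alice", "country": "US", "device": "dev-zz9", "mfa": "sms",
     "post": ["inbox-rule-create", "mfa-method-add"]},
]

PHISHABLE_MFA = {"sms", "voice", "none"}
RISKY_POST_ACTIONS = {"inbox-rule-create", "mfa-method-add", "oauth-consent"}


def score_event(event, baseline):
    """Return (score, reasons): one point per independent weak signal."""
    known = baseline.get(event["user"], {"countries": set(), "devices": set()})
    reasons = []
    if event["country"] not in known["countries"]:
        reasons.append("pre:new-country")
    if event["device"] not in known["devices"]:
        reasons.append("pre:new-device")
    if event["mfa"] in PHISHABLE_MFA:
        reasons.append("pre:phishable-mfa")
    for action in event["post"]:
        if action in RISKY_POST_ACTIONS:
            reasons.append("post:" + action)
    return len(reasons), reasons


def flag_events(events, baseline, threshold=3):
    """Ids of events whose combined score reaches the threshold."""
    return [e["id"] for e in events if score_event(e, baseline)[0] >= threshold]


def geoblock_hits(events, blocked_countries):
    """What a pure country block would catch, for comparison with the scoring."""
    return [e["id"] for e in events if e["country"] in blocked_countries]
```

Event 3 is flagged only because four weak signals line up, while the traveller in event 2 stays below the threshold; a geoblock on, say, RU catches nothing here, since the suspicious login comes from the user's own country.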