Abnormal Security Account Takeover Detection
Overview
Abnormal Security's Account Takeover Protection monitors sign-in activity and mailbox behavior to detect compromised internal accounts. By analyzing user behavior patterns, device fingerprints, sign-in locations, and mailbox rule changes, Abnormal identifies accounts that have been taken over by attackers. This skill covers ATO case management, investigation workflows, and remediation actions.
Account Takeover Indicators
| Indicator | Description | Risk Level |
|---|
| Impossible Travel | Sign-ins from geographically distant locations in short time | High |
| Unusual Sign-in Location | Sign-in from a country or region not seen before | Medium |
| New Device | Sign-in from an unrecognized device or browser | Medium |
| Suspicious Mailbox Rules | Auto-forward, delete, or move rules targeting sensitive emails | Critical |
| Bulk Email Sending | Account sending mass emails to internal or external recipients | High |
| Password Change | Unexpected password or MFA changes | High |
| Lateral Phishing | Compromised account sending phishing to internal users | Critical |
| Data Exfiltration | Large file downloads or email forwarding to external addresses | Critical |
| Token Theft | Session token stolen and used from different location/device | High |
ATO Case Field Reference
Core Fields
| Field | Type | Description |
|---|
caseId | string | Unique account takeover case ID |
affectedUser | string | Email address of the compromised account |
severity | string | Critical, High, Medium, Low |
detectedAt | datetime | When the takeover was first detected |
status | string | Open, Investigating, Remediated, Closed |
Sign-in Activity Fields
| Field | Type | Description |
|---|
signInEvents | object[] | List of suspicious sign-in events |
signInEvents[].timestamp | datetime | When the sign-in occurred |
signInEvents[].ipAddress | string | IP address of the sign-in |
signInEvents[].location | string | Geographic location (city, country) |
signInEvents[].device | string | Device or browser fingerprint |
signInEvents[].status | string | Success, Failed, MFA Challenged |
signInEvents[].riskLevel | string | Risk assessment of the sign-in |
Mailbox Activity Fields
| Field | Type | Description |
|---|
mailboxRules | object[] | Suspicious mailbox rules created |
mailboxRules[].type | string | Forward, Delete, Move |
mailboxRules[].target | string | External email or folder target |
mailboxRules[].createdAt | datetime | When the rule was created |
emailsSent | int | Number of emails sent during compromise |
emailsForwarded | int | Number of emails auto-forwarded |
MCP Tools
| Tool | Description | Key Parameters |
|---|
abnormal_ato_cases_list | List account takeover cases | pageSize, pageNumber, filter, fromDate, toDate |
abnormal_ato_cases_get | Get ATO case details | caseId |
abnormal_ato_activity | Get sign-in and mailbox activity for a user | email, fromDate, toDate |
abnormal_ato_remediate | Take remediation action on an ATO case | caseId, action |
Tool Usage Examples
List open ATO cases:
{
"tool": "abnormal_ato_cases_list",
"parameters": {
"filter": "status eq 'Open'",
"pageSize": 25
}
}
Get ATO case details:
{
"tool": "abnormal_ato_cases_get",
"parameters": {
"caseId": "ato-abc123"
}
}
Get sign-in activity for a user:
{
"tool": "abnormal_ato_activity",
"parameters": {
"email": "user@company.com",
"fromDate": "2026-03-20T00:00:00Z",
"toDate": "2026-03-27T00:00:00Z"
}
}
ATO Investigation Workflows
Standard ATO Investigation
- Review case details:
- What indicators triggered the detection?
- Which user is affected?
- When was the compromise detected?
- Analyze sign-in activity:
- Check for impossible travel (locations too far apart in timeframe)
- Identify the attacker's IP address and location
- Check if MFA was bypassed or not enrolled
- Review mailbox changes:
- Check for auto-forwarding rules to external addresses
- Check for delete rules targeting security notifications
- Check for inbox rules hiding incoming emails
- Assess damage:
- How many emails were sent from the compromised account?
- Were any internal users phished (lateral movement)?
- Was sensitive data forwarded or downloaded?
- Remediate:
- Force password reset
- Revoke active sessions and tokens
- Remove malicious mailbox rules
- Re-enable MFA if it was disabled
- Post-incident:
- Notify affected users who received emails from the compromised account
- Check if credentials were used elsewhere
- Update security policies if gaps found
Impossible Travel Investigation
- Map sign-in locations - Plot the geographic locations and timestamps
- Calculate travel feasibility - Could the user physically travel between locations?
- Check VPN usage - Verify if the organization uses VPNs that could explain the location change
- Identify legitimate sign-in - Contact the user to confirm which sign-in was theirs
- Block attacker access - Revoke the session from the illegitimate location
Mailbox Rule Investigation
- List all mailbox rules - Get current rules for the affected account
- Identify suspicious rules:
- Forwarding to external addresses
- Deleting emails from security team or IT
- Moving emails to hidden folders
- Remove malicious rules - Delete any rules created during the compromise window
- Check forwarded data - Determine what emails were forwarded to the attacker
Remediation Actions
| Action | Description | When to Use |
|---|
FORCE_PASSWORD_RESET | Reset the user's password | Confirmed account compromise |
REVOKE_SESSIONS | Terminate all active sessions | Active compromise with attacker logged in |
DISABLE_ACCOUNT | Temporarily disable the account | Severe compromise with ongoing activity |
REMOVE_RULES | Remove suspicious mailbox rules | Malicious forwarding/delete rules found |
Severity Assessment
| Factor | Medium | High | Critical |
|---|
| Indicator Type | New device, unusual location | Impossible travel, password change | Lateral phishing, data exfiltration |
| User Role | Standard user | Manager, finance | Executive, admin |
| Activity | Suspicious sign-in only | Mailbox rules created | Emails sent to internal users |
| MFA Status | MFA active, blocked | MFA bypassed | MFA disabled by attacker |
| Data Access | No sensitive access | Read sensitive emails | Forwarded sensitive data |
Error Handling
Common API Errors
| Code | Message | Resolution |
|---|
| 400 | Invalid email format | Check email address format |
| 401 | Unauthorized | Check API token |
| 403 | Insufficient permissions | Token needs ATO scope |
| 404 | Case not found | Verify case ID |
| 429 | Rate limited | Wait and retry |
Best Practices
- Respond to ATO cases immediately - Account takeovers are time-sensitive
- Always revoke sessions first - Stop active attacker access before investigating
- Check mailbox rules early - Forwarding rules can silently exfiltrate data
- Verify with the user - Confirm which sign-ins were legitimate
- Check for lateral movement - Compromised accounts often target internal users
- Enforce MFA - Accounts without MFA are prime takeover targets
- Monitor post-remediation - Attackers may attempt to re-compromise the account
- Correlate with vendor risk - Account takeover may originate from a compromised vendo
