Corporate Account Takeover Attacks: Detecting and Preventing Them
Corporate account takeover attacks let criminals impersonate employees, drain accounts, and pivot inward. Here is how to detect and stop them.

Corporate account takeover (ATO) attacks let an outsider authenticate as a real employee, then move money, exfiltrate data, or pivot into deeper systems. The credential is legitimate. The session looks legitimate. That is what makes ATO so dangerous and so easy to miss.
I have spent more than a decade building customer identity infrastructure, and ATO is the single most expensive failure mode I see. A breach of one finance manager's email can cost more than every other security incident a company will suffer that year combined.
How corporate ATO usually starts
Most takeovers do not begin with a clever zero-day. They begin with a stolen password, a phishing kit, or a malware-infected laptop. The attacker tests the credential against email, then against the VPN, then against finance tooling. Once they find a working pair, they sit and watch.
The four most common vectors:
- Credential stuffing. Reused passwords from past breaches replayed against corporate logins.
- Phishing. Lookalike login pages that capture passwords and one-time codes in real time.
- Malware. Info-stealers that scrape browser-saved credentials and active session cookies.
- SIM swap. Carrier social engineering to receive SMS-based authentication codes.
Signals that an account has been taken over
You will rarely catch ATO at the login event itself. You catch it in the behaviour that follows. The signals that matter most:
- Login from a country, ASN, or device fingerprint the user has never used.
- Impossible travel between two sessions minutes apart.
- A new mail-forwarding rule or filter created right after sign-in.
- MFA method changed, recovery email changed, or a new authenticator enrolled.
- Sudden bulk download of customer records, source code, or financial files.
- Wire-transfer or vendor-bank-detail changes initiated from an unusual session.
Controls that actually reduce ATO
Layered defence beats any single control. The combination that works:
- Phishing-resistant MFA. Move high-value roles off SMS and onto passkeys or hardware keys. SMS still blocks bulk credential stuffing, but it falls to a determined phisher.
- Risk-based authentication. Score each sign-in on device, location, and behaviour. Step up to MFA only when risk is elevated, so users do not learn to ignore prompts.
- Breached-password detection. Reject any password that appears in a public breach corpus at the moment of login or rotation.
- Session binding. Tie session tokens to the device that minted them so a stolen cookie cannot be replayed from elsewhere.
- Out-of-band confirmation for high-risk actions. Wire transfers, bank-detail changes, and admin role changes deserve a second channel.
- Anomaly alerts for security-critical changes. MFA changes, recovery-email changes, and new OAuth grants should alert security and the user in real time.
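Three of the controls above (breached-password detection, risk-based authentication and session binding) fit in one runnable sketch. This is an added example, not the author's or any vendor's implementation: the breach corpus, the risk weights and thresholds, the token format and the server key are all constructed for illustration. The breach check selects by hash prefix and matches the suffix locally, the scorer steps up to MFA only above a threshold so low-risk sign-ins stay silent, and the session token carries a hash of the device fingerprint under an HMAC so a stolen cookie fails validation from another device.

```python
import base64
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta, timezone

# ---- Breached-password detection ----------------------------------------
# Constructed corpus: SHA-1 digests of passwords from a public breach dump.
# A real corpus holds hashes only; plaintexts appear here just to build it.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper()
                 for p in ("Password1", "Summer2023!", "letmein")}


def is_breached(password: str) -> bool:
    """Prefix-bucket lookup: pick corpus entries by the first 5 hex chars, then
    match the suffix locally, so a remote corpus would only ever see the prefix."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    bucket = {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}
    return suffix in bucket


# ---- Risk-based authentication ------------------------------------------
# Weights and thresholds are constructed for illustration, not from any product.
WEIGHTS = {"new_device": 40, "new_country": 30, "new_asn": 15, "off_hours": 10}
STEP_UP_THRESHOLD = 40
DENY_THRESHOLD = 80


def score_signin(ctx: dict, baseline: dict):
    """Score one sign-in against the user's baseline; return (score, reasons)."""
    score, reasons = 0, []
    if ctx["device"] not in baseline["devices"]:
        score += WEIGHTS["new_device"]; reasons.append("new_device")
    if ctx["country"] not in baseline["countries"]:
        score += WEIGHTS["new_country"]; reasons.append("new_country")
    if ctx["asn"] not in baseline["asns"]:
        score += WEIGHTS["new_asn"]; reasons.append("new_asn")
    if not 7 <= ctx["hour"] <= 19:              # assumed working hours, local time
        score += WEIGHTS["off_hours"]; reasons.append("off_hours")
    return score, reasons


def decide(score: int) -> str:
    """Allow silently at low risk, step up to MFA at medium risk, deny at high."""
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD:
        return "step_up_mfa"
    return "allow"


# ---- Session binding ----------------------------------------------------
SERVER_KEY = secrets.token_bytes(32)   # constructed; use a managed key in practice


def mint_session(user: str, device_fp: str, ttl: timedelta = timedelta(hours=8)) -> str:
    """Issue a token whose payload carries a hash of the device fingerprint and is
    protected by an HMAC, so both forgery and replay from another device fail."""
    payload = {"sub": user,
               "dfp": hashlib.sha256(device_fp.encode()).hexdigest(),
               "exp": (datetime.now(timezone.utc) + ttl).isoformat()}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def validate_session(token: str, device_fp: str) -> bool:
    """Accept only an untampered, unexpired token presented from the device it was minted for."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False
    payload = json.loads(base64.urlsafe_b64decode(body))
    if datetime.fromisoformat(payload["exp"]) <= datetime.now(timezone.utc):
        return False
    return hmac.compare_digest(payload["dfp"], hashlib.sha256(device_fp.encode()).hexdigest())


if __name__ == "__main__":
    baseline = {"devices": {"dev-a1"}, "countries": {"US"}, "asns": {7922}}
    risky = {"device": "dev-z9", "country": "NG", "asn": 36924, "hour": 3}
    score, why = score_signin(risky, baseline)
    print(decide(score), score, why)
    tok = mint_session("fin-mgr", "dev-a1")
    print(validate_session(tok, "dev-a1"), validate_session(tok, "dev-z9"))
```

The device fingerprint used for binding should be something the client cannot trivially copy along with the cookie (a TLS-bound or hardware-backed key is the strong form; a browser fingerprint is a weaker stand-in). The HMAC is verified before the payload is decoded so that a tampered body is rejected without ever being parsed.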
What to do in the first hour after a suspected takeover
Speed matters more than elegance. The drill:
- Force-revoke every active session for the user across every app.
- Reset the password and require re-enrolment of MFA from a verified channel.
- Audit mail rules, recovery contacts, OAuth grants, and API tokens. Remove anything created during the window.
- Review every transaction or data export from the compromised session.
- Notify finance and any vendor whose payment details were touched.
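The audit and review steps of the drill amount to partitioning the user's activity by compromise window and session. The following is an added example and not the post's own tooling; the session ids, window, event types and sample log are constructed. It lists every session to revoke, every artefact created during the window or by the compromised session to remove, every money or data movement from that session to review, and the vendors to notify.

```python
from datetime import datetime

# Constructed incident data: the session flagged as compromised and the window
# between the suspicious sign-in and containment.
USER = "fin-mgr"
COMPROMISED_SESSION = "sess-7f3a"
WINDOW = ("2024-03-01T09:20:00", "2024-03-01T10:05:00")

# Constructed mixed audit/transaction log for the user.
EVENTS = [
    {"ts": "2024-03-01T08:55:00", "user": USER, "session": "sess-1a2b",
     "type": "oauth_grant", "id": "grant-calendar"},
    {"ts": "2024-03-01T09:23:00", "user": USER, "session": "sess-7f3a",
     "type": "mail_rule", "id": "rule-fwd-01"},
    {"ts": "2024-03-01T09:31:00", "user": USER, "session": "sess-7f3a",
     "type": "recovery_email", "id": "rec-external"},
    {"ts": "2024-03-01T09:40:00", "user": USER, "session": "sess-7f3a",
     "type": "api_token", "id": "tok-9c1d"},
    {"ts": "2024-03-01T09:52:00", "user": USER, "session": "sess-7f3a",
     "type": "wire_transfer", "id": "wire-4471", "vendor": "Acme Supplies (constructed)"},
    {"ts": "2024-03-01T09:58:00", "user": USER, "session": "sess-7f3a",
     "type": "data_export", "id": "export-crm-full"},
    {"ts": "2024-03-01T10:30:00", "user": USER, "session": "sess-0c0c",
     "type": "mail_rule", "id": "rule-ooo"},
]

REVOCABLE = {"mail_rule", "recovery_email", "oauth_grant", "api_token", "mfa_method"}
REVIEWABLE = {"wire_transfer", "vendor_bank_change", "data_export"}


def triage(events, user, session_id, window):
    """Build the first-hour plan: sessions to kill, artefacts to remove,
    transactions to review, vendors to notify."""
    start, end = (datetime.fromisoformat(t) for t in window)
    plan = {"revoke_sessions": set(), "remove": [], "review": [], "notify_vendors": set()}
    for ev in events:
        if ev["user"] != user:
            continue
        plan["revoke_sessions"].add(ev["session"])      # every session, not just the bad one
        ts = datetime.fromisoformat(ev["ts"])
        in_window = start <= ts <= end
        # Artefacts created inside the window are removed even if they came from a
        # different session: the attacker may have opened a second one.
        if ev["type"] in REVOCABLE and (in_window or ev["session"] == session_id):
            plan["remove"].append(ev["id"])
        elif ev["type"] in REVIEWABLE and ev["session"] == session_id:
            plan["review"].append(ev["id"])
            if "vendor" in ev:
                plan["notify_vendors"].add(ev["vendor"])
    plan["revoke_sessions"] = sorted(plan["revoke_sessions"])
    return plan


if __name__ == "__main__":
    for key, value in triage(EVENTS, USER, COMPROMISED_SESSION, WINDOW).items():
        print(f"{key}: {value}")
```

The calendar grant from before the window and the out-of-office rule created after containment are left alone, which is the point of anchoring removal on the window rather than on "anything recent".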
The cultural piece
Tooling stops most attacks. People stop the rest. Train staff to slow down on payment changes, normalise reporting suspicious prompts, and make it socially safe to escalate a "this feels off" instinct. ATO thrives on urgency. Remove urgency and you remove most of the attacker's edge.
Treat corporate ATO as a continuous-monitoring problem, not a one-time hardening exercise. Identity is the perimeter now, and the only sustainable defence is a system that watches every session, not just every login.