
Account takeover (ATO) cyberattacks are a particularly pernicious and challenging threat to combat. They have only grown more complex as credential management becomes increasingly intricate across organizations. According to Barracuda's recent 2025 Email Threats Report, 20% of companies experience at least one ATO incident each month.

Once criminals can control an email, social media, cloud, or retail account, they can quickly move through organizations, steal data or launch phishing attacks using legitimate email addresses. These attacks can not only lead to lost data or money, but also deeply damage the reputation of account holders.

Criminals can gain unauthorized access to an account in several ways. Hackers might use credential stuffing, card cracking or bot-fueled brute-force attacks, buy credentials on the dark web, or obtain passwords through data breaches. Phishing campaigns can also harvest passwords and credentials via social engineering, fake websites and malicious links.

Attackers also exploit a common problem: weak passwords. Users often reuse passwords, use older or simpler passwords or employ easy-to-guess combinations.

These attacks are also difficult to detect for several reasons. First, bank accounts are a big target of these attacks, and banks may not closely monitor account activity or send alerts. New technology is also helping attackers: they configure botnets and proxies to mimic real user behavior, and many bots successfully bypass CAPTCHA challenges. Over the past decade, a significant increase in e-commerce activity has also made it easier for attackers to mask their activity during periods of high usage.

Protecting your clients from ATOs

Managed service providers (MSPs) can help customers protect their accounts, networks and reputations from these attacks. Still, it requires a holistic approach that combines training, best practices and advanced monitoring technology. Those include:

  • Employee training and education: MSPs can help clients conduct regular cybersecurity awareness training on best practices, how to recognize unusual activity within their email accounts, such as unexpected multifactor authentication (MFA) requests, and emerging threats. Regular threat updates keep employees informed about emerging cyber risks. Phishing simulations evaluate training effectiveness and highlight individuals who may need extra support.
  • Smart password requirements: MSPs should help clients establish rules for creating strong passwords and implement MFA and Zero Trust access for added protection.
  • Attack detection strategies: Businesses can limit the number of login attempts by locking accounts and using technology to track login attempts and locations. Web application firewalls help detect brute force and other types of cyberattacks. Systems can also be configured to block specific IP addresses linked to malicious activity.
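The login-attempt tracking described in the last bullet can be sketched as follows. This is an added example, not code from the original article or from any Barracuda product; the thresholds, field layout, user names and IP addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for illustration; tune them to the client's real traffic.
MAX_FAILS_PER_ACCOUNT = 5   # failures on one account before it is locked
MAX_ACCOUNTS_PER_IP = 4     # distinct accounts one IP may fail against
WINDOW = timedelta(minutes=10)

def analyze(events):
    """events: time-ordered (iso_timestamp, user, ip, success) tuples.
    Returns (accounts_to_lock, ips_to_block, accounts_to_review)."""
    by_user = defaultdict(deque)  # user -> times of recent failures
    by_ip = defaultdict(deque)    # ip -> (time, user) of recent failures
    lock, block, review = set(), set(), set()
    for ts, user, ip, ok in events:
        now = datetime.fromisoformat(ts)
        if ok:
            if ip in block:       # success from a flagged source: likely ATO
                review.add(user)
            by_user[user].clear() # a good login resets the account counter
            continue
        uq, iq = by_user[user], by_ip[ip]
        uq.append(now)
        iq.append((now, user))
        while now - uq[0] > WINDOW:   # drop failures older than the window
            uq.popleft()
        while now - iq[0][0] > WINDOW:
            iq.popleft()
        if len(uq) >= MAX_FAILS_PER_ACCOUNT:
            lock.add(user)
        if len({u for _, u in iq}) >= MAX_ACCOUNTS_PER_IP:
            block.add(ip)
    return lock, block, review

# Constructed sample log (documentation IP ranges, invented users).
T = "2025-06-01T09:0"
SAMPLE = (
    [(f"{T}0:{i*20:02d}", u, "198.51.100.7", False)
     for i, u in enumerate(["alice", "bob", "carol"])]
    + [(f"{T}1:00", "dave", "198.51.100.7", False),
       (f"{T}1:20", "erin", "198.51.100.7", True)]
    + [(f"{T}2:{i*10:02d}", "frank", "203.0.113.9", False) for i in range(5)]
    + [(f"{T}5:00", "grace", "192.0.2.10", False),
       (f"{T}5:30", "grace", "192.0.2.10", True)]
)
```

Counting failures per account catches brute force against one user, while counting distinct accounts per source IP catches credential stuffing that stays under any single account's lockout limit.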

ATO protection solutions that use behavior and contextual signals to detect attacks are also available and can monitor several common ATO symptoms, including:

  • Sign-in anomalies: Sudden logins from geographically distant locations often indicate a compromise or attack, and these logins can be flagged and investigated. These “impossible travel” events can take VPN and proxy usage into account to reduce false positives and focus efforts on potential attacks. Administrators can receive real-time alerts to accelerate response times.
  • Inbox rule monitoring: Attackers often create mailbox rules to auto-forward or delete messages. The ATO solution can detect and monitor suspicious changes to mailbox rules.
  • Inbound and outbound email monitoring: An ATO solution can detect spikes in outbound emails that could indicate an account is being used for phishing attacks. With real-time alerts, staff can quickly investigate a potential breach based on how the attacker uses the account after logging in.
  • In the case of the Barracuda ATO protection, the solution can be integrated with XDR to detect threats across all Microsoft 365 modules, thereby preventing attackers from accessing an account. The solution integrates seamlessly with platforms like Google Workspace, AWS, Azure, and others. The system automatically signs out or deactivates compromised accounts as soon as it detects an attack.
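The "impossible travel" check from the sign-in anomalies bullet, including the VPN and proxy allowance, can be sketched as follows. This is an added example, not code from the original article or from any Barracuda product; the speed and distance thresholds, the trusted-egress list and the sample sign-ins are assumptions constructed for illustration.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900      # assumed ceiling: roughly airliner cruise speed
MIN_DISTANCE_KM = 100    # assumed floor: ignore geo-IP jitter within a region

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth, in km."""
    p1, p2 = radians(lat1), radians(lat2)
    dp, dl = p2 - p1, radians(lon2 - lon1)
    a = sin(dp / 2) ** 2 + cos(p1) * cos(p2) * sin(dl / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events, trusted_egress=frozenset()):
    """events: time-ordered (iso_ts, user, ip, lat, lon) successful sign-ins.
    Returns [(user, previous_ip, current_ip)] for pairs needing review."""
    last = {}      # user -> (time, ip, lat, lon) of last geolocatable sign-in
    alerts = []
    for ts, user, ip, lat, lon in events:
        if ip in trusted_egress:
            continue  # VPN/proxy exit: its location says nothing about the user
        now = datetime.fromisoformat(ts)
        if user in last:
            then, prev_ip, plat, plon = last[user]
            km = haversine_km(plat, plon, lat, lon)
            # Clamp to one second so simultaneous sign-ins do not divide by zero
            hours = max((now - then).total_seconds(), 1) / 3600
            if km >= MIN_DISTANCE_KM and km / hours > MAX_SPEED_KMH:
                alerts.append((user, prev_ip, ip))
        last[user] = (now, ip, lat, lon)
    return alerts

# Constructed sample sign-ins (documentation IP ranges, invented users).
TRUSTED_EGRESS = {"192.0.2.50"}   # assumed corporate VPN exit node
SIGNINS = [
    ("2025-06-01T08:00:00", "alice", "198.51.100.20", 40.71, -74.01),  # New York
    ("2025-06-01T08:00:00", "bob", "198.51.100.30", 51.51, -0.13),     # London
    ("2025-06-01T08:00:00", "carol", "198.51.100.40", 51.51, -0.13),   # London
    ("2025-06-01T08:05:00", "bob", "192.0.2.50", 50.11, 8.68),         # Frankfurt VPN
    ("2025-06-01T09:00:00", "alice", "203.0.113.77", 50.45, 30.52),    # Kyiv
    ("2025-06-01T11:00:00", "carol", "198.51.100.41", 48.86, 2.35),    # Paris
]
```

With the trusted-egress list supplied, only alice's New York to Kyiv pair is flagged; without it, bob's VPN hop is flagged as well, which is the false positive the allowance removes.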

Adopt a platform approach: When strengthening your defenses against ATO attacks, using a platform strategy simplifies operations and improves response times. Here are three key best practices for MSPs to consider:

  • Choose solutions that offer immediate visibility into all customers and tenants. Unified visibility helps you quickly spot anomalies across your client base, making it easier to detect and respond to suspicious activity before it escalates.
  • Consolidate alerts from all accounts into a single actionable view. This is particularly useful for MSPs managing multiple tenants, as it centralizes incident response, minimizes alert fatigue, and promotes efficient threat investigation and management.
  • Automatically notify users of any account changes. Sending timely alerts—such as warnings about password updates or suspicious login attempts—empowers users to respond quickly to potential threats and minimize the damage from compromised credentials.

Empower your clients, protect their future

ATO attacks pose a relentless and evolving threat to businesses of all sizes. As an MSP, you’re on the front lines, uniquely positioned to shield your clients from financial losses, reputational damage and operational disruption. Implementing a holistic defense strategy that includes employee training, smart password policies, and advanced monitoring solutions is key to strong protection. This approach can significantly reduce both the risk and impact of ATO breaches.

Don’t wait for your clients to become another statistic. Take proactive steps to equip them with the knowledge and technology needed to stay secure. Your expertise in stopping ATOs will protect their accounts from malicious access and data theft. It will also build trust in your services and position you as an essential cybersecurity partner.

This article was originally published at Managed Services Journal.

Photo: wutzkohphoto / Shutterstock



Posted by Olesia Klevchuk

Olesia Klevchuk is a Senior Product Marketing Manager for email security at Barracuda Networks. In her role, she focuses on defining how organizations can protect themselves against advanced email threats, spear phishing and account takeover. Prior to Barracuda, Olesia worked in email security, brand protection, and IT research.
