Account Takeover Based Attacks More Than Double with 44% of Businesses Falling Victim

Agari Advanced Email Threat Modeling First to Detect Account Takeover Based Attacks

SAN MATEO, Calif. -- Agari, a leading cybersecurity company, today announced the publication of “Protecting Against Account Takeover Based Email Attacks,” which observed account takeover-based email attacks more than double month-over-month. Attacks launched from compromised accounts evade traditional detection because they come from a previously-established credible sender. Agari Enterprise Protect is now the first solution to detect ATO-based attacks by enhancing the advanced threat modeling of Agari Identity Intelligence™ (AI2).

“Based on a survey of 140 organizations with an average of over 16,821 email users, 44% of businesses were victims of an email attack using a compromised account in the past 12 months,” said Michael Osterman, President, Osterman Research. “Account takeover attacks should be considered a very serious risk because they target the highest levels of leadership, but are extremely difficult to detect.”

Recently, Osterman Research found that targeted email attacks launched via a compromised account were the most successful email attack vector in the past 12 months. ATO-based attacks evade traditional email security solutions, such as secure email gateways (SEGs), because they are sent from established email accounts – no domain name spoofing or display name deception is required. Previously, Agari research has demonstrated that SEGs are unable to detect business email compromise (BEC) because there is no malicious payload involved. Consequently, ATO-based BEC attacks present a very high risk to organizations because no security controls can detect them.

Key findings from “Protecting Against Account Takeover (ATO) Based Email Attacks” include:

  • Almost Half of Organizations Are Victims of ATO-based Attacks – Analysis of an Osterman Research Survey reveals 44 percent of organizations were victims of a successful ATO-based attack.
  • The Lifecycle of ATO-based Attacks – Agari delineates five steps to ATO-based attacks, including account access, control, reconnaissance, targeted attacks and data exfiltration or fraudulent financial payments.
  • One-in-ten ATO-based Attacks is Sent by a Trusted Party – Agari research has categorized ATO-based attacks from four types of senders: strangers, employee webmail accounts, trusted third parties and insider business accounts. While strangers' accounts send 90 percent of ATO-based attacks, trusted third parties send nine percent of ATO-based attacks.

“Agari’s research demonstrates what CISOs have suspected for years: traditional email security solutions, such as secure email gateways, based on inspection and reputation are unable to detect advanced email attacks, such as account takeover,” said Ravi Khatod, CEO, Agari. “As criminals have refined their techniques, impersonating and targeting the highest levels of corporate leadership, organizations risk giving away the keys to the kingdom; only Agari can stop the rising tide of compromised accounts before they reach the CEO.”

Agari Delivers Industry-first ATO-based Attack Detection, Prevention and Forensics

Agari Enterprise Protect leverages Agari Identity Intelligence™ (AI2), an advanced artificial intelligence and machine learning system that ingests data telemetry from more than two trillion emails per year to model email senders’ and recipients’ identity characteristics, behavioral norms, and personal, organizational, and industry-level relationships. Agari takes a unique approach of modeling the good -- which is what authentic, trustworthy communications look and act like -- using machine learning to identify attempts to trick people into trusting something they should not.

With this new release, Agari enhances Agari Identity Intelligence™ (AI2) machine learning algorithms to model the behavior of compromised accounts used to launch targeted email attacks. When a message is received, it is subjected to the following phases of analysis and scoring:

1. Identity Mapping – Determines the perceived identity of the sender, mapping the sender to a previously-established sender/organization or a broader classification.

2. Behavioral Analytics – Given the derived identity, the message is evaluated for anomalies relative to the expected sender behavior, such as whether the sender has ever interacted with the recipient, whether the content or structure of the message sent by the sender is expected, or whether the frequency and timing of the message are normal. Any anomalies are obviously perceived to be suspicious.

3. Trust Modeling – Determines if communication from the sender is expected by the recipient. The closer the relationship, the less tolerance for anomalous behavior because of the greater impact of the attack. Ultimately the system models interaction - how often the sender/recipient interact or if the responsiveness and timing of responsiveness between the two are normal.

4. Identity Intelligence Scoring – The Identity Intelligence Score of a message is a combination of the features and indicators of the three phases that determines whether the attack is indeed originating from an Account Takeover-based compromised account.

To support this modeling, Agari leverages a cloud-native architecture to drive over 300 million daily model updates, allowing the system to maintain a real-time understanding of this type of email behavioral pattern.

“Agari Identity Intelligence is the core of the next generation of Advanced Threat Protection for email. It takes a new approach to detecting the modern, sophisticated, identity-based attack,” said Khatod. “Leveraging global telemetry sources, unique algorithms, and a real-time scoring pipeline, the system continuously models email sending and receiving behaviors across the Internet and detects the new attacks of today and the even more sophisticated ones we expect to see in the future.”

For additional information about Agari Enterprise Protect visit:

To download “Protecting Against Account Takeover (ATO) Based Email Attacks” visit:

About Agari

Agari, a leading cybersecurity company, is trusted by leading Fortune 1000 companies to protect their enterprise, partners and customers from advanced email phishing attacks. The Agari Email Trust Platform is the industry’s only solution that ‘understands’ the true sender of emails, leveraging the company’s proprietary, global email telemetry network and patent-pending, predictive Agari Identity Intelligence™ (AI2) to identify and stop phishing attacks. The platform powers Agari Enterprise Protect, which helps organizations protect themselves from advanced spear phishing attacks, and Agari Customer Protect, which protects consumers from email attacks that spoof enterprise brands. Agari, a recipient of the JPMorgan Chase Hall of Innovation Award and recognized as a Gartner Cool Vendor in Security, is backed by Alloy Ventures, Battery Ventures, First Round Capital, Greylock Partners, Norwest Venture Partners and Scale Venture Partners. Learn more at and follow us on Twitter @AgariInc.


Clinton Karr

Release Summary

Agari research reveals account takeover (ATO) based attacks have doubled since the start of 2018; nearly half of all companies were victims in 2017.
