What is account takeover (ATO)?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Imagine someone at your company gets a phishing email, enters their password on a fake login page, and thinks nothing of it. A few hours later, an attacker is sitting inside their inbox. That's account takeover (ATO) in a nutshell: someone else has the keys to your account and is pretending to be you.
ATO usually starts with credential theft. The attacker gets hold of a username and password through phishing, a data breach, or credential stuffing (trying leaked passwords at scale until one works). Once they're in, the damage isn't just one account. It compounds fast.
Here's why email ATO is worse than most other account takeovers. Your inbox is the master key to everything else. An attacker who controls your email can:
- Request password resets for your bank, your company tools, your social accounts
- Send phishing emails from your real address, which your contacts will actually trust
- Read sensitive conversations and gather intelligence for a bigger attack
- Set up silent forwarding rules so they keep reading your mail even after you change your password
- Delete the evidence so you don't notice for days or weeks
That last one is sneaky. Forwarding rules that silently copy your email to an external address are one of the hardest signs to catch, because nothing looks broken from the outside. Your email still arrives. You still send. The attacker just gets a copy of everything.
From a deliverability perspective, ATO is a serious problem too. Phishing sent from a real, aged inbox looks completely legitimate to spam filters. The domain has a good reputation. The DKIM signature is valid. The IP belongs to Google Workspace or Microsoft 365. Nothing raises a flag until complaints start rolling in and your domain's reputation tanks.
Signs an account may have been compromised: unexpected password reset emails you didn't request, sent messages you don't recognize, logins from locations or devices that aren't yours, and forwarding rules you didn't create. If you see any of these, treat it as a live incident.
The best defenses are multi-factor authentication (MFA), strong unique passwords, and regular audits of your inbox rules and connected apps. MFA alone stops most ATO attempts cold, even when the password is already stolen.
But if you think your sending infrastructure has been affected, our SOS hotline is free and we'll help you figure out the blast radius.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.