Your SOC receives an alert: successful login to the CFO's Microsoft 365 account from the corporate IP range, during business hours, passing MFA. Everything looks normal. Except it's not the CFO. It's an attacker who obtained session tokens through an adversary-in-the-middle phishing kit. For the next three hours, they'll read emails, download attachments, and set up forwarding rules. Your logs will show nothing but authorized activity.
This is the reality of account takeover (ATO) attacks in 2026. What is account takeover? Explained simply, ATO is unauthorized access to legitimate user accounts that bypasses traditional security controls and operates within the boundaries of normal, authorized activity. The attacker logged in. Everything after that was legitimate activity, at least as far as your security tools can tell.
The numbers tell a stark story. 83% of organizations experienced at least one ATO incident in 2024, with some reporting incidents occurring weekly or more frequently. Account takeover fraud reached $15.6 billion in losses across the United States in 2024, affecting 29% of U.S. adults, approximately 77 million people. Perhaps most concerning: 26% of companies face ATO attempts every single week, demonstrating the persistent, industrial-scale nature of these attacks.
Key Takeaways
- Account takeover is unauthorized access to legitimate accounts that operates within normal authentication flows, making detection significantly harder than traditional intrusion attempts
- Eight primary attack methods enable ATO in SaaS environments: credential stuffing, phishing (traditional and OAuth), password spraying, SIM swapping, session hijacking, malware, social engineering, and third-party compromise
- Behavioral detection is essential because ATO uses valid credentials and authorized access: traditional security controls see legitimate activity while attackers exfiltrate data and move laterally
- SaaS environments amplify ATO impact through OAuth tokens, service accounts, and interconnected applications that enable one compromised account to access dozens of systems
- 65% of breached accounts already had MFA enabled, proving that basic defenses are insufficient against modern ATO techniques like adversary-in-the-middle phishing and token theft
What Is Account Takeover?
Account takeover (ATO) is when a threat actor gains unauthorized control of a legitimate user's account and uses that access for fraud, data theft, or further intrusion. Unlike traditional network breaches where attackers force their way in, ATO attackers walk through the front door using valid credentials, session tokens, or authorized OAuth applications.
The critical distinction: this isn't just "password stolen." Account takeover represents persistent access established and actively used to achieve attacker objectives. In SaaS environments, the compromised account becomes a launchpad for broader attacks across interconnected applications.
According to frontegg.com, attacks against basic web applications involved stolen credentials in approximately 88% of cases, highlighting how often login credentials serve as the primary entry point. The Verizon 2025 DBIR found that compromised credentials were an initial access vector in 22% of breaches reviewed.
Why SaaS ATO Is Different
Traditional account takeover targeted individual systems: one compromised banking account, one email inbox, one social media profile. SaaS account takeover operates at an entirely different scale:
- Single account accesses multiple applications through federated identity and OAuth connections
- OAuth tokens enable access without re-authentication, allowing attackers to bypass MFA after initial compromise
- Data spans corporate email, CRM, documents, and financial systems; one account can touch millions of customer records
- No network segmentation limits blast radius; SaaS-to-SaaS connections ride trusted OAuth bridges across organizational boundaries
The Snowflake campaign of 2024 demonstrated this perfectly. Mandiant reported attackers used credentials stolen by infostealer malware to access Snowflake customer instances. Reported downstream victims included Ticketmaster and Santander, illustrating how compromised accounts in one environment cascade into customer data breaches affecting millions.
How ATO Works in SaaS Environments
Understanding what account takeover attacks look like in practice requires examining the complete attack chain, from initial credential acquisition through objective achievement and track covering.
The Attack Chain
1. Credential Acquisition
The attacker obtains working credentials through phishing, credential stuffing, malware, or third-party breach. Microsoft observed roughly 7,000 password attacks per second in 2024, more than double 2023 levels.
2. Account Access
Successful authentication occurs, often with legitimate MFA. The system believes this is the authorized user because all authentication requirements are satisfied. 65% of breached accounts already had MFA enabled, indicating attackers successfully bypass these controls.
3. Persistence Setup
The attacker establishes backdoors: OAuth apps authorized for ongoing access, email forwarding rules created to monitor communications, additional service accounts created with admin privileges. These persistence mechanisms operate independently of the original compromised credentials.
4. Lateral Movement
Access extends to connected applications through OAuth tokens and inherited permissions. One compromised Salesforce admin account can access integrated marketing automation, customer support platforms, and data warehouses, all without additional authentication.
5. Objective Achievement
Data exfiltration, financial fraud, or further compromise occurs. The attacker downloads sensitive documents, modifies payment details, or uses the compromised account to launch business email compromise attacks against partners.
6. Track Covering
Deletion of logs, modification of audit trails, removal of email rules after data has been forwarded. The attacker attempts to hide evidence of compromise, often successfully because SaaS audit logs have limited retention.
The Scale of Automated Attacks
Account takeover has become industrialized. 193+ billion credential-stuffing attempts were recorded in a single year, demonstrating the automated scale of credential abuse. Around 76% of leaked password logins succeed, with 48% of these driven by bots.
Sift.com reported that in the first quarter of 2023, ATO increased 427% compared to all of 2022. This exponential growth reflects both the availability of stolen credentials and the effectiveness of automated attack tools.
Eight Methods Attackers Use to Take Over Accounts
What is account takeover in practice? ATO attacks are carried out through eight primary techniques that security teams must defend against:
1. Credential Stuffing
Credential stuffing involves automated testing of leaked username and password pairs against login forms. Billions of credentials are available from prior breaches, and attackers exploit widespread password reuse to gain access.
OWASP describes credential stuffing as automated injection of stolen username and password pairs into login forms to fraudulently gain access. The technique succeeds because 62% of Americans reuse passwords, and 52% of login attempts involve leaked credentials.
Real impact: The Snowflake campaign used stolen credentials against 165+ organizations, demonstrating how credential stuffing at scale can compromise entire customer bases.
2. Phishing (Traditional and OAuth)
Phishing has evolved beyond simple credential harvesting:
- Traditional phishing uses fake login pages to harvest credentials
- OAuth consent phishing tricks users into authorizing malicious applications that gain persistent access
- Adversary-in-the-middle (AiTM) phishing steals session tokens in real time, bypassing MFA entirely
Microsoft reported a 146% year-over-year increase in adversary-in-the-middle phishing in 2024. These attacks position themselves between the user and legitimate service, capturing authentication tokens as they're issued.
80% of phishing campaigns now specifically target cloud or SaaS access, resulting in approximately 3.4 billion phishing emails sent daily and 1.4 million phishing sites created monthly.
The Storm-1286 campaign demonstrated OAuth phishing for cryptocurrency mining, where attackers used consent phishing to authorize malicious apps that deployed mining software across victim environments. Learn more about OAuth token abuse and how these attacks establish persistent access.
3. Password Spraying
Password spraying tests common passwords (like "Password123!") against many accounts. Unlike brute force attacks that try many passwords against one account, password spraying tries one password per account, avoiding lockout mechanisms.
This technique is effective against organizations with weak password policies or where users select predictable passwords to meet complexity requirements.
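As an added illustration (not part of the original article) of why a per-account lockout threshold misses spraying while an across-account view catches it, this Python sketch runs both checks over a constructed set of failed-login records; the IP addresses, usernames and thresholds are all made up:

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample failed-login records, not real logs: (ISO time, username, source IP).
# 203.0.113.9 tries one password against twelve accounts, once each; 198.51.100.4 is
# a real user mistyping her own password twice.
FAILED_LOGINS = [
    ("2026-01-07T02:00:00", "alice", "203.0.113.9"),
    ("2026-01-07T02:00:05", "bob", "203.0.113.9"),
    ("2026-01-07T02:00:10", "carol", "203.0.113.9"),
    ("2026-01-07T02:00:15", "dave", "203.0.113.9"),
    ("2026-01-07T02:00:20", "erin", "203.0.113.9"),
    ("2026-01-07T02:00:25", "frank", "203.0.113.9"),
    ("2026-01-07T02:00:30", "grace", "203.0.113.9"),
    ("2026-01-07T02:00:35", "heidi", "203.0.113.9"),
    ("2026-01-07T02:00:40", "ivan", "203.0.113.9"),
    ("2026-01-07T02:00:45", "judy", "203.0.113.9"),
    ("2026-01-07T02:00:50", "mallory", "203.0.113.9"),
    ("2026-01-07T02:00:55", "oscar", "203.0.113.9"),
    ("2026-01-07T08:15:00", "alice", "198.51.100.4"),
    ("2026-01-07T08:15:20", "alice", "198.51.100.4"),
]

def lockout_candidates(events, threshold=5, window_minutes=15):
    """Classic per-account lockout: accounts with >= threshold failures in one window."""
    by_user = defaultdict(list)
    for t, user, _ in events:
        by_user[user].append(datetime.fromisoformat(t))
    locked = set()
    for user, times in by_user.items():
        times.sort()
        for i, t0 in enumerate(times):
            if sum(1 for t in times[i:] if t - t0 <= timedelta(minutes=window_minutes)) >= threshold:
                locked.add(user)
                break
    return locked

def spray_sources(events, min_accounts=10, max_per_account=2, window_minutes=60):
    """Across-account view: a source that fails against many distinct accounts with
    only a few tries each inside one window, which is what one-password-per-user looks like."""
    by_src = defaultdict(list)
    for t, user, src in events:
        by_src[src].append((datetime.fromisoformat(t), user))
    sprayers = {}
    for src, rows in by_src.items():
        rows.sort()
        for i, (t0, _) in enumerate(rows):
            per_user = Counter(u for t, u in rows[i:] if t - t0 <= timedelta(minutes=window_minutes))
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                sprayers[src] = len(per_user)  # number of accounts touched
                break
    return sprayers
```

With the default thresholds no account ever reaches the lockout limit, while the across-account check reports the spraying source and how many accounts it touched.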
4. SIM Swapping
SIM swapping attacks port a victim's phone number to an attacker-controlled SIM card, intercepting SMS-based MFA codes. SIM swap fraud jumped 1,055% in 2024, with almost 50% of all takeover cases involving mobile phone accounts.
This attack succeeds against SMS-based MFA but fails against phishing-resistant authentication methods like hardware tokens or passkeys.
5. Session Hijacking
Session hijacking steals authentication cookies or tokens from browsers, allowing attackers to use legitimate sessions without re-authenticating. Obsidian's research on pass-the-cookie attacks demonstrates how stolen session tokens bypass MFA entirely.
Techniques include malware infections, malicious browser extensions, or adversary-in-the-middle attacks that intercept tokens during transmission. Once stolen, these bearer tokens function like keys: whoever possesses them gains access.
6. Malware (Info Stealers)
Infostealer malware like Raccoon, Redline, and Vidar extracts stored credentials, browser passwords, cookies, and session tokens. Corporate credentials are then sold on dark web marketplaces.
Nearly 2.5 million stolen accounts were listed for sale in early 2026, eliminating the need for attackers to conduct new hacking campaigns. They simply purchase access to already-compromised accounts.
The Snowflake breach began with infostealer malware that captured credentials from employee devices, which attackers then used to access customer Snowflake instances.
7. Social Engineering
Social engineering manipulates help desk staff or security teams into granting access:
- "I lost my phone and need my MFA reset"
- Executive impersonation requesting urgent access
- Fake IT support calls gathering credentials
Obsidian's analysis of help desk social engineering shows how attackers exploit weak verification procedures to reset MFA, change email addresses, or gain administrative access.
8. Third-Party Compromise
Your vendor gets breached. Attackers find OAuth tokens or service account credentials connecting to your environment. Account takeover occurs without ever targeting your users directly.
15% of all SaaS breaches originate from third-party or supply chain compromise, according to IBM's Cost of a Data Breach Report. The Salesloft-Drift incident showed how a single OAuth integration could extend into tools like Gainsight and multiple Salesforce instances, multiplying the number of affected accounts to more than 700 companies.
This is the hidden attack surface of SaaS supply chain security: the OAuth tokens and integrations that quietly extend trust across organizational boundaries.
Account Types Targeted in SaaS ATO
Not all accounts carry equal risk. Attackers prioritize targets based on access, authority, and detection likelihood.
Executive Accounts
Why targeted: Access to sensitive communications, authority to approve transactions, trusted sender status for business email compromise.
Executive account takeover enables attackers to read confidential strategy documents, access M&A communications, and launch highly convincing phishing attacks against partners using the executive's actual email account.
IT/Admin Accounts
Why targeted: Ability to create new accounts, modify permissions, access identity provider configurations.
Compromising an IT admin account in Okta or Azure AD grants access to virtually every connected application. Attackers can create persistent backdoor accounts, modify MFA policies, or extract credentials for service accounts.
Finance Accounts
Why targeted: Payment approval authority, vendor payment modification, invoice fraud opportunities.
Finance account takeover enables direct financial theft through modified payment details, fraudulent wire transfers, or invoice manipulation. The average loss per successful account takeover reaches $180 per person, with individual losses as high as $85,000.
Service Accounts
Why targeted: Never monitored for "unusual behavior," often over-privileged, persistent access without login alerts.
Service accounts and non-human identities operate continuously without human oversight. They're rarely reviewed for excessive permissions and almost never trigger behavioral alerts because they have no "normal" working hours or access patterns to baseline against.
Detection: Why ATO Is Hard to Catch
Traditional security controls fail against account takeover because the fundamental assumption, that authenticated access equals authorized access, breaks down.
The Legitimate Access Problem
The attacker uses real credentials. Activity looks like the authorized user. There are no failed logins to alert on, no brute force attempts to block, no malware signatures to detect.
99% of monitored organizations saw attackers attempt to access their accounts in 2024, with 62% experiencing at least one successful takeover. Yet most organizations only discover compromise when users report suspicious activity or when attackers make obvious mistakes.
The Behavioral Baseline Problem
What constitutes "normal" for this user? Their patterns change after business travel, after joining new projects, after role changes. Distinguishing legitimate business change from account compromise requires sophisticated behavioral modeling.
Static rules fail: "Alert on login from new country" triggers constantly for traveling executives. "Alert on unusual application access" floods SOC teams with false positives as business needs evolve.
The SaaS Visibility Problem
Activity occurs across multiple applications with different log formats, different retention policies, and different monitoring capabilities. Most organizations lack unified visibility into account behavior across their SaaS estate.
An attacker accessing Salesforce, then Slack, then Box, then AWS Console appears as four separate events in four separate systems. Without correlation, the pattern of lateral movement remains invisible.
Behavioral Detection for Account Takeover
Because account takeover exploits legitimate credentials used maliciously, the solution requires shifting from credential-based security to behavior-based security.
What Behavioral Baselines Reveal
Effective behavioral detection establishes normal patterns for every user:
- Typical working hours and patterns: When does this user normally access systems?
- Applications they normally access: Which SaaS apps are part of their regular workflow?
- Data volumes they typically touch: How many records do they usually download?
- Geographic and network patterns: Where do they normally work from?
These baselines enable detection of deviations that indicate compromise rather than legitimate business activity.
Anomalies That Indicate Takeover
High-confidence ATO signals include:
- Login from new geography, especially impossible travel (New York to Moscow in two hours)
- Access to applications the user has never used before
- Data access volume spiking dramatically (downloading 10,000 customer records when typical is 50)
- OAuth apps authorized outside normal patterns
- Email forwarding rules created that send mail to external addresses
Single signals might represent legitimate business changes. Combined signals indicate account takeover with high confidence.
The Time Advantage
Traditional detection relies on users reporting compromise: "I didn't send that email." This creates a window of hours to weeks where attackers operate undetected.
Behavioral detection alerts on the first anomalous action, compressing attacker dwell time from weeks to hours. The difference between detecting ATO after three weeks versus three hours is the difference between complete data exfiltration and early containment.
Correlation Across Applications
The real power of behavioral detection emerges through correlation. Anomalous login + new OAuth app authorization + external email forwarding rule = high-confidence account takeover signal.
Obsidian's Knowledge Graph enables this correlation by mapping relationships between users, applications, OAuth tokens, and data access patterns. When multiple anomalies cluster around a single account within a short timeframe, the system surfaces this as a likely compromise requiring immediate investigation.
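The baselines, anomaly signals and cross-signal correlation described in this section and the two before it, as an added example that is not part of the original article and not Obsidian's product code: it builds a small per-user baseline from constructed audit events, scores new events for the five signals listed above, and flags the account only when several distinct signals cluster inside one window. The event format, the thresholds (900 km/h for impossible travel, ten times the largest previous download, the @corp.example mail domain) and all event data are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample audit events, not real logs: (user, ISO time, kind, detail).
# detail: (city, lat, lon) login; app name app/oauth; record count download; address forward.
BASELINE = [  # the CFO's normal pattern, abbreviated
    ("cfo", "2026-01-05T09:10:00", "app", "Outlook"),
    ("cfo", "2026-01-05T11:30:00", "download", 60),
    ("cfo", "2026-01-06T14:00:00", "app", "NetSuite"),
]
NEW = [  # the article's attack chain compressed into one morning
    ("cfo", "2026-01-07T09:00:00", "login", ("New York", 40.71, -74.01)),
    ("cfo", "2026-01-07T11:00:00", "login", ("Moscow", 55.76, 37.62)),
    ("cfo", "2026-01-07T11:05:00", "oauth", "Mail Sync Helper"),
    ("cfo", "2026-01-07T11:09:00", "forward", "archive@attacker.example"),
    ("cfo", "2026-01-07T11:30:00", "app", "Salesforce"),
    ("cfo", "2026-01-07T11:45:00", "download", 10000),
]

def km(a, b):  # great-circle distance between two (city, lat, lon) tuples
    la1, lo1, la2, lo2 = map(radians, (a[1], a[2], b[1], b[2]))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def build_baseline(events):
    """Per-user normal pattern: apps used and largest download seen."""
    base = defaultdict(lambda: {"apps": set(), "max_dl": 0, "last_login": None})
    for user, _, kind, d in events:
        if kind == "app":
            base[user]["apps"].add(d)
        elif kind == "download":
            base[user]["max_dl"] = max(base[user]["max_dl"], d)
    return base

def signal_for(b, t, kind, d):
    """Anomaly name one event raises against baseline b, or None (tracks last login)."""
    when = datetime.fromisoformat(t)
    if kind == "login":
        prev, b["last_login"] = b["last_login"], (when, d)
        hours = (when - prev[0]).total_seconds() / 3600 if prev else 0
        return "impossible_travel" if hours > 0 and km(prev[1], d) / hours > 900 else None
    if kind == "app" and d not in b["apps"]:
        return "new_application"
    if kind == "download" and d > 10 * max(b["max_dl"], 1):
        return "data_volume_spike"
    if kind == "oauth":  # simplification: every new consent grant counts as a signal
        return "oauth_consent"
    if kind == "forward" and not d.endswith("@corp.example"):  # assumed corporate domain
        return "external_forwarding"

def correlate(baseline, events, window_hours=2, min_signals=3):
    """Flag users with >= min_signals distinct anomalies inside one window."""
    hits = defaultdict(list)
    for user, t, kind, d in sorted(events, key=lambda e: e[1]):
        if s := signal_for(baseline[user], t, kind, d):
            hits[user].append((datetime.fromisoformat(t), s))
    flagged = {}  # a lone signal is treated as business change, not compromise
    for user, h in hits.items():
        for t0, _ in h:
            kinds = {s for t, s in h if timedelta(0) <= t - t0 <= timedelta(hours=window_hours)}
            if len(kinds) >= min_signals:
                flagged[user] = sorted(kinds)
                break
    return flagged
```

Run against the constructed data, the CFO account is flagged with all five signals inside a 45-minute window, while a lone new-application event on its own is not.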
Learn more about detecting session hijacking and the techniques attackers use to maintain persistent access.
Response: Containment Before Complete Compromise
Once account takeover is detected, rapid response prevents attackers from achieving their objectives:
Immediate containment actions:
- Kill active sessions across all applications to terminate attacker access
- Revoke OAuth tokens authorized by the compromised account
- Disable email forwarding rules and review message filters
- Review and remove unauthorized apps connected to user accounts
- Reset credentials with verified identity confirmation (not via email to compromised account)
- Audit data access during the compromise window to determine what was exposed
The goal: contain the breach before attackers complete data exfiltration, establish persistent backdoors, or pivot to additional accounts.
Organizations using behavioral detection for account takeover reduce median time to containment from 21 days to under 24 hours, limiting attacker access and reducing breach impact.
Conclusion
What is account takeover? In short, ATO is the unauthorized use of legitimate credentials to access accounts, establish persistence, and achieve attacker objectives while operating within the boundaries of authorized activity.
The statistics are clear: 83% of organizations experienced ATO in the past year, 26% face weekly attempts, and projected losses will reach $17 billion in 2025. Traditional security controls, including MFA, fail to prevent 65% of successful account takeovers.
The challenge is fundamental: when attackers use valid credentials and authorized access, traditional security tools see legitimate activity. Detection requires behavioral baselines that identify anomalies indicating compromise: impossible travel, unusual application access, abnormal data volumes, suspicious OAuth authorizations.
In SaaS environments, account takeover impact extends beyond the compromised account through OAuth tokens and service accounts that enable lateral movement across interconnected applications. One compromised account becomes access to dozens of systems, millions of records, and trusted connections into partner environments.
Next steps for security teams:
- Establish behavioral baselines for all users and service accounts
- Implement correlation across applications to detect multi-stage ATO
- Review OAuth tokens and integrations for overprivileged access and stale connections
- Deploy phishing-resistant MFA to eliminate SMS-based bypass techniques
- Monitor for persistence mechanisms like email forwarding rules and unauthorized OAuth apps
- Practice incident response for rapid containment when ATO is detected
The attacker logged in. Everything after that was legitimate activity, until behavioral detection revealed the truth.
Detect Account Takeover Before Attackers Achieve Their Objectives
Right now, a compromised account in your organization might be authorizing OAuth apps, creating email rules, and accessing sensitive data. Obsidian establishes behavioral baselines for every user, detects anomalies that indicate account takeover, and enables rapid response before attackers move laterally.
See how quickly you could detect ATO in your environment. Learn more about SaaS security and the behavioral detection capabilities that protect against account takeover, token theft, and lateral movement across your SaaS estate.