It seems like your browser didn't download the required fonts. Please revise your security settings and try again.

Login Sign Up Contact & Support

United States – English (GMT-5)

Email Protection

Total Email Protection

Email Gateway Defense (Email Security)

Impersonation Protection (Sentinel)

Cloud Archiving Service

Security Awareness Training (PhishLine)

Email Security Gateway

Domain Fraud Protection

Incident Response

Message Archiver

WAF-as-a-Service

Web Application Firewall

Cloud Security Guardian

Load Balancer ADC

Vulnerability Manager

Vulnerability Remediation Service

WAF Control Center

Active DDoS Prevention

CloudGen Firewall

CloudGen Access

Network Access Client

Firewall Insights

Web Security Gateway

Web Security Agent

Firewall Policy Manager

Cloud-to-Cloud Backup

RMM (Managed Workplace)

Managed Security Awareness Training (Managed Phishline)

Intronis Backup (ECHOplatform)

MSP Knowledge Base

Site Security Scanner

MSP – Partner Enablement

Server Backup (Yosemite)

Campus Help Center / Reference

Onboarding Portal

Network Security

Support Services

Barracuda Impersonation Protection
formerly Sentinel

Overview Documentation Training Materials

Email Protection

Total Email Protection

Email Gateway Defense (Email Security)

Impersonation Protection (Sentinel)

Cloud Archiving Service

Security Awareness Training (PhishLine)

Email Security Gateway

Domain Fraud Protection

Incident Response

Message Archiver

WAF-as-a-Service

Web Application Firewall

Cloud Security Guardian

Load Balancer ADC

Vulnerability Manager

Vulnerability Remediation Service

WAF Control Center

Active DDoS Prevention

CloudGen Firewall

CloudGen Access

Network Access Client

Firewall Insights

Web Security Gateway

Web Security Agent

Firewall Policy Manager

Cloud-to-Cloud Backup

RMM (Managed Workplace)

Managed Security Awareness Training (Managed Phishline)

Intronis Backup (ECHOplatform)

MSP Knowledge Base

Site Security Scanner

MSP – Partner Enablement

Server Backup (Yosemite)

Campus Help Center / Reference

Onboarding Portal

Network Security

Support Services

Login Sign Up Contact & Support

United States – English (GMT-5)

Account Takeover Attacks and their Signals

Last updated on 2024-01-12 16:20:36

In Account Takeover (ATO) / Account Compromise attacks, the attacker uses compromised credentials to take over a targeted account, potentially:

signing into the account
sending emails from the account
altering inbox rules for the account
Inbox rules are only monitored for accounts with paid licenses. Free or student mailbox rules are not monitored.

The compromised credentials can come from password data breaches or from other phishing attacks.

This article provides a general sense of the signals used by Impersonation Protection to detect account takeover attacks. Note that it would be irresponsible to disclose the inner workings of Impersonation Protection.

Impersonation Protection also detects signals to protect you from targeted phishing attacks. See Targeted Attacks and their Signals for details.

Emails Sent

The attacker might send impersonated emails to:

- Compromise more credentials
- Distribute malware beyond the gateway
- Commit wire fraud and other social engineering attacks

For more information, see Account Takeover Alerts and Handling an Account Takeover.

Suspicious Sign Ins

The attacker might sign into an account to send emails, change policies, or perform other tasks while logged in as a valid user.

For more information, see Suspicious Sign Ins.

Inbox Rules

The attacker might change rules to cover their tracks, for example creating rules to route certain incoming emails to their own, separate account.

For more information, see Investigating Inbox Rules.