
How Account Takeovers Actually Happen and How to Stop Them

Learn how Microsoft 365 account takeovers happen and how to detect them early. Protect your business from phishing, credential theft, and identity attacks.

Introduction

Account takeovers are one of the most common and damaging attacks targeting organizations today. Most environments are not breached through exploits. They are accessed using valid credentials.

Many organizations assume they are protected because MFA is enabled. In reality, attackers bypass these controls every day using phishing, token theft, and MFA fatigue techniques.

This article breaks down how account takeovers actually happen, what attackers look for, and how to stop them before they escalate into a full breach.

Phishing (Initial Access)

Most attacks begin with a phishing email designed to look legitimate. These emails often impersonate Microsoft, internal IT teams, or trusted vendors. Users are directed to a fake login page and unknowingly submit their credentials, giving attackers initial access.

We have seen this firsthand with law firms and accounting firms in Connecticut. A single employee clicking a link led to a compromised mailbox, hidden inbox rules, and a fraudulent wire transfer within 24 hours.

MFA Fatigue and Push Spam

If MFA is enabled, attackers who already hold a valid password attempt to bypass it using push fatigue techniques. They trigger repeated MFA prompts, rely on user confusion or frustration, and wait for a single approval. Once one prompt is approved, the attacker gains full access to the account.

Session Hijacking and Token Theft

In more advanced attacks, attackers steal session tokens. A valid token lets them access the account without re-authenticating, bypass MFA entirely, and maintain access even after the password is changed, until the stolen sessions are revoked.

Establishing Persistence

After gaining access, attackers move quickly to maintain control:

  • Creating inbox forwarding rules to intercept emails
  • Adding new MFA methods to the account
  • Registering new devices
  • Granting application or delegated permissions

This ensures they retain access even if the initial compromise is discovered. In one case we handled, an attacker created 7 hidden inbox rules to suppress payment-related emails while they initiated a fraudulent wire transfer.
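The four persistence actions above all leave a trail in the Microsoft 365 audit log, so they can be hunted for rather than waited on. The script below is an added example, not code from the original post: it walks a set of constructed records shaped loosely like unified audit log entries (the form `Search-UnifiedAuditLog` returns after JSON parsing) and flags inbox rules that forward or redirect mail outside the tenant, rules that delete or bury payment-related mail, mailbox-level external forwarding, new MFA registrations, device registrations, and application permission grants. The tenant domain `contoso.example`, the `Parameters` layout, and the sample records are assumptions; the operation names follow the Exchange Online and Entra ID audit conventions but should be checked against the exact strings your tenant emits.

```python
"""Flag persistence actions that commonly follow a Microsoft 365 account takeover.

Added example. The records are synthetic and only resemble unified audit log
entries; the Parameters layout and the tenant domain are assumptions.
"""
from typing import Iterable

INTERNAL_DOMAINS = {"contoso.example"}          # assumption: the tenant's own domains
PAYMENT_WORDS = ("invoice", "payment", "wire", "remittance")


def _param(record: dict, name: str):
    """Value of a named cmdlet parameter in an Exchange audit record, or None."""
    for p in record.get("Parameters", []):
        if p.get("Name", "").lower() == name.lower():
            return p.get("Value")
    return None


def _is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def _rule_indicators(record: dict) -> list[str]:
    """Reasons an inbox rule looks like attacker persistence."""
    reasons = []
    # Forwarding or redirecting mail out of the tenant
    for p_name in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for addr in str(_param(record, p_name) or "").split(";"):
            addr = addr.strip()
            if addr and _is_external(addr):
                reasons.append(f"{p_name} to external address {addr}")
    # Silently discarding or burying mail that matches payment language
    hides = (str(_param(record, "DeleteMessage")).lower() == "true"
             or bool(_param(record, "MoveToFolder")))
    words = " ".join(str(_param(record, k) or "")
                     for k in ("SubjectContainsWords", "BodyContainsWords")).lower()
    if hides and any(w in words for w in PAYMENT_WORDS):
        reasons.append("hides messages matching payment keywords")
    return reasons


def flag_persistence(records: Iterable[dict]) -> list[dict]:
    """Return one finding per persistence indicator seen in the records."""
    findings = []
    for r in records:
        op, user = r.get("Operation", ""), r.get("UserId", "?")
        if op in ("New-InboxRule", "Set-InboxRule"):
            for reason in _rule_indicators(r):
                findings.append({"user": user, "indicator": "inbox rule", "detail": reason})
        elif op == "Set-Mailbox":
            addr = str(_param(r, "ForwardingSmtpAddress") or "").removeprefix("smtp:")
            if addr and _is_external(addr):
                findings.append({"user": user, "indicator": "mailbox forwarding", "detail": addr})
        elif op == "User registered security info":
            findings.append({"user": user, "indicator": "new MFA method", "detail": op})
        elif op in ("Register device", "Add registered users to device"):
            findings.append({"user": user, "indicator": "new device", "detail": op})
        elif op in ("Consent to application", "Add delegated permission grant"):
            findings.append({"user": user, "indicator": "app permission grant", "detail": op})
    return findings


# Constructed sample records (synthetic, not real audit data)
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "alice@contoso.example",
     "Parameters": [{"Name": "Name", "Value": "Rule 1"},
                    {"Name": "ForwardTo", "Value": "drop@mail-relay.example"}]},
    {"Operation": "New-InboxRule", "UserId": "alice@contoso.example",
     "Parameters": [{"Name": "Name", "Value": "Rule 2"},
                    {"Name": "SubjectContainsWords", "Value": "invoice;wire"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@contoso.example",   # benign: files newsletters
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "Set-Mailbox", "UserId": "admin@contoso.example",    # benign: internal forward
     "Parameters": [{"Name": "Identity", "Value": "bob"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:helpdesk@contoso.example"}]},
    {"Operation": "User registered security info", "UserId": "alice@contoso.example", "Parameters": []},
    {"Operation": "Consent to application", "UserId": "alice@contoso.example", "Parameters": []},
]

if __name__ == "__main__":
    for f in flag_persistence(SAMPLE_RECORDS):
        print(f"{f['user']:<24} {f['indicator']:<22} {f['detail']}")
```

Run against the sample, the benign newsletter rule and the internal forward produce nothing, while alice's external forward, payment-hiding rule, new MFA method and app consent each produce a finding; in practice the same four events clustered on one user within a short window is the signature worth alerting on.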

Signs You May Have Been Compromised

  • Logins from unusual locations or IP addresses
  • Multiple failed login attempts followed by success
  • Unexpected or repeated MFA prompts
  • New inbox rules or external forwarding
  • Suspicious emails sent from internal users
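The first three signs in the list are visible in sign-in logs alone and can be checked mechanically. The script below is an added example, not code from the original post: over a constructed set of events shaped loosely like Entra ID sign-in log entries, it flags a run of credential failures followed by a success, a burst of denied or timed-out MFA prompts (the push-spam pattern), and sign-ins from a country not in the user's baseline. The field names (`user`, `time`, `result`, `country`, `mfa`), the baseline dictionary and the thresholds are assumptions; map them onto your log export's real columns before using it.

```python
"""Flag account-takeover signs in Microsoft 365 sign-in events.

Added example. Events are synthetic and loosely shaped like Entra ID sign-in
log entries; field names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _by_user(events):
    """Group events per user, sorted by time, with a parsed timestamp attached."""
    groups = defaultdict(list)
    for e in events:
        groups[e["user"]].append({**e, "ts": _ts(e["time"])})
    for evs in groups.values():
        evs.sort(key=lambda e: e["ts"])
    return groups


def failed_then_success(events, window=timedelta(minutes=10), min_failures=5):
    """A success preceded by many credential-stage failures (mfa is None) in the window."""
    hits = []
    for user, evs in _by_user(events).items():
        for i, e in enumerate(evs):
            if e["result"] != "success":
                continue
            prior = [p for p in evs[:i]
                     if e["ts"] - p["ts"] <= window and p["result"] == "failure" and p["mfa"] is None]
            if len(prior) >= min_failures:
                hits.append({"user": user, "time": e["time"], "failures_before": len(prior)})
    return hits


def mfa_push_burst(events, window=timedelta(minutes=5), min_prompts=5):
    """Many denied or timed-out MFA prompts for one user inside the window."""
    hits = []
    for user, evs in _by_user(events).items():
        prompts = [e for e in evs if e["mfa"] in ("denied", "timeout")]
        for i, e in enumerate(prompts):
            n = sum(1 for p in prompts[i:] if p["ts"] - e["ts"] <= window)
            if n >= min_prompts:
                hits.append({"user": user, "start": e["time"], "prompts": n})
                break   # one finding per user is enough
    return hits


def new_locations(events, known):
    """Sign-in attempts from a country absent from the user's baseline."""
    hits, seen = [], set()
    for e in events:
        key = (e["user"], e["country"])
        if e["country"] not in known.get(e["user"], set()) and key not in seen:
            seen.add(key)
            hits.append({"user": e["user"], "country": e["country"], "time": e["time"]})
    return hits


def analyze(events, known):
    return {"failed_then_success": failed_then_success(events),
            "mfa_push_burst": mfa_push_burst(events),
            "new_locations": new_locations(events, known)}


# Constructed sample events (synthetic, not real log data)
SIGN_INS = [
    # alice: six password failures from an unfamiliar country, then a success
    *[{"user": "alice@contoso.example", "time": f"2024-05-01T02:0{i}:00Z",
       "result": "failure", "country": "NG", "mfa": None} for i in range(6)],
    {"user": "alice@contoso.example", "time": "2024-05-01T02:06:00Z",
     "result": "success", "country": "NG", "mfa": "approved"},
    # bob: correct password each time, prompts denied or timed out, then one approval
    *[{"user": "bob@contoso.example", "time": f"2024-05-01T09:0{i}:00Z",
       "result": "failure", "country": "US", "mfa": "timeout" if i % 2 else "denied"} for i in range(5)],
    {"user": "bob@contoso.example", "time": "2024-05-01T09:05:00Z",
     "result": "success", "country": "US", "mfa": "approved"},
    # carol: ordinary sign-in from a known location
    {"user": "carol@contoso.example", "time": "2024-05-01T13:00:00Z",
     "result": "success", "country": "US", "mfa": "approved"},
]
KNOWN_LOCATIONS = {u: {"US"} for u in ("alice@contoso.example", "bob@contoso.example", "carol@contoso.example")}

if __name__ == "__main__":
    for kind, hits in analyze(SIGN_INS, KNOWN_LOCATIONS).items():
        print(kind, hits)
```

The credential-failure check deliberately ignores failures that already carry an MFA outcome, so a push-spam run is reported once as an MFA burst rather than twice; the location check is a simple allow-list per user, which is enough to surface the first sign-in from somewhere new and let an analyst decide whether travel explains it.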

How to Prevent Account Takeovers

Enforce Strong MFA. Use number matching or phishing-resistant MFA methods where possible.

Implement Conditional Access. Block high-risk locations, require compliant or trusted devices, and enforce risk-based authentication policies.

Monitor Sign-In Activity. Continuously monitor login behavior and investigate anomalies immediately.

Lock Down Email Rules. Prevent automatic forwarding to external domains and monitor for rule creation.

Limit Privileged Access. Reduce the number of global administrators and enforce least privilege.

Use Identity and Endpoint Protection. Deploy EDR and ITDR tools to detect suspicious activity across identities and endpoints.

What to Do If an Account Is Compromised

Immediate response is critical:

  • Disable the account
  • Revoke all active sessions
  • Reset credentials
  • Remove malicious inbox rules
  • Review sign-in logs and activity
  • Re-secure MFA and authentication methods

Delays in response allow attackers to expand access, exfiltrate data, and establish long-term persistence.

Final Thoughts

Account takeovers are not theoretical. They happen every day and often succeed due to small gaps in configuration, visibility, or response. The difference between a contained incident and a full breach comes down to speed of detection and response.

Need help securing your environment?

Book a free 30-minute consultation. We will assess your Microsoft 365 environment and tell you where the gaps are.
