Videos · Ben Baker · TAGS: Incident detection & response
Exploring how security teams can detect and respond to compromised accounts before they lead to ransomware and business email compromise
Date: October 2, 2025
Duration: 4 minutes
Format: Video interview
Featuring:
- Ben Baker, Director of Content, Expel (Host)
- Zach Davis, Security Analyst, Expel
Additional resources
- Learn more about Expel’s security operations center (SOC)
- Explore original threat intelligence from Expel Intel
- Watch more security discussions on Expel’s YouTube channel
Introduction
Account takeover attacks represent one of the most dangerous and insidious threats facing organizations today. Unlike external attacks that trigger immediate alarms, compromised accounts operate with legitimate credentials, trusted relationships, and authorized access—making account takeover detection a critical but challenging component of modern security operations.
When attackers compromise an internal account, they don’t just gain access to one user’s data. They gain the ability to move laterally, impersonate trusted colleagues, and leverage organizational relationships to spread further compromise. As Zach Davis, Security Analyst at Expel, puts it: “It’s probably the scariest thing, because you’re taking a trusted individual and abusing that trust to move laterally.”
In this episode of “SOC Bytes,” Ben Baker sits down with Zach to walk through a real-world account takeover incident—from initial detection of suspicious internal phishing to containment of an active threat actor attempting to establish persistent access through remote monitoring tools.
This conversation provides actionable insights for security teams looking to improve their account takeover detection capabilities, understand the evolving tactics attackers use to abuse legitimate tools, and build more effective response protocols for compromised accounts.
Anatomy of an account takeover attack
Account takeover attacks often follow a predictable pattern, but the details matter. Understanding how these attacks unfold is essential for building effective detection and response capabilities.
The initial compromise: When trusted senders become threat actors
Zach Davis: We got an alert in “High” for suspicious internal sender. A good thing about Expel is my intro into cybersecurity was actually in the phishing service. I’ve seen thousands and thousands and thousands of phishing attempts.
As soon as I looked at it and I saw the subject line, I was like, “This is bad.” And I saw they were sending DocuSign, which is something that attackers like to use. It makes it hard for us, because once the victim clicks on the link, they can have it set up to where we can’t see what was behind it. That kind of covers their tracks.
But in this instance, the threat actor had sent another link, and it was actually to Limewire—if you remember that throwback.
Ben Baker: I remember Limewire. What a throwback.
Zach Davis: The Limewire link included a download of a file, something to the effect of “PDF converter,” which is a commonly used obfuscation technique to kind of hide what the actual thing is.
The critical discovery: From phishing to RMM tool deployment
One of the most dangerous aspects of modern account takeover attacks is the deployment of legitimate remote access tools that allow persistent access beyond the initial compromise.
Zach Davis: I was sitting there looking at it, and I knew it was bad, but I was like, “What actually is this?” The funny thing is, I had it in my sandbox, and I just happened to mouse over it and it showed up as the RMM tool name, and they never changed the name.
So I was like, “Oh, this is not just your normal malware. This is a threat actor attempting to get a foothold in the environment.”
This distinction is critical for account takeover detection. A simple phishing click might result in stolen credentials or limited data exposure. But when attackers use the compromised account to deploy Remote Monitoring and Management (RMM) tools, they’re establishing persistent access that can lead to domain controller compromise, data exfiltration, and ransomware deployment.
Account takeover detection through behavioral analysis
Effective account takeover detection requires looking beyond the content of suspicious messages to understand the behavioral patterns and technical indicators that reveal compromise.
Zach Davis: Right after I came to that conclusion, I was able to look at the user’s history through their O365 logs. The concern originally was: Is this actually coming from inside the house, or is someone pretending to be coming from the outside?
There’s tactical spoofing where they can kind of make it seem very believable that it is coming from a trusted sender. But since I was able to look at their activity, I saw the send. I saw them sending it. It was coming from an Amazon IP actually, which can be hard to detect, because Amazon IPs are everywhere.
But we knew that this wasn’t right, so as soon as we saw that, we jumped into action and got it contained.
This approach to account takeover detection combines multiple signals:
- Unusual sending patterns (internal sender flagged as suspicious)
- Anomalous content (DocuSign lures, download links)
- IP address analysis (Amazon IP when user typically logs in from corporate network)
- Temporal analysis (activity outside normal hours or patterns)
- Tool deployment (RMM tool installation from compromised account)
The evolution of remote access in account takeover attacks
Understanding how attackers abuse legitimate tools is essential for effective account takeover detection. The tactics continue to evolve as security teams adapt their defenses.
Why attackers prefer RMM tools over traditional RATs
Ben Baker: Can you explain how attackers use a legitimate RMM tool and why is that harder to detect than something like a RAT (Remote Access Trojan)?
Zach Davis: The thing that makes it harder—a lot of threat actors have been using ScreenConnect or other remote access tools that just give you straight-up control of someone’s computer. We obviously know that they’ve been using these for a long time, so we’ve become privy to it. So they started to switch it up.
The thing about RMM tools, and what makes them tricky, is that customers are more likely to use an RMM tool than they are ScreenConnect or another remote access tool like that.
The account takeover detection challenge: Legitimate vs. malicious tools
Zach Davis: What makes it hard for us is sometimes we don’t always know what the customers are using. Of course, we can go and look for prevalence if we see this binary in their environment. But sometimes, if the left hand doesn’t know what the right hand is doing, it can cause some slowness here, because we don’t have that information of knowing exactly what they’re deploying, what they’re using all the time.
That makes it a little bit harder to detect and hurts the reaction time on our end.
This highlights a critical challenge in account takeover detection: distinguishing between authorized use of legitimate tools and unauthorized deployment by compromised accounts. The solution requires:
- Asset inventory awareness – Knowing which RMM tools are authorized
- Deployment baselines – Understanding normal installation patterns
- Context enrichment – Correlating tool deployment with account compromise indicators
- Customer communication – Maintaining updated information about environmental changes
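As an added illustration of this inventory check (example code, not Expel’s tooling), the Python below triages constructed endpoint telemetry against a hypothetical authorised-RMM list: it flags remote-access products missing from the inventory, installers whose on-disk name no longer matches the OriginalFilename they shipped with in their version resource (the “PDF converter” pattern from the incident, where the product name was never changed), and products with low fleet prevalence. Product names, hosts, users and the telemetry field names are all assumptions.

```python
import os
from collections import defaultdict

# Constructed catalogue of remote-access products, keyed by the ProductName string in
# the binary's version resource, and the subset this customer has declared authorised.
KNOWN_RMM = {"AcmeRMM Agent", "RemoteHelp Desk", "FleetControl Client"}
AUTHORISED_RMM = {"AcmeRMM Agent"}
LOW_PREVALENCE = 3  # below this many hosts, an RMM product is unusual for the fleet

def base(name):
    """File name without extension, case-folded, for comparing on-disk vs shipped names."""
    return os.path.splitext(name)[0].lower()

def name_mismatch(event):
    """True when the on-disk name hides what the binary is (the 'PDF converter' lure)."""
    return base(event["file_name"]) != base(event["original_filename"])

def triage_rmm(events):
    """Return (severity, message) for each remote-access binary that needs a look."""
    hosts = defaultdict(set)  # prevalence: distinct hosts per product
    for e in events:
        hosts[e["product_name"]].add(e["host"])
    findings = []
    for e in events:
        product = e["product_name"]
        if product not in KNOWN_RMM:
            continue  # not a remote-access product; out of scope for this check
        reasons = []
        if product not in AUTHORISED_RMM:
            reasons.append("not in the authorised RMM inventory")
        if name_mismatch(e):
            reasons.append(f"installer renamed to '{e['file_name']}'")
        if len(hosts[product]) < LOW_PREVALENCE:
            reasons.append(f"seen on only {len(hosts[product])} host(s)")
        if reasons:
            severity = "high" if product not in AUTHORISED_RMM else "medium"
            findings.append((severity, f"{e['host']} ({e['user']}): {product}: " + "; ".join(reasons)))
    return findings

# Constructed endpoint telemetry: one renamed unauthorised RMM installer, an authorised
# agent on three hosts, and an unrelated application.
SAMPLE_EVENTS = [
    {"host": "WS-0142", "user": "jdoe", "file_name": "PDF Converter.exe",
     "original_filename": "RemoteHelpSetup.exe", "product_name": "RemoteHelp Desk"},
    {"host": "WS-0007", "user": "itadmin", "file_name": "AcmeRMMAgent.exe",
     "original_filename": "AcmeRMMAgent.exe", "product_name": "AcmeRMM Agent"},
    {"host": "WS-0008", "user": "itadmin", "file_name": "AcmeRMMAgent.exe",
     "original_filename": "AcmeRMMAgent.exe", "product_name": "AcmeRMM Agent"},
    {"host": "WS-0009", "user": "itadmin", "file_name": "AcmeRMMAgent.exe",
     "original_filename": "AcmeRMMAgent.exe", "product_name": "AcmeRMM Agent"},
    {"host": "WS-0201", "user": "bsmith", "file_name": "Spreadsheet.exe",
     "original_filename": "Spreadsheet.exe", "product_name": "Acme Office Suite"},
]
```

Running triage_rmm(SAMPLE_EVENTS) yields a single high-severity finding for the renamed, single-host RemoteHelp installer; the authorised agent on three hosts produces nothing, which is the point of keeping the inventory current.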
Lateral movement: The ultimate account takeover risk
The true danger of account takeover isn’t the initial compromise—it’s what comes next. Lateral movement through organizational hierarchies can turn a single compromised account into an enterprise-wide incident.
How trust becomes a weapon in account takeover attacks
Ben Baker: What’s one thing you want security teams to know about defending against threats that come from inside the house?
Zach Davis: I think it’s probably the scariest thing, because you’re taking a trusted individual and abusing that trust to move laterally. Joe from accounting could go and message their boss, and maybe they eventually get their boss compromised, and then their boss starts sending out emails.
I’ve seen it happen before. I’ve seen bosses sending out emails to everyone. And what do you do when your boss tells you to do something? You typically do it and you don’t really question it.
That’s such a major thing to stop and get ahead of while it happens, and it can be really hard to detect if you’re not on top of it.
This scenario illustrates why account takeover detection must account for social dynamics and organizational hierarchies. A compromised executive account is far more dangerous than a compromised individual contributor account because:
- Higher trust level – Recipients are more likely to comply with requests
- Broader access – Executive accounts often have elevated privileges
- Larger attack surface – More contacts means more potential victims
- Greater impact – Company-wide communications reach entire organizations
The account takeover detection to ransomware pipeline
Many organizations don’t realize that what starts as a phishing incident can rapidly escalate to ransomware when account takeover goes undetected.
Understanding the escalation path
Zach Davis: The other part circles back to earlier about the left hand and the right hand. If you’re a security team and you have a service like Expel, you really have to keep them up to date on what you’re doing in your environment in terms of these tools like RMM tools and ScreenConnect—if it’s expected.
Because it could be the difference between “someone got phished, not a huge deal, we took care of it” to “someone got phished, they downloaded an RMM tool, there’s a threat actor in your environment, they just ransomed your DC, ransomed your data servers.”
That is the worst scenario, and that’s what they’re trying to do.
The progression typically looks like this:
- Initial compromise – Phishing leads to account takeover
- Tool deployment – RMM tool installed for persistent access
- Lateral movement – Additional accounts compromised
- Privilege escalation – Domain admin or similar credentials obtained
- Ransomware deployment – Organization-wide encryption attack
Effective account takeover detection at stage 1 or 2 prevents the catastrophic outcomes at stage 5.
Building effective account takeover detection capabilities
Based on this real-world incident, security teams can implement several strategies to improve their account takeover detection and response capabilities.
1. Implement behavioral analysis for compromised accounts
Don’t rely solely on content analysis. Account takeover detection requires understanding normal user behavior and flagging deviations:
- Login locations and IP addresses
- Sending patterns and volumes
- Recipient relationships
- Activity timing
- Device fingerprints
- Application access patterns
2. Maintain environmental awareness
Zach Davis: Just be very transparent with your security teams to make sure that they know what’s going on so they can react fast.
For effective account takeover detection, security teams need to know:
- Which RMM tools are authorized
- Who has permission to deploy them
- Normal software installation patterns
- Organizational hierarchies and relationships
- Expected business processes that might look suspicious
3. Leverage O365 and email platform logs
Email and collaboration platform logs are gold mines for account takeover detection. Key indicators include:
- Unusual send locations (IPs, geolocations)
- Sending from unfamiliar clients or applications
- Changes to mail forwarding rules
- Inbox rule creation (to hide responses)
- Mass deletion of emails
- Unusual OAuth app permissions
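The multi-signal approach described earlier (an internal sender, lure content, a send from an Amazon IP) and the O365 indicators listed in this section, as an added example that is not from the original page or Expel’s own detection: a Python triage pass over constructed, simplified unified-audit-log records that flags lure-style sends from outside known corporate ranges, inbox rules that hide or forward mail, OAuth consents, and bulk deletions. The corporate ranges, lure terms, deletion threshold and record field layout are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed values standing in for the organisation's own data: known egress
# ranges, lure phrases from this incident, and a bulk-deletion threshold.
CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]
LURE_TERMS = ("docusign", "pdf converter")
MASS_DELETE_THRESHOLD = 50

def off_network(ip):
    """True when the client IP falls outside every known corporate range."""
    return not any(ipaddress.ip_address(ip) in net for net in CORPORATE_NETS)

def params(record):
    """Flatten the Exchange admin-audit Parameters list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def triage(records):
    """Return one finding per record (or per user) that matches an ATO indicator."""
    findings, deletes = [], Counter()
    for r in records:
        op, user, ip = r["Operation"], r["UserId"], r.get("ClientIP", "")
        if op == "Send":
            subject = r.get("Item", {}).get("Subject", "").lower()
            if ip and off_network(ip) and any(t in subject for t in LURE_TERMS):
                findings.append(f"{user}: lure-style send from off-network IP {ip}")
        elif op == "New-InboxRule":
            p = params(r)
            hides = p.get("DeleteMessage") == "True" or "MoveToFolder" in p
            forwards = any(k in p for k in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"))
            if hides or forwards:  # rules that bury replies or leak mail to the attacker
                findings.append(f"{user}: inbox rule '{p.get('Name')}' hides or forwards mail")
        elif op == "Consent to application.":
            findings.append(f"{user}: OAuth consent granted to {r.get('ObjectId')}")
        elif op in ("SoftDelete", "HardDelete"):
            deletes[user] += len(r.get("AffectedItems", []))
    for user, n in deletes.items():
        if n >= MASS_DELETE_THRESHOLD:
            findings.append(f"{user}: {n} messages deleted in bulk")
    return findings

# Constructed, simplified audit records for a demonstration run.
SAMPLE = [
    {"Operation": "Send", "UserId": "jdoe@example.com", "ClientIP": "198.51.100.7",
     "Item": {"Subject": "DocuSign: Please review and sign"}},
    {"Operation": "Send", "UserId": "asmith@example.com", "ClientIP": "203.0.113.20",
     "Item": {"Subject": "Q3 budget"}},
    {"Operation": "New-InboxRule", "UserId": "jdoe@example.com",
     "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Consent to application.", "UserId": "jdoe@example.com", "ObjectId": "Mail Sync Helper"},
    {"Operation": "HardDelete", "UserId": "jdoe@example.com",
     "AffectedItems": [{"Id": str(i)} for i in range(60)]},
]
```

triage(SAMPLE) returns four findings, all for jdoe, and nothing for the ordinary on-network send by asmith; no single record is conclusive on its own, which is why the pass keys every finding to the account so an analyst can see them together.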
4. Build phishing expertise into detection
Experience matters in account takeover detection. As Zach notes, having seen “thousands and thousands” of phishing attempts builds pattern recognition that automated systems alone can’t match.
Combine:
- Automated detection rules
- Human analyst expertise
- Threat intelligence feeds
- Sandboxing and file analysis
- Link analysis and URL inspection
5. Speed up response through preparation
Account takeover incidents require rapid response. Prepare by:
- Documenting RMM tool baselines
- Establishing communication channels with IT teams
- Creating runbooks for account compromise scenarios
- Testing account disable/quarantine procedures
- Training on lateral movement investigation
Key account takeover detection indicators
Security teams should monitor for these specific indicators that suggest account compromise:
Behavioral indicators
- Internal user sending mass phishing emails
- Account accessed from unusual locations
- Login attempts outside normal hours
- Rapid succession of failed then successful logins
- Unusual data access patterns
Technical indicators
- RMM tool deployment from user accounts
- Installation of remote access software
- Creation of new email forwarding rules
- OAuth app authorizations
- Credential dumping attempts
- PowerShell or scripting activity from compromised account
Content indicators
- DocuSign or other document signing lures
- File sharing service links (Limewire, Dropbox, OneDrive)
- “PDF converter” or similar utility downloads
- Urgency language in internal emails
- Requests for sensitive information from colleagues
Real-world account takeover detection in action
This incident demonstrates the value of layered account takeover detection:
- Automated detection flagged suspicious internal sender
- Analyst expertise recognized phishing patterns immediately
- Sandbox analysis revealed RMM tool payload
- Log investigation confirmed compromise via Amazon IP
- Rapid containment prevented lateral movement and ransomware
The key is that no single signal was enough. Effective account takeover detection requires multiple layers working together with skilled analysts who can synthesize signals into actionable intelligence.
Key takeaways for account takeover detection
- Account takeover is a gateway to ransomware: What starts as phishing can rapidly escalate when attackers deploy RMM tools for persistent access.
- Behavioral analysis is essential: IP address anomalies, sending patterns, and temporal analysis often reveal compromised accounts faster than content analysis alone.
- RMM tools are the new attack vector: Legitimate remote management tools are harder to detect than traditional malware, making environmental awareness critical.
- Lateral movement multiplies impact: Compromised accounts enable trust-based attacks that move through organizational hierarchies.
- Speed matters: The difference between contained phishing and ransomware is often measured in minutes—account takeover detection must enable rapid response.
- Communication is critical: Security teams need visibility into authorized tools and environmental changes to distinguish legitimate activity from compromise.
- Experience accelerates detection: Pattern recognition from seeing thousands of incidents helps analysts spot account takeover attempts faster.
The future of account takeover detection
As organizations increasingly rely on cloud services, remote work, and third-party integrations, the attack surface for account compromise continues to expand. Future account takeover detection capabilities will need to incorporate:
- Enhanced behavioral analytics using machine learning to establish user baselines
- Cross-platform correlation to track compromise across email, SaaS apps, and endpoints
- Real-time threat intelligence about emerging RMM tool abuse
- Automated response capabilities to quarantine compromised accounts instantly
- Identity-centric security that treats accounts as the new perimeter
Organizations that invest in robust account takeover detection capabilities today will be better positioned to prevent the ransomware attacks of tomorrow.
Frequently asked questions about account takeover detection
Q: What’s the difference between account takeover and credential theft?
A: Credential theft is when attackers steal usernames and passwords. Account takeover is when they actively use those stolen credentials to access accounts and conduct malicious activities. Account takeover detection focuses on identifying the active abuse phase, not just the initial theft.
Q: How quickly should we respond to suspected account takeover?
A: Immediately. Every minute a compromised account remains active allows attackers to move laterally, deploy tools, and escalate privileges. Best practice is to initiate containment procedures (account disable, session termination) within minutes of confirmed compromise.
Q: Should we block all RMM tools to prevent account takeover attacks?
A: Blocking all RMM tools isn’t practical for most organizations that use them legitimately. Instead, maintain an inventory of authorized RMM tools, monitor for unauthorized deployments, and ensure your security team knows which tools are expected in your environment.
Q: What’s the best way to detect account takeover via O365?
A: Leverage O365 unified audit logs to monitor for: unusual sign-in locations, impossible travel scenarios, mass email sending, inbox rule changes, and OAuth app grants. Combine these logs with UEBA (User and Entity Behavior Analytics) capabilities for behavioral baseline detection.
Q: How can we prevent lateral movement after account takeover?
A: Implement zero-trust principles, segment networks, require MFA for all internal applications, limit account privileges, monitor for unusual peer-to-peer communications, and deploy EDR solutions that can detect credential dumping and privilege escalation attempts.
Q: What makes “threats from inside the house” harder to detect than external attacks?
A: Internal account takeover attacks use legitimate credentials, trusted relationships, and authorized access paths—exactly what security tools are designed to allow. Detection requires behavioral analysis to identify what’s abnormal for specific users rather than what’s abnormal for the environment overall.
External resources for account takeover detection
- MITRE ATT&CK: Account Manipulation techniques and detection strategies
- CISA Guidance on Phishing and Account Compromise for incident response frameworks
- OWASP Automated Threats to Web Applications including credential stuffing and account takeover
This transcript has been edited for clarity and readability. The account takeover detection strategies and incident response approaches discussed are based on real-world security operations experience. Organizations should adapt these approaches to their individual environments, risk tolerance, and technical capabilities.
For more account takeover detection insights and security operations resources, visit expel.com/blog or follow our LinkedIn page for updates on security trends and best practices.