CyberSecurity SEE

Account Takeover Detection: No Single Tell

In 2024, 99% of the customer tenants monitored by Proofpoint were targeted by at least one account takeover (ATO) attempt, and 62% of those tenants suffered at least one successful takeover. The company's threat researchers note that their visibility comes from direct integrations with major identity and cloud providers, including Microsoft Entra ID, O365, Okta, and Google Workspace, covering tens of millions of user accounts. Organizations that suffered ATOs had 12 compromised accounts on average last year, and some saw dozens or even hundreds of successful takeovers.

Attackers do not discriminate when choosing targets, but some industries see more successful ATO attempts than others. Education, Electronics, and Aerospace were hit hardest, while Financial and Legal Services firms proved more resilient. Perhaps surprisingly, companies in the Food & Beverage industry also fended off ATO attempts effectively.

Proofpoint also found that of the roughly 63 million accounts it monitored last year, around 3 million were targeted for compromise, resulting in 17,000 successful takeovers. 65% of the compromised accounts had multi-factor authentication (MFA) enabled; the report did not break down which MFA methods those accounts used. The researchers stressed that FIDO security keys or passkeys are a stronger second factor than codes delivered by SMS: the credential is bound to the legitimate origin, so neither a phishing page nor info-stealer malware can harvest a reusable authentication factor the way they can capture a one-time code.

MFA is a step in the right direction, but it is not foolproof. As adoption has grown, attackers have adapted with techniques that circumvent it, though without MFA the number of successful takeovers would certainly be higher. Detecting and preventing ATOs is hard because malicious sign-ins mostly originate from the same countries as legitimate traffic (the United States, Germany, Russia, India, and the Netherlands), which makes geoblocking ineffective. Blocking by domain or hosting provider fares no better, since ATO attempts often come from the same service providers and hosting countries that legitimate organizations use.

According to Proofpoint's threat researchers, there is no single definitive indicator of account compromise. Organizations therefore have to combine pre-access signals (where and how the sign-in happens), post-access behavior monitoring (what the account does once it is in), AI-based analysis, and a mix of proprietary and third-party threat intelligence. As threats continue to evolve, proactive measures and constant vigilance remain essential to defending against account takeovers and other malicious activity.
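The two paragraphs above make a detection argument rather than describe a tool: any one signal (a new country, a new network, a forwarding rule) also fires on legitimate users, so a detector has to score pre-access and post-access signals together. The following is an added example of that approach, written for this page; it is not Proofpoint's code or anything from the report. The sign-in and audit events, the per-user baselines, the tenant domain example.com, and the signal weights and alert threshold are all constructed for illustration and would be tuned against real tenant data.

```python
"""Added example (not from Proofpoint or the article): score several weak
account-takeover signals together, since no single tell is reliable on its own."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Hypothetical weights; tune against your own tenant's false-positive rate.
WEIGHTS = {
    "impossible_travel": 4,   # two sign-ins too far apart for the time elapsed
    "new_country": 2,         # country never seen in the user's baseline
    "new_asn": 1,             # network never seen in the user's baseline
    "failure_burst": 2,       # >= 3 failed sign-ins in the 10 min before a success
    "inbox_forward_rule": 3,  # post-access: mail rule forwarding outside the tenant
    "mfa_method_added": 2,    # post-access: a new second factor registered
}
ALERT_THRESHOLD = 6           # no single weight reaches this; combinations do
MAX_SPEED_KMH = 1000.0
TENANT_DOMAIN = "example.com"  # assumed tenant; forwards elsewhere count as external

# Constructed per-user baselines (in practice derived from weeks of prior sign-ins).
BASELINE = {
    "alice": {"countries": {"US"}, "asns": {"AS7922"}},
    "bob":   {"countries": {"US"}, "asns": {"AS7922"}},
    "carol": {"countries": {"US"}, "asns": {"AS7922"}},
}

# Constructed events shaped like cloud sign-in / audit logs (not real telemetry).
# Ashburn, US ~ (39.04, -77.49); Frankfurt, DE ~ (50.11, 8.68); Amsterdam, NL ~ (52.37, 4.90)
SAMPLE_EVENTS = [
    # alice: legitimate trip; new country and new ASN, but 12 hours of travel time
    {"ts": "2024-05-01T08:00:00", "user": "alice", "type": "signin", "result": "success",
     "country": "US", "asn": "AS7922", "lat": 39.04, "lon": -77.49},
    {"ts": "2024-05-01T20:00:00", "user": "alice", "type": "signin", "result": "success",
     "country": "DE", "asn": "AS3320", "lat": 50.11, "lon": 8.68},
    # carol: never leaves the baseline network, but creates one external forwarding rule
    {"ts": "2024-05-01T09:00:00", "user": "carol", "type": "signin", "result": "success",
     "country": "US", "asn": "AS7922", "lat": 39.04, "lon": -77.49},
    {"ts": "2024-05-01T09:05:00", "user": "carol", "type": "audit",
     "action": "InboxRuleCreated", "forward_to": "carol.home@example.net"},
    # bob: compromised. Failures, then a success from a hosting ASN 40 minutes after a
    # US sign-in, followed by an external forwarding rule and a newly registered MFA method.
    {"ts": "2024-05-01T09:00:00", "user": "bob", "type": "signin", "result": "success",
     "country": "US", "asn": "AS7922", "lat": 39.04, "lon": -77.49},
    {"ts": "2024-05-01T09:31:00", "user": "bob", "type": "signin", "result": "failure",
     "country": "NL", "asn": "AS16276", "lat": 52.37, "lon": 4.90},
    {"ts": "2024-05-01T09:33:00", "user": "bob", "type": "signin", "result": "failure",
     "country": "NL", "asn": "AS16276", "lat": 52.37, "lon": 4.90},
    {"ts": "2024-05-01T09:36:00", "user": "bob", "type": "signin", "result": "failure",
     "country": "NL", "asn": "AS16276", "lat": 52.37, "lon": 4.90},
    {"ts": "2024-05-01T09:40:00", "user": "bob", "type": "signin", "result": "success",
     "country": "NL", "asn": "AS16276", "lat": 52.37, "lon": 4.90},
    {"ts": "2024-05-01T09:45:00", "user": "bob", "type": "audit",
     "action": "InboxRuleCreated", "forward_to": "archive@mail-collector.example"},
    {"ts": "2024-05-01T09:47:00", "user": "bob", "type": "audit",
     "action": "MfaMethodAdded", "method": "sms"},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    h = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def score_events(events, baseline=BASELINE, tenant_domain=TENANT_DOMAIN):
    """Return {user: {"score": int, "signals": [...], "alert": bool}} over the stream."""
    signals = defaultdict(set)
    last_success = {}             # user -> (time, lat, lon) of previous successful sign-in
    failures = defaultdict(list)  # user -> timestamps of failed sign-ins
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts = ev["user"], datetime.fromisoformat(ev["ts"])
        found = signals[user]     # touching the key ensures every user is reported
        base = baseline.get(user, {"countries": set(), "asns": set()})
        if ev["type"] == "signin":
            if ev["result"] == "failure":
                failures[user].append(ts)
                continue
            # Pre-access signals, evaluated only once a sign-in actually succeeds
            if ev["country"] not in base["countries"]:
                found.add("new_country")
            if ev["asn"] not in base["asns"]:
                found.add("new_asn")
            if len([t for t in failures[user] if ts - t <= timedelta(minutes=10)]) >= 3:
                found.add("failure_burst")
            if user in last_success:
                prev_ts, plat, plon = last_success[user]
                hours = (ts - prev_ts).total_seconds() / 3600
                dist = haversine_km(plat, plon, ev["lat"], ev["lon"])
                if hours > 0 and dist / hours > MAX_SPEED_KMH:
                    found.add("impossible_travel")
            last_success[user] = (ts, ev["lat"], ev["lon"])
        else:
            # Post-access signals taken from the audit log
            if ev["action"] == "InboxRuleCreated" and \
                    not ev["forward_to"].endswith("@" + tenant_domain):
                found.add("inbox_forward_rule")
            if ev["action"] == "MfaMethodAdded":
                found.add("mfa_method_added")
    report = {}
    for user, found in signals.items():
        score = sum(WEIGHTS[s] for s in found)
        report[user] = {"score": score, "signals": sorted(found),
                        "alert": score >= ALERT_THRESHOLD}
    return report


if __name__ == "__main__":
    for user, r in score_events(SAMPLE_EVENTS).items():
        print(f"{user:6} score={r['score']:2} alert={r['alert']}  {r['signals']}")
```

With these inputs, alice (new country plus new ASN, score 3) and carol (one external forwarding rule, score 3) both stay under the threshold, while bob accumulates impossible travel, a failure burst, new country and ASN, an external forwarding rule and a new MFA method (score 14) and is alerted. Each signal is counted once per user, and the weights are chosen so that no single signal alerts on its own; the pre-access checks only run on successful sign-ins so failed sprays from unusual networks do not pollute the location history.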
