Skill: `abnormal-security-account-takeover`
Install: `claude install-skill wyre-technology/msp-claude-plugins`
# Abnormal Security Account Takeover Detection
## Overview
Abnormal Security's Account Takeover Protection monitors sign-in activity and mailbox behavior to detect compromised internal accounts. By analyzing user behavior patterns, device fingerprints, sign-in locations, and mailbox rule changes, Abnormal identifies accounts that have been taken over by attackers. This skill covers ATO case management, investigation workflows, and remediation actions.
## Account Takeover Indicators
| Indicator | Description | Risk Level |
|-----------|-------------|------------|
| **Impossible Travel** | Sign-ins from geographically distant locations within a time window too short to travel between them | High |
| **Unusual Sign-in Location** | Sign-in from a country or region not seen before | Medium |
| **New Device** | Sign-in from an unrecognized device or browser | Medium |
| **Suspicious Mailbox Rules** | Auto-forward, delete, or move rules targeting sensitive emails | Critical |
| **Bulk Email Sending** | Account sending mass emails to internal or external recipients | High |
| **Password Change** | Unexpected password or MFA changes | High |
| **Lateral Phishing** | Compromised account sending phishing to internal users | Critical |
| **Data Exfiltration** | Large file downloads or email forwarding to external addresses | Critical |
| **Token Theft** | Session token stolen and used from different location/device | High |
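As an added example (not Abnormal Security's code and not part of this skill), the impossible-travel indicator from the table above, implemented over constructed sign-in events: consecutive sign-ins are compared by great-circle distance and elapsed time, and any pair whose implied speed exceeds a plausible travel speed is flagged. The event fields and the 900 km/h threshold are assumptions.

```python
import math
from datetime import datetime

# Constructed sample sign-in events for one account (not Abnormal data).
# Each tuple: (timestamp in UTC, city label, latitude, longitude).
SIGN_INS = [
    ("2024-05-01T09:00:00", "Chicago", 41.88, -87.63),
    ("2024-05-01T09:45:00", "Lagos", 6.52, 3.38),      # 45 minutes later, ~9,600 km away
    ("2024-05-02T09:00:00", "Chicago", 41.88, -87.63),  # a day later, a feasible return
]

# Upper bound for legitimate travel speed in km/h (assumption; tune per tenant).
MAX_SPEED_KMH = 900.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Flag consecutive sign-ins whose implied speed exceeds max_speed_kmh.

    Returns a list of (from_city, to_city, distance_km, hours, speed_kmh).
    Sign-ins from the same coordinates are never findings, even if seconds apart.
    """
    findings = []
    ordered = sorted(events, key=lambda e: e[0])
    for prev, cur in zip(ordered, ordered[1:]):
        hours = (datetime.fromisoformat(cur[0]) - datetime.fromisoformat(prev[0])).total_seconds() / 3600.0
        dist = haversine_km(prev[2], prev[3], cur[2], cur[3])
        if dist == 0.0:
            continue
        # Zero elapsed time with real movement is the extreme case: infinite speed.
        speed = dist / hours if hours > 0 else float("inf")
        if speed > max_speed_kmh:
            findings.append((prev[1], cur[1], round(dist), round(hours, 2), round(speed)))
    return findings


if __name__ == "__main__":
    for f in impossible_travel(SIGN_INS):
        print("Impossible travel: %s -> %s, %d km in %.2f h (%d km/h)" % f)
```

Only the Chicago-to-Lagos leg is flagged; the return a day later falls well under the threshold and is ignored.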
## ATO Case Field Reference
### Core Fields
| Field | Type | Description |
|-------|------|-------------|