We have MFA and an IdP. Why do we still need ATO protection?

MFA stops credential stuffing; it does not stop session hijacking via AiTM proxies. Once the attacker has a valid session, your IdP cannot tell them apart from the user. Abnormal sits one layer down — at the behavior — and catches the deviation when the legitimate session is being used by the wrong person.

How does Abnormal detect a takeover without seeing the login?

Abnormal ingests authentication signals via API (M365, Google Workspace, Okta, Entra) plus mailbox behavior, mail rules, and cross-app activity. The signal is the deviation: unusual ASN, new device, atypical hours, sudden mail rules, first-time access to sensitive folders — scored together against the identity's behavioral baseline.

How fast does remediation happen?

Under six seconds from detection to containment. Abnormal disables the session, terminates auto-forward rules, removes phishing emails sent from the compromised account, and notifies the SOC — all autonomously. No analyst action required.

Does this cover SaaS account takeover, not just email?

Yes. Abnormal's SaaS Account Takeover Protection extends the same behavioral model to Slack, Zoom, and other cloud apps. A compromised M365 session pivoting into Slack is caught as cross-app lateral movement, not as two unrelated SSO events.

What's the false positive rate on account lockouts?

Near zero. Per-identity baselines distinguish travel and remote work from compromise — a frequent traveler logging in from a new country isn't anomalous for them. When false positives do occur, restoring access is a one-click action and the platform learns from the correction.

Prevent Account Takeover

The Attacker Is Logged in as Your Employee

Once attackers have valid credentials, every tool in your stack sees a legitimate user — Abnormal sees the behavior break that gives the attack away.

Request a Demo

Combined attacks prevented at ADT over 24 months

ADT customer story

<0s

Time to lock a compromised account once detected

Abnormal Platform

0%+

Reduction in account takeover attacks at TaylorMade

TaylorMade customer story

Take A Product Tour

The Challenge

Why Your Identity Stack Can't See an Active Takeover

Valid Credentials Defeat MFA

AiTM phishing kits proxy the entire login flow, including MFA — your IdP sees a successful authentication and stamps it valid.

Mail Rules and Forwarders Deploy in Silence

Attackers set up auto-forwarding rules within minutes of compromise to siphon mail without raising alerts.

Lateral Phishing from Inside the Org

Compromised accounts send phishing from the inside, where messages never cross the gateway and look perfectly normal.

SaaS Lateral Movement Happens in Minutes

Slack, Zoom, and SharePoint share SSO — one stolen session pivots across your entire SaaS estate.

Manual Remediation Arrives Hours After Exfil

By the time a SOC analyst correlates the login alert and disables the account, the data is already gone.

Real Incident

AnAnattackerattackerproxiedproxiedaarealrealloginloginthroughthroughEvilProxy,EvilProxy,capturedcapturedthetheMFAMFAsession,session,setsetupupananauto-forwardauto-forwardrule,rule,andandexfiltratedexfiltratedinvoiceinvoiceattachmentsattachments——everyeverycheckchecksaidsaidauthorized,authorized,behaviorbehaviorsaidsaidcompromised.compromised.

Based on a real customer incident

The Solution

Detecting Account Takeovers at the First Sign of Risk

Scores authentication, device, and location signals against each identity's baseline to catch valid credentials being misused — even after MFA.
Correlates mailbox rule changes, lateral phishing, and cross-app activity to surface a takeover the moment behavior deviates.
Terminates the hijacked session, reverses malicious mail rules, and removes phishing sent from the account in under six seconds — no analyst action.

Core Capabilities

Behavioral AI That Stops Account Takeovers

Detect the Behavior, Not the Login

Per-identity baselines score authentication, mailbox, and rule changes together — catching the deviation when valid credentials are misused.

Cross-App Behavioral Visibility

Slack, Zoom, and your SaaS estate share one behavioral model — lateral movement gets caught even when each pivot looks like a normal SSO flow.

Lock Attackers Out in Under 6 Seconds

Session terminated, mail rules reversed, phishing sent from the account auto-removed, SOC notified — all without analyst action.

View Platform Overview

Over 25% of the Fortune 500 Trust Abnormal AI to Make Automated, Critical Security Decisions

Customer Voice

Real Results from Security Teams

“Abnormal's automation gives our analysts time back to work on other projects, and the fact that it's API-based gives us flexibility to tie in other applications and their data.”

John Roeser

Senior Manager, Information Security, Domino's

“Our goals are to get away from being so reliant on human judgment and leverage AI to be proactive. Abnormal helps us with those goals.”

Corey Kaemming

Senior Director, Information Security, Valvoline

Abnormal powers over 4,500 customers, including over 25% of the Fortune 500.

Customer Stories

FAQ

Related Resources

Webinars

The Detection Gap: Why AI-Powered Attacks Are Winning Against Legacy Email Security

Watch this on-demand webinar to learn how AI-powered BEC attacks bypass secure email gateways, and how behavioral AI can detect what legacy tools miss.

White Papers

The Essential Guide to Human Risk Management

Learn why traditional security awareness training fails to reduce real-world risk and how modern human risk management helps organizations measure and reduce risky behavior over time.

Data Sheets

Displace Your Secure Email Gateway

Stop sophisticated email attacks that target your employees using native cloud-based email security plus Abnormal.

View All Resources

Lock Attackers Out Before They Move Laterally

Deploy in 60 seconds via API. No MX changes. Detect compromised accounts in seconds — auto-remediate in under six.

Request a Demo

Identity & AI Security

Platform

Product Resources

Support

Featured

Thought Leadership

Featured

Company

News & Events

Featured

The Attacker Is Logged in as Your Employee

Why Your Identity Stack Can't See an Active Takeover

Valid Credentials Defeat MFA

Mail Rules and Forwarders Deploy in Silence

Lateral Phishing from Inside the Org

SaaS Lateral Movement Happens in Minutes

Manual Remediation Arrives Hours After Exfil

Detecting Account Takeovers at the First Sign of Risk

Behavioral AI That Stops Account Takeovers

Over 25% of the Fortune 500 Trust Abnormal AI to Make Automated, Critical Security Decisions

Real Results from Security Teams

“Abnormal's automation gives our analysts time back to work on other projects, and the fact that it's API-based gives us flexibility to tie in other applications and their data.”

“Our goals are to get away from being so reliant on human judgment and leverage AI to be proactive. Abnormal helps us with those goals.”

FAQ

Related Resources

Lock Attackers Out Before They Move Laterally