‹  Back

June 18, 2024 · 3m read

Why Unsanctioned Apps Complicate ATO Attacks–And How to Protect Against Them

Nate Abbott 


Account takeover (ATO) attacks are notoriously difficult to detect. The presence of unsanctioned apps and services within an environment exacerbates the problem. Material’s unique approach to email and data security prevents and streamlines the response to these threats.

When an incident pops, every second counts. The math is simple: the longer it takes incident response teams to triage and investigate a live incident, the more damage an attacker can do. 

Account takeover attacks (ATO) are difficult to detect, particularly if the attackers are careful. With traditional email and DLP security tooling, ATO TTPs can be very difficult to distinguish from normal behavior. 

Adding fuel to the fire, depending on which stats you believe, anywhere between 45 and 80% of your employees are using unsanctioned apps in their day-to-day work. Even though the majority are used with good intentions, cloud apps or services your employees are using outside of the visibility of IT and security teams make entry and lateral movement easier for the attackers–while making detection and response harder for security and IR teams.

ATO is difficult to detect, and shadow IT makes it worse

Discovering and effectively assessing breaches is often the most difficult part of the incident response process. ATO attacks that originate with a compromised mailbox can be particularly tricky, as the attacks can be hard to distinguish from expected use. Particularly sophisticated attackers can be nearly impossible to detect–which is why when larger attacks make the news it often comes out that they’ve been inside accounts for months or longer.

Legacy SEG and DLP solutions may detect sensitive information in outgoing emails, but your authorized users will also be sending that information legitimately during the normal course of business. The alerts that pop up will only be distinguishable from normal behavior patterns if an attacker gets sloppy and sends unusually high volumes of data in short periods of time. And even then, your security teams may not notice those alerts within the thousands of others they’re getting from noisy DLP tools until it’s too late.

When unsanctioned apps enter the equation, your attack surface expands even as detection becomes even more difficult. Unmonitored apps introduce new vulnerabilities and potential entry points for attackers. Shadow IT by definition isn’t tracked by the security team, which means the logs these apps and services generate aren’t fed into your SIEM or SOAR platform. This forces IR teams to deal with significant gaps in the digital forensics they have to evaluate the attack vector that allowed the attacker inside, track how they moved within the environment, and evaluate the extent of the damage done.

After a breach is detected and investigated, the containment and isolation process can be complicated enough even when dealing with known, sanctioned systems and apps. But containment of a breach becomes significantly more complicated when you don’t know the full extent of the systems affected, how those systems are interconnected, and lacking telemetry from those systems–and that’s exactly the scenario facing IR teams when shadow IT is in play during an ATO scenario. 

Maintaining regulatory compliance during breach containment can be incredibly difficult when shadow IT is in play, as well. Unsanctioned apps will often fail regulatory requirements simply by nature of falling outside of an organization’s GRC program, let alone whether they meet compliance guidelines by themselves. This forces IR teams to take additional steps to ensure they’re not breaching regulatory requirements with their containment efforts.

Detect, Contain, and Protect ATO and Unsanctioned Apps with Material

Material is able to detect a wider range of potential ATO signals thanks to our API connection with your email system, combined with the advanced analysis and correlation our structured data platform makes possible. Our security toolkit is the only security toolkit designed to provide comprehensive email security, understanding email not only as an attack method (providing multi-layered protection against phishing attacks), but also as an attack vector (detecting and containing lateral movement and account takeovers) and an attack target itself (protecting the sensitive historical data within inboxes).  

Our approach to email and data security speeds detection of and response to potential breaches, providing additional signals and telemetry that traditional security tooling misses. Critically, we also provide a layer of prevention and posture hardening that significantly reduces the risk of compromise in the first place.

Taken together, these capabilities combine to provide robust preventative security against all of the ways your email system can be attacked, while simplifying response and remediation actions for ATO attacks and the complications that arise from unsanctioned and unmanaged apps and services. 

Ready to take control of your environment? Contact Material Security for a demo to shine a light on the shadows of your organization.