Detecting Stealthy Account Takeover Campaigns with Federated Intelligence
Modern account takeover attacks hide in plain sight. Learn how behavioral AI connects subtle signals to expose and stop stealthy compromises.
November 7, 2025

Attackers have moved away from loud, brute-force tactics. Today’s campaigns are quiet, deliberate, and layered. An adversary may log in during normal working hours, use a VPN or proxy to disguise origin, or rely on forged credentials that pass standard checks. Each login on its own seems innocuous, but over time, patterns emerge.
Credential abuse remains central to these stealthy account takeover campaigns, appearing in nearly half of breaches in 2024. What’s changed is not the tactic but how quietly it’s being executed.
Why Credential Abuse Attacks Evade Detection
These campaigns succeed because they combine multiple subtle tricks:
Forged tokens or stolen credentials that appear legitimate
Access via trusted applications and APIs so malicious access doesn’t stand out
Reuse of VPN or proxy infrastructure that makes the origin look plausible
Low-and-slow timing to avoid triggering unusual thresholds
A representative example is Storm-0558, where attackers used forged tokens and proxy infrastructure to access mailboxes across accounts. The sign-ins were visible in logs, but the broader pattern of attacker activity emerged only after analysts correlated activity across accounts and timeframes, down to IP reuse over discrete windows.
The Real Cost for Security Teams
This level of subtlety, where the attack reveals itself only through correlation, creates real challenges for security teams. Analysts face countless weak signals while trying to pick out the few that matter. Every unusual login or odd IP triggers alerts. Without the ability to correlate those signals, defenders are left wading through noise.
What It Takes to Get Ahead
To interrupt stealthy ATO campaigns, defenders need to shift from isolated detections to intelligent correlation:
Connect signals across users and time: stitch together seemingly disparate low-signal events into coherent campaigns.
Be infrastructure-aware: detect when VPNs, proxies, or other IPs get reused across accounts.
Elevate high-confidence cases: reduce noise so security teams can focus and respond faster.
How Abnormal Helps
Abnormal’s Account Takeover Protection (ATO) already surfaces login anomalies, risky behavior, and suspicious identity events. With ATO’s new Automated Threat Hunter capability, detections extend even further by correlating recurring IP activity, learning from cross-customer intelligence, and turning those insights into high-confidence, actionable cases. This is achieved by:
Correlating signals across accounts and over time by continuously reviewing potentially malicious IP address blocks that recur across multiple accounts within specific time windows. This temporal correlation exposes attacker infrastructure reuse and campaign-level activity that would otherwise look like isolated events.
Applying federated intelligence drawn from Abnormal’s broad and growing customer ecosystem. When indicators of compromise are detected at other customers, Abnormal’s models adapt and learn from that behavior to strengthen detections everywhere. This approach goes beyond static rules or lists of known-bad indicators, which can cause numerous false positives, and instead leverages behavioral AI to recognize evolving attack behaviors.
Elevating account compromise cases when emerging intelligence indicates previously unseen activity. Each case includes a reconstructed activity timeline and concise summary that turns scattered anomalies into a clear, actionable picture of compromise.
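The temporal correlation and confidence promotion described above, reduced to a small worked example. This is added illustration code, not Abnormal's product logic; it assumes constructed sign-in records, a /24 block granularity, a six-hour sliding window and a three-account threshold, all chosen arbitrarily here.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample sign-ins, not real telemetry:
# (tenant, user, UTC timestamp, source IP, ISP as reported by the identity provider)
SIGNINS = [
    ("acme",    "alice", "2025-10-01T09:02:00", "203.0.113.14",  "ExampleVPN"),
    ("acme",    "bob",   "2025-10-01T09:40:00", "203.0.113.77",  "ExampleVPN"),
    ("globex",  "carol", "2025-10-01T10:15:00", "203.0.113.201", "ExampleVPN"),
    ("acme",    "dave",  "2025-10-03T14:00:00", "203.0.113.9",   "ExampleVPN"),
    ("initech", "erin",  "2025-10-01T11:05:00", "198.51.100.5",  "HomeISP"),
]
# Constructed per-user baseline of ISPs previously seen for each account.
HISTORY = {("acme", "alice"): {"HomeISP"}, ("initech", "erin"): {"HomeISP"}}

def ip_block(ip, prefix=24):
    """Collapse a source IP to its /24 so nearby addresses count as one block."""
    return str(ip_network(f"{ip}/{prefix}", strict=False))

def correlate_blocks(signins, window=timedelta(hours=6), min_accounts=3):
    """Map each IP block to the distinct (tenant, user) accounts that signed in
    from it inside some sliding window of length `window`. Blocks that never
    reach `min_accounts` in any window are dropped, so a lone odd login stays quiet.
    Tenants are pooled on purpose: that is the cross-customer (federated) view."""
    by_block = defaultdict(list)
    for tenant, user, ts, ip, _isp in signins:
        by_block[ip_block(ip)].append((datetime.fromisoformat(ts), (tenant, user)))
    campaigns = {}
    for block, events in by_block.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window's left edge until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            accounts = {acct for _, acct in events[start:end + 1]}
            if len(accounts) >= min_accounts:
                campaigns.setdefault(block, set()).update(accounts)
    return campaigns

def case_confidence(tenant, user, ip, isp, history, campaigns):
    """Low: ISP already in the user's baseline. Medium: never-before-seen ISP.
    High: new ISP and the source block recurs across accounts (campaign infra)."""
    if isp in history.get((tenant, user), set()):
        return "Low"
    return "High" if ip_block(ip) in campaigns else "Medium"

if __name__ == "__main__":
    found = correlate_blocks(SIGNINS)
    for block, accounts in found.items():
        print(block, sorted(accounts))
    print(case_confidence("acme", "alice", "203.0.113.14", "ExampleVPN", HISTORY, found))
```

Note that dave's sign-in from the same block two days later is not part of the correlated window, but any new-ISP login from that block is still promoted once the block is known campaign infrastructure.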
In production, this approach has already delivered up to a 3x increase in the number of high-confidence ATO cases for our customer base over the last several months, helping teams focus on the attacks that matter most.
Real-World Example: A QR Code Leads to a Coordinated Account Takeover
As part of a proof of value, Abnormal recently observed a real-world example of this exact pattern, in which a subtle phishing email led to credential theft and a coordinated campaign across multiple organizations. Even in read-only mode, Abnormal’s behavioral AI and federated intelligence exposed the full attack chain, showing how easily a single overlooked message could lead to widespread compromise.
The campaign began with a voicemail-themed phishing email containing a QR code that redirected users to a fake Microsoft 365 login page. Abnormal’s behavioral AI immediately flagged the message as suspicious due to several anomalies: a spoofed sender, a hidden .eml attachment, and message patterns inconsistent with the user’s typical behavior.

Soon after, Microsoft risk telemetry, surfaced in Abnormal, showed a sign-in from an unfamiliar location, adding to the evidence of compromise.

Once the attacker used those stolen credentials, Abnormal detected a login from a Tencent Cloud VPN, an IP and ISP combination never before seen for that user. This triggered an Account Takeover case highlighting new VPN usage, rare browser characteristics, and a geolocation outside normal patterns.

The case grew in significance when Abnormal’s federated intelligence correlated similar suspicious sign-ins across other tenants. Over 100 users in the Abnormal customer base showed recent logins from the same VPN infrastructure, revealing a coordinated campaign.

Multiple accounts within the customer’s environment showed correlated indicators, such as suspicious messages and sign-ins from the same IP address, confirming a coordinated attacker campaign detected by Abnormal’s federated intelligence.

As Automated Threat Hunter surfaced this reused attacker infrastructure, Abnormal automatically promoted the case confidence from Medium to High, a design choice intended to reduce alert fatigue by distinguishing high-fidelity, correlated attacks from isolated, potentially low-signal events. Had this customer been operating in Active Mode, their configured remediation workflows, such as end-user and admin notifications or automatic session revocation, could have been triggered immediately, stopping the attacker before they could move laterally and compromise additional accounts.

Even in a non-remediating state during the customer’s proof of value, Abnormal connected the dots between the phishing email, the account compromise, and the broader campaign, showing how behavioral AI and federated intelligence deliver visibility beyond the reach of traditional tools. In production, Abnormal would have automatically quarantined the original message and blocked subsequent account access, preventing the takeover entirely.
This case exemplifies how Abnormal prevents the stealthy account takeovers described earlier in this blog: detecting the quiet, correlated signals others miss and surfacing only the most actionable, high-confidence threats to help teams focus on what truly matters.
See how Abnormal uses behavioral AI to expose coordinated account takeovers that traditional tools miss. Schedule a personalized demo today.