Email gateways were designed to scan and block inbound messages. Their visibility and enforcement are limited to email alone, so they are unable to take action against an internal threat.

Worse, it is very likely that the gateway would not even be aware of the compromised user account because they focus on incoming email.

The insider threat is more than just email.

It isn’t necessary to send an email to breach one of your accounts. Perhaps your employee is one of over 10 billion compromised accounts or perhaps they chose to use one of the 10,000 most popular passwords that attackers use in brute force attacks. 

Once the first account is compromised, an attacker does not need to use email in order to compromise others in your organization. They can use any of the other collaboration tools, like OneDrive, Google Drive or Teams, to attack other users.

The PhishPoint attack methodology is a good example of a common internal attack chain. 

Once inside, attackers have multiple attack paths. Not just email. 

While it is possible to identify a compromised account by monitoring email, a more complete and accurate method is to monitor user behavior across the suite: logins, chats, configuration changes and data downloads. This type of information is out of the reach of external email gateways, no matter the configuration.

Detection is not enough. You need Action.

The only way to block an internal threat is through internal action. Quarantining email will not help.

With no ability to disable an account, change permissions, block a chat message or delete a shared file, external gateways are powerless against account compromise. Even if a proxy email vendor were to detect a malicious message, they could only report the suspicious account. It is up to the administrator to disable the account and remediate the damage. 

Didn’t my vendor just announce that they now protect against Email Account Compromise?

Yes, they have. But as a separate product that is purchased and managed independently of the inbound email gateway and the internal email appliance. It is missing key integration and information sharing. The offering demonstrates that they realize that a complete solution must offer:

  • Inbound email protection
  • Internal email protection
  • Outbound email protection
  • Full-suite user event monitoring

To respond to such a threat automatically, you would need an additional security information and event management (SIEM) system and an anomaly detection tool. Even then the response will be delayed, and it may still require manual intervention.

When we connect to a customer's cloud app, we capture a year's worth of historical information to create a model of each user, as well as an organization's custom threat profile. Within each SaaS, we monitor over 100 event indicators and correlate them to identify compromised accounts. These indicators are fed into ML algorithms that are trained to find attacks and filter out false positives. This applies both to accounts breached before Avanan was installed and to preventing new takeovers.

These indicators include, but are not limited to:

  • Logins from new devices, locations or browsers
  • Suspicious or insecure mailbox configurations
  • Disabling of MFA
  • Multiple password resets
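As an added example (not Avanan's code), the following correlates the four indicator families listed above across a user's events against a per-user behavioral baseline; the baseline, event names, weights and alert threshold are constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample data (made up): each user's historical profile, i.e. the
# behavioral baseline described above, plus the recent events to score.
BASELINE = {
    "alice": {"devices": {"laptop-a"}, "geos": {"US"}, "browsers": {"Chrome"}},
    "bob": {"devices": {"desktop-b"}, "geos": {"US"}, "browsers": {"Edge"}},
}
EVENTS = [  # (user, event type, attributes)
    ("alice", "login", {"device": "laptop-a", "geo": "US", "browser": "Chrome"}),
    ("alice", "login", {"device": "unknown-x", "geo": "RU", "browser": "Firefox"}),
    ("alice", "mailbox_rule", {"forward_to": "external.example"}),
    ("alice", "mfa_disabled", {}),
    ("alice", "password_reset", {}),
    ("alice", "password_reset", {}),
    ("bob", "login", {"device": "desktop-b", "geo": "US", "browser": "Edge"}),
    ("bob", "password_reset", {}),
]
WEIGHTS = {"new_login_context": 2, "mailbox_forwarding": 3,  # assumed weights
           "mfa_disabled": 3, "multiple_resets": 2}
THRESHOLD = 5  # assumed alert threshold

def score_user(user, user_events, baseline, threshold=THRESHOLD):
    """Correlate one user's events into indicators, a weighted score and a verdict."""
    profile = baseline.get(user, {"devices": set(), "geos": set(), "browsers": set()})
    indicators, resets = set(), 0
    for event, attrs in user_events:
        if event == "login" and (attrs.get("device") not in profile["devices"]
                                 or attrs.get("geo") not in profile["geos"]
                                 or attrs.get("browser") not in profile["browsers"]):
            indicators.add("new_login_context")  # login outside the user's model
        elif event == "mailbox_rule" and attrs.get("forward_to"):
            indicators.add("mailbox_forwarding")  # insecure mailbox configuration
        elif event == "mfa_disabled":
            indicators.add("mfa_disabled")
        elif event == "password_reset":
            resets += 1
    if resets >= 2:  # a single reset is routine; repeated resets are not
        indicators.add("multiple_resets")
    score = sum(WEIGHTS[i] for i in indicators)
    return {"score": score, "indicators": sorted(indicators),
            "compromised": score >= threshold}

def flag_compromised(events, baseline, threshold=THRESHOLD):
    """Group events by user and score each; no single indicator alerts on its own."""
    per_user = defaultdict(list)
    for user, event, attrs in events:
        per_user[user].append((event, attrs))
    return {u: score_user(u, ev, baseline, threshold) for u, ev in per_user.items()}
```

Running `flag_compromised(EVENTS, BASELINE)` flags alice (all four indicator families fire) and leaves bob, whose only signal is one password reset from a known device, unflagged.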

Avanan has a unique combination of account takeover capabilities. By combining real-time prevention, historical breach detection and adaptive false positive filtering, Avanan provides the most advanced protection against account takeover.