
























Account takeover is one of the most common ways organizations get breached and one of the hardest to train users on. Not because users don't care, but because usually training happens in unrealistic scenarios, long before or long after the moment it would actually matter.
Here's what most security teams don't realise: if you have KnowBe4’s Real-Time Coaching, SecurityCoach, connected to Microsoft 365, Google Workspace, or your identity provider, you already have everything you need to coach users in the moment an account takeover attempt is happening against them.
It usually begins with a phishing email. A user clicks a link, lands on a convincing fake login page, and types in their credentials. Or increasingly they complete MFA perfectly, and an adversary-in-the-middle attack silently steals their session token anyway.
From there, the attacker moves fast:
The whole chain can unfold in hours. And the user has no idea any of it happened.
SecurityCoach monitors the signals your existing security tools are already generating: Microsoft 365, Entra ID, your endpoint protection, and then fires a personalized security tip when something happens that the user needs to know about.
That tip isn't a generic phishing awareness video. It's a short, targeted message about what just happened to them, what it means, and what to do right now.
Here's what that looks like across the account takeover chain:
Before they've even closed the browser tab, SecurityCoach can reach them: "Did you know? You just clicked a link flagged as malicious. Modern phishing attacks can capture your session even after you've completed MFA. Contact IT security now here's the link."
The morning after an attacker tests stolen credentials, the real user gets a tip: "Did you know? A sign-in to your account was detected from an unexpected location. Here's how to check your active sessions and sign out of any device you don't recognise."
One of the most reliable post-compromise signals and most users have no idea it's even possible: "Did you know? A forwarding rule was set up on your account that sends your emails to an external address. If you didn't create this rule, your account may be compromised. Here's how to find and delete it right now."
Each of these moments is a coaching opportunity that would never exist in a once-a-year training module. But they happen naturally because the attack is already generating signals in your security stack.
If your organisation uses Microsoft 365, connecting it to SecurityCoach activates system detection rules covering the full account takeover chain from phishing delivery through to post-compromise persistence.
Add your identity provider Microsoft Entra ID, Okta, or Google IAM and you pick up the sign-in risk signals: impossible travel, logins from malicious IP addresses, anomalous account behaviour.
Most organisations already have these tools. SecurityCoach turns the signals they're already generating into real-time coaching moments their users will actually remember because the training arrives the moment it's relevant.
|
Integration |
ATO detection rules activated |
|---|---|
|
Microsoft 365 |
Creation of Email Forwarding or Redirect Rule, Suspicious Email Forwarding Activity, Suspicious Email Sending Patterns Detected, Escalation of Exchange Admin Privilege Detected, Malicious URL Clicks Detected |
|
Microsoft Entra ID |
Login from an Unexpected Location, Login from a Malicious IP Address, Unexpected User Behavior Detected, User Credentials Leaked |
|
Microsoft Defender for Cloud Apps |
Credentials Leak Detected, Password Spraying Attack Detected, Multiple Failed Login Attempts, Risky Login Detected, Suspicious Inbox Forwarding Detected |
|
Okta |
Invalid Credentials, Suspicious Account Activity Detected, Threat Detected |
|
Google Workspace |
Account Hijacked, Suspicious Login, Leaked Password, Login Failure, 2-Step Verification Disabled |
If you use KnowBe4 PasswordIQ, connecting it surfaces Breached Password Detected, Shared Password Detected, and Weak Password Detected: three credential-exposure signals that fire before an attacker even attempts a login.
Security awareness works best when it meets users at the point of risk. With SecurityCoach, an account takeover attempt doesn't just become a security incident it becomes the most relevant Real-Time Coaching that a user will ever receive.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。