Agari: 50% of accounts are accessed within 12 hours of being stolen


New research from phishing defense company Agari found that criminals don’t wait after they compromise accounts in phishing attacks. Agari researchers found that 23% of all accounts were accessed almost immediately and 50% of the accounts were accessed manually within 12 hours after compromise, according to the Anatomy of a Compromised Account report.

[Figure: Percentage of compromised accounts manually accessed over time. Image credit: Agari]

In order to better understand what happens after an enterprise email account is compromised, the Agari Cyber Intelligence Division (ACID) seeded more than 8,000 phishing sites with credentials under their control and then monitored the accounts to directly observe the actions cybercriminals took post-compromise. Nearly 20% of accounts were accessed within the first hour post-compromise, and 91% were accessed manually within the first week, demonstrating the speed at which compromised accounts are exploited. Initial scanning appeared to be automated, perhaps to verify that the stolen credentials actually worked.

The criminals impersonated Microsoft OneDrive, Office 365, SharePoint, Adobe Document Cloud, or just “Microsoft,” according to Agari. Once attackers gained access to the compromised accounts, they appeared to try to identify high-value targets with access to a company’s financial information or payment system.

Highlighting the global footprint of the problem of business email compromise (BEC), Agari identified cybercriminals located in 44 countries around the world that had accessed compromised accounts, with 47% located in Nigeria. The ACID team was also able to directly observe the different ways cybercriminals exploited compromised accounts, including creating mailbox rules to collect intelligence, pivoting to other applications to search for and host malicious documents, setting up new infrastructure for future BEC attacks, and sending massive phishing campaigns targeting multiple industries.

Read the full Agari whitepaper, Anatomy of a Compromised Account.

