Email Security MX - Account Takeover - Mar 2026

Service Update

Availability: March 18th, 2026
Product(s): Email Security MX, Analysis & Response
Who's affected: All Email Security customers on the new packages (Critical, Advanced, and Premium) will have Account Takeover (ATO) Detection included.

Overview

Mimecast is pleased to introduce Account Takeover (ATO) Detection. This capability enhances detection of compromised user accounts by combining email and identity signals and is available to eligible Email Security MX customers on the new packages.

What's Changing?

Account Takeover Detection is moving from an early access capability to a fully supported, generally available feature. Customers on the new Email Security packages will benefit from:

  • Automated monitoring of behavioral signals across email and identity systems.
  • AI-driven correlation of those signals to detect suspected account takeover activity.
  • High-confidence alerts surfaced to security teams without requiring a separate console.

How Account Takeover Detection Works

  1. Signal collection: Continuously ingests signals from:
    • Email activity – malware, phishing, spam patterns, and cross-customer reported messages.
    • Microsoft Entra ID – identity and authentication events.
  2. Per-user analysis: Signals are stored and analyzed on a per-user basis to build a behavioral baseline and detect anomalies that deviate from normal activity.
  3. Smart alert generation: An AI model, combining machine learning with curated detection logic, weighs accumulated signals and raises an ATO alert with a confidence/severity score when thresholds are exceeded.
  4. Analyst workflow: Alerts are surfaced in Incydr’s investigation interface, where analysts can review related signals and actor context, understand the confidence/severity score, notify stakeholders, and mark alerts as true or false positives.
  5. Advanced visibility: Aggregated signal and alert counts are surfaced as hero statistics in the Mimecast dashboard, providing a near real-time view of identity threat activity.
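To make steps 1 to 3 concrete, here is an added illustration of the per-user baseline, signal correlation and threshold scoring described above. It is not Mimecast's code, and the page publishes no details of its model: the event shape, the signal names, the weights standing in for "curated detection logic", the spike rule, the alert threshold and the severity bands are all assumptions chosen for the example, and the HISTORY and RECENT telemetry is constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed sample telemetry (not real data). Each event names its source,
# mirroring the two feeds the page lists: "email" activity and "entra" sign-ins.
HISTORY = [  # baseline window
    {"user": "alice", "source": "entra", "kind": "signin", "country": "US", "day": 1},
    {"user": "alice", "source": "email", "kind": "outbound", "count": 20, "day": 1},
    {"user": "alice", "source": "email", "kind": "outbound", "count": 22, "day": 2},
    {"user": "alice", "source": "email", "kind": "outbound", "count": 18, "day": 3},
    {"user": "alice", "source": "email", "kind": "outbound", "count": 21, "day": 4},
    {"user": "bob", "source": "entra", "kind": "signin", "country": "US", "day": 1},
    {"user": "bob", "source": "email", "kind": "outbound", "count": 5, "day": 1},
    {"user": "bob", "source": "email", "kind": "outbound", "count": 6, "day": 2},
    {"user": "bob", "source": "email", "kind": "outbound", "count": 5, "day": 3},
    {"user": "carol", "source": "entra", "kind": "signin", "country": "DE", "day": 1},
    {"user": "carol", "source": "email", "kind": "outbound", "count": 10, "day": 1},
]
RECENT = [  # window being scored
    {"user": "alice", "source": "entra", "kind": "signin", "country": "XX", "day": 5},
    {"user": "alice", "source": "email", "kind": "outbound", "count": 400, "day": 5},
    {"user": "alice", "source": "email", "kind": "reported", "day": 5},
    {"user": "alice", "source": "email", "kind": "reported", "day": 5},
    {"user": "bob", "source": "entra", "kind": "signin", "country": "US", "day": 5},
    {"user": "bob", "source": "email", "kind": "outbound", "count": 6, "day": 5},
    {"user": "carol", "source": "entra", "kind": "signin", "country": "XX", "day": 5},
    {"user": "carol", "source": "entra", "kind": "mfa_failure", "day": 5},
    {"user": "carol", "source": "entra", "kind": "mfa_failure", "day": 5},
    {"user": "carol", "source": "entra", "kind": "mfa_failure", "day": 5},
]

# Assumed weights standing in for "curated detection logic"; the page gives none.
WEIGHTS = {
    "new_country_signin": 3.0,
    "mfa_failure_burst": 2.0,
    "outbound_spike": 3.0,
    "recipient_reported": 4.0,
}
ALERT_THRESHOLD = 6.0              # raise an alert at or above this accumulated score
MAX_SCORE = sum(WEIGHTS.values())  # used to normalise the confidence score

@dataclass
class Baseline:
    countries: set
    mean_sends: float
    std_sends: float

def build_baselines(events):
    """Per-user baseline: usual sign-in countries and daily outbound volume."""
    countries = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["source"] == "entra" and e["kind"] == "signin":
            countries[e["user"]].add(e["country"])
        elif e["source"] == "email" and e["kind"] == "outbound":
            daily[e["user"]][e["day"]] += e["count"]
    baselines = {}
    for user in set(countries) | set(daily):
        counts = list(daily[user].values()) or [0]
        baselines[user] = Baseline(countries[user], mean(counts), pstdev(counts))
    return baselines

def extract_signals(user, events, base):
    """Fire named signals where this user's recent activity deviates from baseline."""
    signals = set()
    mfa_failures = 0
    daily = defaultdict(int)
    for e in events:
        if e["user"] != user:
            continue
        if e["source"] == "entra":
            if e["kind"] == "signin" and e["country"] not in base.countries:
                signals.add("new_country_signin")
            elif e["kind"] == "mfa_failure":
                mfa_failures += 1
        elif e["source"] == "email":
            if e["kind"] == "outbound":
                daily[e["day"]] += e["count"]
            elif e["kind"] == "reported":
                signals.add("recipient_reported")
    if mfa_failures >= 3:
        signals.add("mfa_failure_burst")
    # Spike = more than three standard deviations above the baseline mean; the
    # floor of 1.0 on the deviation stops a flat history flagging any change.
    limit = base.mean_sends + 3 * max(base.std_sends, 1.0)
    if any(n > limit for n in daily.values()):
        signals.add("outbound_spike")
    return sorted(signals)

def score_user(user, events, baselines):
    """Weigh the signals and attach a normalised confidence and a severity band."""
    # An unknown user gets an empty baseline, so every sign-in country is "new".
    base = baselines.get(user, Baseline(set(), 0.0, 0.0))
    signals = extract_signals(user, events, base)
    score = sum(WEIGHTS[s] for s in signals)
    confidence = round(min(score / MAX_SCORE, 1.0), 2)
    severity = "high" if confidence >= 0.75 else "medium" if confidence >= 0.5 else "low"
    return {"user": user, "signals": signals, "score": score,
            "alert": score >= ALERT_THRESHOLD, "confidence": confidence,
            "severity": severity}

def evaluate(history, recent):
    """Build baselines from the history window, then score every user seen recently."""
    baselines = build_baselines(history)
    return {u: score_user(u, recent, baselines) for u in sorted({e["user"] for e in recent})}

if __name__ == "__main__":
    for result in evaluate(HISTORY, RECENT).values():
        print(result)
```

The point of the three constructed users is the threshold: alice accumulates a new-country sign-in, an outbound spike and recipient reports and crosses it, carol's new-country sign-in plus MFA failure burst scores below it and stays a signal rather than an alert, and bob's activity matches his own baseline and fires nothing. Correlating across both feeds is what separates alice from carol; either feed alone would not have reached the threshold.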

Customer Benefits

  • Faster response, reduced impact: Post-compromise alerts help security teams quickly identify and respond to compromised accounts, reducing attacker dwell time and the overall financial and operational impact.
  • Early detection before damage spreads: Early identification of account takeover activity helps prevent privilege escalation, lateral movement to other accounts, and large-scale data exfiltration.
  • Brand and reputation protection: If compromised corporate accounts are used to send malicious or fraudulent communications, earlier detection helps limit potential brand and regulatory damage.
  • Integrated with Mimecast: ATO Detection works in concert with the broader Mimecast platform, providing correlated context rather than isolated identity or email alerts.

Key Capabilities

  • Multi-signal correlation: Combines email behavior and identity signals for higher-fidelity detection.
  • AI alert scoring: Each alert includes a confidence/severity score to support triage and prioritization.
  • Integrated investigation: Alerts surface directly in Incydr’s investigation interface with related signals and actor context.
  • Notification routing: Alerts can trigger notifications via email, Slack, or Microsoft Teams.
  • Feedback loop: Analysts can resolve alerts as true or false positives, continuously improving model accuracy.
  • API access: ATO alert data is available via API for integration with SIEM, SOAR, and other security tools.
  • Executive dashboard stats: Signal and alert counts feed real-time hero stats in the Mimecast dashboard.

Recommended Actions

  • Review the Account Takeover feature behavior and configuration documentation.
  • Confirm required integrations, such as Microsoft Entra ID, are in place and configured.
  • Validate that ATO alerts are routed to the appropriate security and operations teams.
  • Incorporate ATO alerts into existing incident response and investigation workflows.
  • Ensure that read and write permissions are enabled in the following locations under Application Permissions | Services Menu | Account Take Over Alert & Account Take Over Rule. Without these permissions enabled, the hero stat will not render.
