Account Takeover (ATO) Detection

Written By Matt Sywulak


Account Takeover (ATO) Detection is a beta outbound security feature that monitors your users' sending behavior for signs of a compromised email account. When suspicious activity crosses a configured threshold, INKY automatically places the affected user into enforcement mode, quarantining, discarding, or delivering their outbound messages according to your policy while alerting designated approvers to review and act.

ATO Detection requires INKY Pro and is gated as a beta feature. Contact your account team to have it enabled for your organization.

How it works

INKY continuously scores outbound messages from each sender using three signal types. When a user's cumulative score crosses a threshold, they enter enforcement mode at the corresponding risk level.

Signal types

Signal                   What triggers it
Burst                    A sudden spike in outbound email volume exceeding normal sending patterns
Dangerous Links          Outbound messages containing URLs flagged as malicious or suspicious
Spam / Phishing Content  Outbound messages whose content matches phishing or spam characteristics

Risk levels

Signal scores accumulate into one of three risk levels. The score thresholds are fixed: you configure what action INKY takes at each level, not the thresholds themselves.

Risk level   Score threshold
Low          ≥ 10
Medium       ≥ 30
High         ≥ 70

Enforcement mode

When a user's score crosses a configured threshold, they enter enforcement mode. While in enforcement:

  • All outbound messages are handled according to the Enforcement Action you configured for their risk level (Deliver, Quarantine, or Discard).

  • Enforcement stays active for the Time in Force you set (1 hour to 7 days). If new signals above threshold arrive during enforcement, the window resets and extends.

  • Quarantined messages that an administrator has not manually approved are automatically rejected when enforcement expires.

  • All administrators listed as ATO Enforcement approvers in Global Workflow Approvers are notified immediately and can review messages and release the user at any time via the Triage page.
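To make the scoring and enforcement flow above concrete, here is a small simulation of it, written as an added example for this article; it is not INKY's code and does not reproduce INKY's internals. The thresholds (10 / 30 / 70), the three enforcement actions, the Time in Force reset on new signals, and the automatic rejection of unapproved quarantined messages on expiry follow the text; the per-signal point values, the class and function names, and the choice to move an already-enforced user to the risk level matching their new score are assumptions made for the example.

```python
"""Simulation of cumulative ATO scoring and enforcement mode (added example).

Threshold values come from the page; SIGNAL_POINTS and all names are assumed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional


class Action(Enum):
    DELIVER = "deliver"
    QUARANTINE = "quarantine"
    DISCARD = "discard"


# Fixed score thresholds from the page, checked highest first.
THRESHOLDS = (("high", 70), ("medium", 30), ("low", 10))

# Assumed points per signal type; the page does not publish these weights.
SIGNAL_POINTS = {"burst": 30, "dangerous_links": 15, "spam_phish": 15}


def risk_level(score: int) -> Optional[str]:
    """Highest risk level whose fixed threshold the score meets, or None."""
    for level, threshold in THRESHOLDS:
        if score >= threshold:
            return level
    return None


@dataclass
class RiskEntry:            # one row of the configured risk map
    action: Action
    time_in_force: timedelta


@dataclass
class Enforcement:
    level: str
    action: Action
    expires_at: datetime
    quarantined: list = field(default_factory=list)   # message ids held for review
    approved: set = field(default_factory=set)        # ids an approver released


@dataclass
class SenderState:
    score: int = 0
    enforcement: Optional[Enforcement] = None
    rejected: list = field(default_factory=list)      # auto-rejected at expiry


class AtoPolicy:
    def __init__(self, risk_map: dict, enabled: bool = True):
        self.risk_map = risk_map          # {"low"|"medium"|"high": RiskEntry}
        self.enabled = enabled
        self.notifications: list = []     # stand-in for approver e-mails

    def record_signal(self, user: str, state: SenderState, signal: str, now: datetime) -> None:
        """Add a signal's points and (re)enter enforcement if a configured level is met."""
        state.score += SIGNAL_POINTS[signal]
        level = risk_level(state.score)
        if not self.enabled or level is None or level not in self.risk_map:
            return                        # unconfigured level: normal delivery
        entry = self.risk_map[level]
        expires = now + entry.time_in_force
        enf = state.enforcement
        if enf is not None and now < enf.expires_at:
            # Already enforced: the Time in Force window resets from now.
            # Assumption: the enforcement follows the current (possibly higher) level.
            enf.level, enf.action, enf.expires_at = level, entry.action, expires
        else:
            state.enforcement = Enforcement(level, entry.action, expires)
            self.notifications.append(f"{user} entered {level} enforcement")

    def handle_outbound(self, state: SenderState, msg_id: str, now: datetime) -> Action:
        """Decide what happens to one outbound message from this sender."""
        self._expire_if_due(state, now)   # a real system would also expire on a timer
        enf = state.enforcement
        if enf is None:
            return Action.DELIVER
        if enf.action is Action.QUARANTINE:
            enf.quarantined.append(msg_id)
        return enf.action

    def approve(self, state: SenderState, msg_id: str) -> None:
        """Approver releases a quarantined message from the Triage queue."""
        if state.enforcement is not None and msg_id in state.enforcement.quarantined:
            state.enforcement.approved.add(msg_id)

    def release_user(self, state: SenderState) -> None:
        """Approver ends enforcement early; nothing is auto-rejected."""
        state.enforcement = None

    @staticmethod
    def _expire_if_due(state: SenderState, now: datetime) -> None:
        enf = state.enforcement
        if enf is not None and now >= enf.expires_at:
            # Expiry: quarantined messages never approved are rejected.
            state.rejected.extend(m for m in enf.quarantined if m not in enf.approved)
            state.enforcement = None
```

Walking one sender through it shows the pieces interacting: a dangerous-link signal (15 points) puts the user in Low enforcement; a burst signal ten minutes later (45 points) moves them to Medium and resets the window, so messages start landing in quarantine; whatever an approver has not approved by the time the window lapses is rejected, and the next message after expiry is delivered normally.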

Configuration

ATO settings are in Settings → Outbound Protection → Account Takeover Settings.

Step 1: Enable ATO detection

Check Enable Account Takeover Detection. When disabled, outbound messages are unaffected regardless of any risk map entries you have configured.

Step 2: Configure risk level actions

Click + Add Low Risk Action, + Add Medium Risk Action, or + Add High Risk Action for each risk level you want to enforce. You can configure Low, Medium, and High independently; any level you don't configure defaults to normal delivery.

For each level, set two options:

Enforcement Action
  Options: Deliver, Quarantine, Discard
  Description: How outbound messages are handled while the user is in enforcement. Quarantined messages appear in the Triage page for review.

Time in Force
  Options: 1 hour · 4 hours · 8 hours · 12 hours · 1 day · 3 days · 5 days · 7 days
  Description: How long enforcement remains active before automatically expiring.

Step 3: Add ATO Enforcement approvers

Administrators who should be notified and able to act on enforcements must be added to Global Workflow Approvers with the type ATO Enforcement.

  1. In Outbound Protection settings, scroll to Global Workflow Approvers.

  2. Click Add Approver, select the administrator, and choose ATO Enforcement as the approver type.

All ATO Enforcement approvers are notified by email when a user enters enforcement and can take action from the Triage page.

Signal sensitivity

ATO detection uses your existing outbound signal configurations as inputs; it does not have separate sensitivity settings. To tune what triggers ATO, adjust your Burst Detection, Dangerous Link Detection, and Spam/Phishing Detection settings in Outbound Protection. The relevant toggles there are Enable Dangerous Links Detection and Enable Spam/Phish Body Detection.

Permissions

Permission                  What it grants
OMP Enforcements — Read     View the Triage page and Account Takeover Settings
OMP Enforcements — Modify   Change ATO settings, approve/reject messages, release users from enforcement

Frequently asked questions

  1. What happens if I haven't configured an action for a detected risk level?
     Messages are delivered normally. Only risk levels with an entry in the risk map trigger enforcement.

  2. Can enforcement be extended automatically?
     Yes. If new signals above threshold arrive while a user is already in enforcement, the Time in Force window resets from that point, extending the enforcement period.

  3. What happens to quarantined messages when enforcement expires?
     Any messages still in quarantine that were not manually approved are automatically rejected (discarded).

  4. Does ATO affect inbound email?
     No. ATO detection is outbound only.

  5. Does ATO use my existing burst and link detection settings?
     Yes. Your configured Burst Detection, Dangerous Link Detection, and Spam/Phishing Detection settings all feed into ATO scoring.