I’ve Been ATO’d! What to Do After an Account Takeover

August 18, 2023
Written by
Christy Henderson
Opinions expressed by Twilio contributors are their own
Reviewed by
Ravleen Kaur
Opinions expressed by Twilio contributors are their own

I’ve Been ATO’d! What to Do After an Account Takeover

When you send as much email as we do at Twilio SendGrid, you see a lot of highs and lows. And in our experience, one thing will always be true: if your company sends email to your customers, bad actors will be searching for an opportunity to use your good reputation with inbox providers to their advantage. Most commonly, bad actors will exploit inadvertent weaknesses of your email account credentials. If you have found your account suddenly sending unauthorized email, or you have heard from our consumer trust team that your account has been identified as suspicious, then this blog is for you. 

What is an ATO?

An ATO, or an account takeover, refers to a bad actor being able to gain access to your email account, enabling them to impersonate your business credentials and send email on your behalf. There are many reasons a bad actor might try to take over your email program. Oftentimes, they want to piggyback on the good relationship and reputation that your program has built with internet service providers (ISPs) and to improve the chances of delivering unwanted spam or phish to inboxes. We often see the behavior originate from open webforms and “invitation” style sharing features on customers' websites. Sometimes, this takes the form of a compromised WordPress plug-in or the lack of human verification, such as Captcha or reCaptcha. These issues are generally resolvable and are well-documented.

What is less discussed is when a bad actor manages to gain your login or API credentials and has direct access to send mail from your SendGrid account. SendGrid’s compliance teams refer to this as an account compromise or ATO. In almost every scenario of ATO, a bad actor will use your account to send spam or phishing emails quickly and in large amounts, taking advantage of your existing email reputation to reach people quickly.

Can I prevent an ATO?

Yes, you can prevent an ATO! Usually, the steps taken to prevent an ATO are the same steps you must take once you’ve been ATO’d. Ever heard the phrase “prevention is better than cure?" Well, there has never been a truer example.

So I’ve been ATO’d… what do I do?!

1. Secure your email account and identify the root cause of any compromise

Once you’ve been ATO’d, the first thing you need to do is secure your email account.We see that an exposed API key is the most common cause of an ATO. Any compromised key needs to be removed. Before it is replaced, it’s vital that you discover how your API key was initially exposed so you can prevent other exposures in the future.  

Here are some common ways we see API keys discovered by bad actors:
  • Public code repositories
  • Exposed .env files
  • Laravel Debug mode running in production
At this point, SendGrid’s support and compliance teams have likely already reached out to you with detailed steps to secure your email sending. If not, be sure to reach out to SendGrid support, so our team can guide you in identifying the root cause of your compromise.  

2. Review your email security practices 

Once you’ve identified the root cause of the compromise, assess your security practices on your SendGrid account and other websites and apps that access Twilio SendGrid. Then, take a look at some email security best practices and evaluate if your email program could benefit from some changes.

To help secure your SendGrid account further, follow these steps: As mentioned, most account compromises these days are from inadvertent API key exposure somewhere in your environment. Often, a website or a web app is the culprit. Be sure your entire team is up-to-date with best practices to keep your product secure. 

3. Review your account for any other signs of compromise 

Depending on the level of access the compromised API key has, there is a chance a bad actor has made changes to your account. Common tactics we see fraudsters use is to create their own sub-users, teammates, or new API keys on your account so that they can continue sending in the event you catch only one vector of their misuse. 

4. Monitor your sending reputation 

Is my reputation ruined forever? No! The good news is that a one-time compromise will not ruin your reputation beyond repair, but you may need to change your sending behavior for a little while as mailbox providers learn that your email account has recovered to its good standing. 

There is one question you should ask yourself: am I experiencing an increase in blocks on my legitimate mail? 
  • If the answer here is “no,” then great! You likely have little to worry about regarding your reputation, but do keep a close eye for any abrupt changes.
  • If the answer is “yes,” then we expect that these blocks are mentioning complaints, reputation, or blocklisting.
Even after your account is secured and your sending has returned to normal, your email delivery statistics will continue to be affected. For days, or potentially weeks, trailing the ATO recovery, recipients will continue to engage with that unwanted mail. Complaint, bounce, and block rates will likely all increase; delivery rates will likely decrease. 

Similarly, reputation errors can increase during or after an ATO. This is because the quality of email observed by ISPs sending from your IPs or domains has changed, and it is less reputable than before. As your open, bounce, and complaint rates normalize, these errors should subside. 

Enhance your email program with Twilio SendGrid  

When investigating your email delivery statistics and reputation, it’s important to focus on your legitimate mail. If your delivery of this wanted mail doesn’t stabilize within a few days of the ATO recovery then we suggest sending only to your most positively engaged subscribers for a period of 7–30 days following the ATO. Basically, you have to re-warm your domain + IPs. This will give reputation-based filters time to adjust and see positive interaction with your emails. After this, you should be able to resume business as usual. 

Interested in learning more? Reach out to our expert team for  help with improving your email program’s performance, preventing ATOs, and more. 

Recommended For You

Most Popular

Send With Confidence

Partner with the email service trusted by developers and marketers for time-savings, scalability, and delivery expertise.