Stop account takeovers due to identity theft with Baobab MDR

Summary: A managing director accidentally enters their login credentials on a fake login page. The attacker uses these credentials to log in from abroad, covertly redirects invoice emails, and prepares a payment fraud. Since the credentials are real, traditional security software doesn't raise an alarm – however, the Baobab MDR Service still detects that the login cannot possibly be legitimate and blocks the account before any money is transferred.
Who is this use case relevant for?
This scenario affects companies that:
- handle their business communication and invoicing via a cloud platform like Microsoft 365
- have executives or teams working remotely or from home who log in from varying locations
- do not have their own 24/7 monitoring of their logins and want to meet the requirements for modern cyber insurance
In short: Any company whose payment transactions and email communication run through a cloud environment.
Attack Overview
In the hectic daily business, a managing director falls victim to a well-designed phishing email and enters their login credentials on a fake login page. The attacker uses these genuine credentials to log in to the mailbox – automatically and from abroad – appearing as a legitimate login. To the cloud platform, this appears as a normal, successful login.
Immediately afterwards, the attacker sets up a hidden forwarding rule: Any email containing terms like "invoice" or "payment" will automatically be sent to an external address, while system warnings are deleted. Subsequently, they review past conversations to send fake invoices or altered payment terms to the accounting department in the name of the management.
Attack Flow: Without and With Baobab MDR

Consequences of such an attack
- Financial: According to an analysis by the Anti-Phishing Working Group attackers demanded an average of approximately 128,980 euros per incident in such scams. For larger companies with correspondingly high payment volumes, the damage can be significantly higher – according to expert reports, known cases in Germany and the USA sometimes reached double-digit millions, such as 40 million euros at the automotive supplier Leonie in 2016. Since the attacker operates under a genuine, trusted identity, the fraud is often only noticed weeks later – usually only when suppliers demand outstanding payments.
- Contractual Risks: Through the monitored mailbox, documents such as framework agreements with suppliers, price and condition agreements, bank details and payment data, customer lists, or even confidential documents related to ongoing negotiations (e.g., company participations or tenders) can be exfiltrated.
- Reputation: If business partners actually receive a fake payment request or altered bank details in the name of the management, this permanently damages the relationship – regardless of whether the payment is actually made. In addition, there are potential follow-up costs for forensic investigation, legal advice, and internal processing, as well as, in the worst case, public reporting that undermines the overall trust of customers and partners in the company's IT security.
Without Baobab MDR: Why traditional security solutions remain blind here
Classic, signature-based protection programs don't work here because no malware is involved. Setting up email forwarding or reading old messages are normal, permitted functions of any cloud platform. Without checking whether the login behavior is plausible at all, the attacker remains invisible to the system – after all, they log in with genuine credentials.
With Baobab MDR: How the attack is stopped
Baobab MDR does not rely on whether the credentials are correct, but rather checks whether the login behavior is plausible at all – around the clock, worldwide.
- Detection: The CEO logs in from their office in Berlin in the morning. A few minutes later, another successful login for the same account occurs – this time from the USA. Since this distance cannot be covered in such a short time, the system immediately raises an alarm.
- Investigation: An analyst team evaluates the incident 24/7 in its overall context: The impossible login is immediately followed by the setup of email forwarding and mass access to old invoices – a clear pattern for an automated account takeover.
- Response: The affected account is immediately locked, all active login sessions worldwide are terminated, the malicious forwarding rule is automatically deleted, and access for the attacker's address is blocked.
Direct Comparison
Benefits of Baobab MDR
- Protects even with legitimate credentials: Detects attacks where the attacker logs in legitimately – a blind spot for traditional solutions and even pure multi-factor authentication
- Machine-speed detection: Since automated attacks occur within seconds, only an equally fast, automated response reliably protects the cloud environment
- Targeted, not blanket, response: Only the affected account is locked – the rest of the business operations continue undisturbed
- Maintaining Business Relationships: Since forwarding is removed before fraudulent invoices are sent, customers and suppliers never receive fraudulent messages
Protect your leadership and payment processes from undetected account takeovers. Speak with our experts to learn how Baobab MDR secures your critical communication channels.

FAQ
What does it mean if a login is "impossible"?
The system compares the location and time of two consecutive logins for the same account. If a user logs in from Germany in the morning and then from the USA a few minutes later, this distance cannot be physically covered in that time. This is a clear sign of an automated attack using stolen credentials.
How does Baobab MDR prevent third parties from reading emails without detection?
After an account takeover, attackers often set up hidden rules that automatically forward emails to an external address. Baobab MDR monitors changes to mailbox settings in real-time – any newly created forwarding rule for sensitive accounts immediately triggers an alarm and is stopped if suspicious.
Isn't Multi-Factor Authentication (MFA) sufficient protection?
MFA is essential basic protection, but it can be bypassed by modern phishing methods where attackers directly hijack an already confirmed login session. Baobab MDR addresses this directly: It monitors account behavior after login and stops the attacker even if the MFA hurdle has already been overcome.


