Email Account Takeover (ATO) attacks occur when a threat actor gains unauthorized access to an email account belonging to someone else. Cybercriminals obtain stolen user credentials through trade or purchase on the dark web. Typically, the credentials are obtained through spear-phishing attacks that serve the victim a URL to a web page impersonating legitimate services like MS Office365 (Figure 1). Office365 is one of the top impersonated brands for email hosting services, according to SlashNext’s Phishing Research Lab. Other top impersonated brands include GSuite, Roundcube, Zimbra, and YandexMail.