Mimecast Account Takeover Protection (ATO) is now generally available - detecting compromised user accounts and alerting your security team instantly, complete with the context and recommended actions needed to respond fast. After an early access period beginning in late October 2025, we're thrilled to bring this capability officially to market.
Account takeover attacks are among the fastest-growing threats organizations face. Once inside using valid credentials, attackers can move silently - sending malicious emails, stealing data, or pivoting to other accounts - often for weeks before detection. ATO closes this gap by correlating behavioral signals across email and, if you interconnect, identity systems using AI, surfacing high-confidence alerts within tools your team already uses.
How It Works
ATO draws on multiple signal sources, continuously analyzed against each user's behavioral baseline:
- Outbound email activity - monitors for unusual sender volumes, malware distribution, phishing, and spam originating from within your organization, plus cross-customer reported messages
- Microsoft Entra ID (optional) - when connected, enriches detection with identity signals including risky sign-ins, impossible travel, and authentication anomalies
When activity crosses a risk threshold, our AI model generates a scored alert directly in the investigation interface. From there, analysts can review the full signal timeline, execute recommended actions - such as resetting credentials, revoking access, or pausing email flow. If desired, you can forward alerts to your SIEM or SOAR via API.
Availability & Packaging
Included at no additional cost - ATO is automatically enabled for MX-based customers on the following plans, with no configuration required beyond notification preferences:
- Critical Email & Collaboration Threat Protection
- Advanced Email & Collaboration Threat Protection
- Premium Email & Collaboration Threat Protection
Available globally, with hybrid environment and Google Workspace support.
Not included: ATO is not available on old plans & SKUs or Email Security Cloud Integrated plans. Contact your Mimecast Account Manager if you want to discuss eligibility.
To get started, log in to your Mimecast console and configure your notification preferences.
