
What are Compromised Accounts?

Compromised Accounts occur when fraudsters take over existing accounts (email, social media, cloud, or corporate) to exploit previously established trust relationships in subsequent attacks.

Arsen Team

Compromised Accounts maps to Resource Development in the MITRE F3 Framework. Rather than building fake personas from scratch, fraud actors hijack real accounts, taking advantage of the trust and credibility already established with the victim's contacts.

Sub-techniques

| Sub-technique | Primary Risk |
| --- | --- |
| Email Accounts | Thread hijacking, phishing from a trusted sender |
| Corporate Accounts | Fraudulent payment authorisations, BEC |
| Cloud Accounts | Infrastructure abuse, mass phishing via SaaS |
| Social Media Accounts | Spear-phishing via trusted connections |

How are accounts compromised?

  • Phishing for Information: Fake login pages harvest credentials directly.
  • Credential purchases: Third-party breach dumps sold on underground markets.
  • Brute force: Password reuse exploited through credential stuffing.
  • Insider access: Employees or partners bribed or coerced into providing credentials.
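For defenders, the credential stuffing route above leaves a recognisable trace in authentication logs: one source fails against many different accounts, then succeeds on one. The following is an added example, not part of the original article; the log format, field order, thresholds and sample entries are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format): timestamp ip user result.
# Entries are assumed to be in chronological order.
SAMPLE_LOG = """\
2024-05-01T10:00:00 198.51.100.20 dana FAIL
2024-05-01T10:00:40 198.51.100.20 dana FAIL
2024-05-01T10:01:10 198.51.100.20 dana OK
2024-05-01T10:02:00 203.0.113.7 alice FAIL
2024-05-01T10:02:02 203.0.113.7 bob FAIL
2024-05-01T10:02:04 203.0.113.7 carol FAIL
2024-05-01T10:02:06 203.0.113.7 dave FAIL
2024-05-01T10:02:08 203.0.113.7 erin FAIL
2024-05-01T10:02:10 203.0.113.7 frank OK
2024-05-01T11:30:00 203.0.113.7 grace OK
""".splitlines()


def find_stuffing_compromises(lines, min_users=5, window=timedelta(minutes=10)):
    """Return (ip, user, time) for each successful login from an IP that
    failed against at least `min_users` other accounts within `window`."""
    recent_fails = defaultdict(deque)  # ip -> deque of (time, user)
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of crashing
        stamp, ip, user, result = parts
        when = datetime.fromisoformat(stamp)
        fails = recent_fails[ip]
        # Drop failures that have aged out of the sliding window.
        while fails and when - fails[0][0] > window:
            fails.popleft()
        if result == "FAIL":
            fails.append((when, user))
        elif result == "OK":
            # Count distinct *other* usernames: one user mistyping
            # their own password a few times is not stuffing.
            others = {u for _, u in fails if u != user}
            if len(others) >= min_users:
                hits.append((ip, user, stamp))
    return hits


if __name__ == "__main__":
    for ip, user, stamp in find_stuffing_compromises(SAMPLE_LOG):
        print(f"{stamp} likely compromised: {user} (source {ip})")
```

On the sample data only the login for frank is flagged; dana's mistyped password and the later, unrelated login from the same address are not.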

Why is account compromise more dangerous than a fresh fake account?

An existing email thread, a known LinkedIn profile, or a recognised corporate address dramatically increases victim trust. A fraud actor operating from a compromised account does not need to build rapport: it already exists. This is what makes business email compromise (BEC) and thread hijacking so effective: the victim sees a familiar sender and conversation history.

Key takeaways

  • Compromise Accounts is a Resource Development technique in MITRE F3 with four sub-techniques.
  • Attackers prefer compromised real accounts over fabricated ones because trust is pre-established.
  • Email and corporate account compromise directly enables phishing, BEC, and wire fraud.
  • Cloud account compromise enables infrastructure abuse: mass phishing via AWS SES, SendGrid, or Twilio.
  • Social media account compromise supports spear-phishing via direct messages on trusted platforms.

What is MITRE Fight Fraud Framework™ (F3)?

The MITRE Fight Fraud Framework (F3) is a curated knowledge base of tactics, techniques, and sub-techniques used by fraud actors in cyber-based financial fraud incidents. Developed by MITRE's Center for Threat-Informed Defense in collaboration with FS-ISAC, JPMorganChase, and Lloyds Banking Group, it provides a common language for fraud-fusion teams to describe, detect, and prevent financial fraud. F3 is modeled after MITRE ATT&CK® and focuses on banking institutions as its initial scope.



Frequently Asked Questions

Account compromise methods include credential phishing, purchasing leaked credentials, brute force via password reuse, and paying or coercing insiders. Compromised email accounts are then used for thread hijacking and targeted phishing.

Corporate accounts provide legitimate access to approval workflows, payment systems, and customer data. Once inside, attackers can authorise fraudulent payments, modify vendor details, and expand access to further systems without triggering identity alerts.

Employees who can recognise phishing and vishing attempts are less likely to surrender credentials in the first place. Simulating account compromise scenarios trains staff to verify requests through out-of-band channels.

Compromised Accounts is a Resource Development technique covering fraud actors taking over existing email, corporate, cloud, or social media accounts to exploit the trust already placed in those accounts by victims and colleagues.