Account takeover is one of the most common ways organizations get breached and one of the hardest to train users on. That is not because users don't care, but because training usually happens in unrealistic scenarios, long before or long after the moment it would actually matter.
Here's what most security teams don't realise: if you have KnowBe4’s Real-Time Coaching, SecurityCoach, connected to Microsoft 365, Google Workspace, or your identity provider, you already have everything you need to coach users in the moment an account takeover attempt is happening against them.
How Account Takeover Attacks Unfold
It usually begins with a phishing email. A user clicks a link, lands on a convincing fake login page, and types in their credentials. Or, increasingly, they complete MFA perfectly and an adversary-in-the-middle attack silently steals their session token anyway.
From there, the attacker moves fast:
- They sign in from a new location or device
- They create a silent email forwarding rule so every email the user receives, including password reset links, goes to the attacker too
- They start exploring, escalating, and eventually exfiltrating
The whole chain can unfold in hours. And the user has no idea any of it happened.
Where SecurityCoach Fits In
SecurityCoach monitors the signals your existing security tools (Microsoft 365, Entra ID, your endpoint protection) are already generating, and then fires a personalized security tip when something happens that the user needs to know about.
That tip isn't a generic phishing awareness video. It's a short, targeted message about what just happened to them, what it means, and what to do right now.
Here's what that looks like across the account takeover chain:
When a User Clicks a Malicious Link in an Email
Before they've even closed the browser tab, SecurityCoach can reach them: "Did you know? You just clicked a link flagged as malicious. Modern phishing attacks can capture your session even after you've completed MFA. Contact IT security now: here's the link."
When a Suspicious Sign-In Appears on Their Account
The morning after an attacker tests stolen credentials, the real user gets a tip: "Did you know? A sign-in to your account was detected from an unexpected location. Here's how to check your active sessions and sign out of any device you don't recognise."
When an Email Forwarding Rule is Created
This is one of the most reliable post-compromise signals, and most users have no idea it's even possible: "Did you know? A forwarding rule was set up on your account that sends your emails to an external address. If you didn't create this rule, your account may be compromised. Here's how to find and delete it right now."
Each of these moments is a coaching opportunity that would never exist in a once-a-year training module. But they happen naturally because the attack is already generating signals in your security stack.
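The forwarding-rule signal described above can be checked directly in mailbox audit data. This is an added example, not KnowBe4's code and not how SecurityCoach implements its rule; it assumes audit records exported one JSON object per line in the Microsoft 365 unified audit log shape (`Operation`, `UserId`, `Parameters`), and `INTERNAL_DOMAINS` and the sample records are constructed.

```python
import json

# Exchange Online audit operations and the parameters that set up forwarding.
RULE_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
FORWARD_PARAMS = {
    "New-InboxRule": RULE_PARAMS,
    "Set-InboxRule": RULE_PARAMS,
    "Set-Mailbox": {"ForwardingSmtpAddress"},
}
INTERNAL_DOMAINS = {"example.com"}  # assumption: the tenant's accepted domains

def external_targets(value):
    """Return the addresses in a parameter value that are outside the tenant."""
    out = []
    for part in str(value).replace(",", ";").split(";"):
        addr = part.strip().lower()
        if addr.startswith("smtp:"):
            addr = addr[5:]
        if "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS:
            out.append(addr)
    return out

def find_external_forwarding(lines):
    """Return (user, operation, targets) for records that forward mail externally."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
            params = rec.get("Parameters") or []
        except (json.JSONDecodeError, AttributeError):
            continue  # skip truncated or non-object lines instead of aborting
        wanted = FORWARD_PARAMS.get(rec.get("Operation"), set())
        targets = []
        for p in params:
            if p.get("Name") in wanted:
                targets += external_targets(p.get("Value", ""))
        if targets:
            hits.append((rec.get("UserId"), rec["Operation"], targets))
    return hits

# Constructed sample records (not real tenant data), one JSON object per line.
SAMPLE = [
    '{"Operation":"New-InboxRule","UserId":"alice@example.com","Parameters":[{"Name":"ForwardTo","Value":"drop@mailbox.invalid"}]}',
    '{"Operation":"New-InboxRule","UserId":"bob@example.com","Parameters":[{"Name":"ForwardTo","Value":"lead@example.com"}]}',
    '{"Operation":"Set-Mailbox","UserId":"carol@example.com","Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:archive@collector.invalid"}]}',
    '{"Operation":"New-InboxRule","UserId":"dave@example.com","Parameters":[{"Name":"MoveToFolder","Value":"News"}]}',
    '{"Operation":"New-InboxRule","UserId":"erin@exa',
]
print(find_external_forwarding(SAMPLE))
```

Internal forwards (bob) and non-forwarding rules (dave) are ignored, so only the two external targets are reported.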
You Probably Already Have What You Need
If your organisation uses Microsoft 365, connecting it to SecurityCoach activates system detection rules covering the full account takeover chain, from phishing delivery through to post-compromise persistence.
Add your identity provider (Microsoft Entra ID, Okta, or Google IAM) and you pick up the sign-in risk signals: impossible travel, logins from malicious IP addresses, anomalous account behaviour.
Most organisations already have these tools. SecurityCoach turns the signals they're already generating into real-time coaching moments their users will actually remember because the training arrives the moment it's relevant.
Getting Started
Four steps to put this in place:
- Connect Microsoft 365 to the KnowBe4 Platform. Detection rules activate automatically once connected and Risk Score gets augmented with additional data points.
- Connect your identity provider. This is where the richest ATO signals live. Together with Microsoft 365, these integrations cover the full account takeover chain:
| Integration | ATO detection rules activated |
|---|---|
| Microsoft 365 | Creation of Email Forwarding or Redirect Rule, Suspicious Email Forwarding Activity, Suspicious Email Sending Patterns Detected, Escalation of Exchange Admin Privilege Detected, Malicious URL Clicks Detected |
| Microsoft Entra ID | Login from an Unexpected Location, Login from a Malicious IP Address, Unexpected User Behavior Detected, User Credentials Leaked |
| Microsoft Defender for Cloud Apps | Credentials Leak Detected, Password Spraying Attack Detected, Multiple Failed Login Attempts, Risky Login Detected, Suspicious Inbox Forwarding Detected |
| Okta | Invalid Credentials, Suspicious Account Activity Detected, Threat Detected |
| Google Workspace | Account Hijacked, Suspicious Login, Leaked Password, Login Failure, 2-Step Verification Disabled |

If you use KnowBe4 PasswordIQ, connecting it surfaces Breached Password Detected, Shared Password Detected, and Weak Password Detected: three credential-exposure signals that fire before an attacker even attempts a login.
- Review your Detection Rules report. Once your integrations are connected, this shows you which rules are already firing across your user base, a practical way to prioritise which behaviours to focus your first coaching campaign on.
- Create a Real-Time Coaching Campaign. Detection rules log events but don't deliver anything on their own; the campaign is what connects a detected behaviour to a security tip. In the campaign you select which detection rules should trigger coaching, pick a SecurityTip from KnowBe4's pre-built content library (organised by topic, automatically localised to each user's language), and configure delivery method and frequency. You can customize the notification text to match your organisation's voice, or you can create a custom security tip.
Security awareness works best when it meets users at the point of risk. With SecurityCoach, an account takeover attempt doesn't just become a security incident; it becomes the most relevant Real-Time Coaching that a user will ever receive.
