Account Takeover

About ATO cases

The Account Takeover page lets you see a list of the FortiMail Workspace Security ATO cases that have been opened in your organization. Each case represents a suspected security incident within an email account in your organization. A case may be opened when FortiMail Workspace Security detects a suspected ATO attempt, for example when a suspicious mail Inbox rule is set or a suspicious login to an email account is attempted.

Note: Suspected ATO attempts are detected by FortiMail Workspace Security only if the ATO functionality is enabled for the organization. The ATO functionality is available for Microsoft 365 installations only [Inline and API]. For details, see Configuring Microsoft 365 - ATO detection.

Typically, cases are added based on a combination of suspicious activities that may originate in multiple integrated channels.

The Account Takeover page includes suspicious activity only. In contrast, the Events page lists all events that have occurred in FortiMail Workspace Security - even if the events are not suspicious. For details, see Events.

To show the Account Takeover page:

  • In FortiMail Workspace Security, in the left navigation menu, select Security Operations > Account Takeover.

Any admin user with the "Controller" role or the Administrator role can access the Account Takeover page.

Note: The Account Takeover page will be available only if a Microsoft 365 integration [Inline or API] is enabled for the organization.

Case alerts

Suspicious incidents that are detected in an email account, such as the creation of a suspicious mailbox rule, may create alerts. Alerts are the building blocks of every case. Each case can include one or more alerts. By including multiple alerts in a case, the comprehensiveness of the case is enhanced, making the case easier to review, analyze, and resolve. When an alert is created, a new case may be opened. More significant alerts, known as trigger alerts, are able to open a new case. Every case will have one or more trigger alerts. Less significant alerts may be insufficient to open a new case.

After a case has been opened [and remains open], as additional alerts are created, they are added to the case. When a case has the Closed status, new alerts are no longer added to the case. Instead, when necessary, a new case will be opened and the new alerts will be added to the new case.

Some alerts may include one or more events.

The following are some of the alerts that may be included in a case:

  • Suspicious rules

    • Suspicious rule created

    • Suspicious Junk folder rule created

    • Suspicious Inbox rule created

    • Suspicious Inbox rule changed

    • Suspicious forwarding rule created

    • Suspicious RSS rule created

  • Suspicious login activity detected

  • Suspicious failed login activity detected

Handling cases - the process

Each entry in the Account Takeover page has a status - Open, Under investigation, or Closed. The status indicates where the case is in the investigation process. Use the "case handling" process described below to make sure that all cases are either in the Closed status, or are progressing towards the Closed status.

Each new case is assigned the Open status. You can configure FortiMail Workspace Security to send an email alert each time a new case is opened. [For details, see Sending email alerts [notifications] below.] When you receive an email alert, use the available filters to locate the new case in the Account Takeover page, review the information that is displayed, and then begin to handle the case [as described below].

If a case includes any changes to its status, then a Case History button will appear. Use this button to display a summary of the changes that have been made to the status of the case.

For any case in the Account Takeover page, you can click Handle Case to proceed with the investigation process. The actions available when you click Handle Case depend on the current status of the case, as follows:

Current status: Open

Request an investigation

Reason: You aren't sure if the case is a true positive [TP] or a false positive [FP], and you want the FortiMail Workspace Security IR Team to investigate the case.

  • Indicate if you think that the case is a true positive [TP] or a false positive [FP].

  • Add information that may assist the FortiMail Workspace Security IR Team with their investigation.

  • The case status will change to Under Investigation.

  • The FortiMail Workspace Security IR Team will then investigate the case.

Close the case

Reason: You are sure that the case is either:

  • a true positive [TP], and you have already addressed the issue

    - or -

  • a false positive [FP], and there is no need to address the issue

You'll need to specify the case accuracy:

  • This case is a true positive [TP], or

  • This case is a false positive [FP]

The case status will change to Closed.

Current status: Under Investigation

No Handle Case functionality is available. The case is waiting for the FortiMail Workspace Security IR Team to complete their investigation. The FortiMail Workspace Security IR Team will either:

  • close the case. This occurs typically when the FortiMail Workspace Security IR Team agrees that the case is a false positive [FP]

    - or -

  • open the case again, after entering more information. Your input will be required again in order to continue the investigation process.

Current status: Closed

Re-open the case

Reason: You have reviewed the case history, and now you want to indicate that you think that the case is a true positive [TP] or a false positive [FP].

  • The case status will change back to Open.

Request an investigation

Reason: You have reviewed the case history, and now you want the FortiMail Workspace Security IR Team to [re]investigate the case.

  • You'll need to specify the case accuracy:

    • I think this case is a true positive [TP]

    • I think this case is a false positive [FP]

  • The case status will change to Under Investigation.

  • The FortiMail Workspace Security IR Team will then [re]investigate the case.

Sending email alerts [notifications]

You can configure FortiMail Workspace Security to send an email alert [notification] each time a new case is opened. The alert is sent to one or more admin users. For details, see Alert via email on malicious cases. When you receive an email alert, use the available filters in the Account Takeover page to locate the new case. Review the information that is displayed, and then begin to handle the case, as described in Handling cases - the process above.

Note: Email alerts are not sent to end-users - they are sent to admin users only.

Existing ATO cases

Email alerts are sent only when a new ATO case is opened. When additional suspicious activity [such as an alert or an event] is added to an open ATO case, an email alert is NOT sent.

After an ATO case is closed, if suspicious activity is then detected for the same user, a new case will be triggered [opened] and an email alert will be sent.
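The case rules described above (trigger alerts open a case, other alerts only join a case that is still open, a closed case never receives new alerts, and an email alert is sent only when a case is opened) can be modelled as a small state machine. The following Python is an added example written for this page, not FortiMail Workspace Security code. Which alerts count as trigger alerts, the severity ordering, the action names (request_investigation, close, ir_close, ir_reopen, reopen), and the sample mailbox are constructed assumptions, since the page does not specify them.

```python
"""Illustrative model of ATO case aggregation and Handle Case status changes.

Added example, not FortiMail Workspace Security code. It encodes the rules the
page states: trigger alerts open cases, other alerts only join an open case,
closed cases never receive new alerts, and an email notification is sent only
when a case is opened. Trigger flags, severity ordering, action names and the
sample alerts are constructed assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Status(Enum):
    OPEN = "Open"
    UNDER_INVESTIGATION = "Under Investigation"
    CLOSED = "Closed"


# Assumption: case severity is the highest severity among its alerts.
SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2}


@dataclass
class Alert:
    account: str
    name: str
    severity: str
    trigger: bool  # assumption: only trigger alerts may open a case


@dataclass
class Case:
    case_id: int
    account: str
    status: Status = Status.OPEN
    alerts: List[Alert] = field(default_factory=list)
    history: List[str] = field(default_factory=list)  # shown by "Case History"

    @property
    def severity(self) -> str:
        return max((a.severity for a in self.alerts), key=lambda s: SEVERITY_RANK[s])


# (current status, action) -> new status. Actions starting with "ir_" are
# taken by the IR Team; the others are the admin's Handle Case choices.
TRANSITIONS = {
    (Status.OPEN, "request_investigation"): Status.UNDER_INVESTIGATION,
    (Status.OPEN, "close"): Status.CLOSED,
    (Status.UNDER_INVESTIGATION, "ir_close"): Status.CLOSED,
    (Status.UNDER_INVESTIGATION, "ir_reopen"): Status.OPEN,
    (Status.CLOSED, "reopen"): Status.OPEN,
    (Status.CLOSED, "request_investigation"): Status.UNDER_INVESTIGATION,
}


class CaseTracker:
    def __init__(self) -> None:
        self.cases: List[Case] = []
        self.notifications: List[str] = []  # one entry per email alert sent
        self._next_id = 1

    def _active_case(self, account: str) -> Optional[Case]:
        """Return the account's non-closed case, if there is one."""
        for case in self.cases:
            if case.account == account and case.status is not Status.CLOSED:
                return case
        return None

    def ingest(self, alert: Alert) -> Optional[Case]:
        """Attach an alert to the account's open case, or open a new one."""
        case = self._active_case(alert.account)
        if case is not None:
            case.alerts.append(alert)  # added activity sends no email alert
            return case
        if not alert.trigger:
            return None  # a non-trigger alert is insufficient to open a case
        case = Case(self._next_id, alert.account, alerts=[alert])
        self._next_id += 1
        self.cases.append(case)
        self.notifications.append(f"case {case.case_id} opened for {alert.account}")
        return case

    def handle(self, case: Case, action: str, verdict: Optional[str] = None) -> Case:
        """Apply a Handle Case action; verdict is 'TP' or 'FP' where required."""
        new_status = TRANSITIONS.get((case.status, action))
        if new_status is None:
            raise ValueError(f"{action!r} is not allowed while {case.status.value}")
        if action in ("request_investigation", "close") and verdict not in ("TP", "FP"):
            raise ValueError("a TP/FP verdict is required for this action")
        case.history.append(f"{case.status.value} -> {new_status.value} ({action}, {verdict})")
        case.status = new_status
        return case


def run_scenario() -> CaseTracker:
    """Walk one constructed mailbox through the lifecycle described on the page."""
    t = CaseTracker()
    acct = "user@example.com"  # constructed sample account
    t.ingest(Alert(acct, "Suspicious login activity detected", "Low", trigger=False))
    t.ingest(Alert(acct, "Suspicious Inbox rule created", "High", trigger=True))
    t.ingest(Alert(acct, "Suspicious failed login activity detected", "Low", trigger=False))
    t.handle(t.cases[0], "close", "FP")
    t.ingest(Alert(acct, "Suspicious forwarding rule created", "High", trigger=True))
    return t


if __name__ == "__main__":
    tracker = run_scenario()
    for case in tracker.cases:
        print(case.case_id, case.status.value, case.severity, [a.name for a in case.alerts])
    print(tracker.notifications)
```

Running the scenario shows the two points an analyst most often asks about: the non-trigger login alert that arrives before any case exists is dropped rather than queued, and once the first case is closed the next trigger alert opens case 2 and produces a second email alert instead of reopening case 1.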

Transitioning to the new Account Takeover page

On 8 July 2025, the existing Cases page in FortiMail Workspace Security was replaced by the new Account Takeover page. All cases from the Cases page were transferred to the new Account Takeover page. Email alerts for these cases were originally sent out when the cases were first opened in the Cases page. When additional suspicious activity [such as an alert or an event] is first added to one of these "transferred" cases in the new Account Takeover page, a new email alert will be sent. This email alert will refer to the original date on which the case was first opened in the Cases page, but will redirect to the new Account Takeover page. After this additional email alert is sent, no further email alerts will be sent for this case. Use the "case handling" process described above to handle the case as required.

Case status

Each entry in the Account Takeover page has a status. The status indicates where the case is in the investigation process. The status can be any of the following:

Open

The case has been opened. It has not yet been investigated by the FortiMail Workspace Security IR Team. The FortiMail Workspace Security IR Team won't investigate the case while it has the Open status.

Under Investigation

The case is being investigated by the FortiMail Workspace Security IR Team.

Closed

The case is now closed. No further investigation into the case will be performed - unless the case is re-opened.

You can click Handle Case to change the status of a case. For details, see Handling cases - the process above.

You can use the case Status to filter the cases that are shown in the Account Takeover page.

Case severity

FortiMail Workspace Security assigns a severity to each case when the case is created. The severity of each case is based on the alerts that are included in the case. You can't modify the severity of a case. The severity can be:

  • Low: For example, a user logged in.

  • Medium: For example, "Suspicious Inbox rule was detected".

  • High: For example, a user set up a mailbox rule that appears to be suspicious, such as "Suspicious Inbox rule created".

You can use the case Severity to filter the cases that are shown in the Account Takeover page.