Subscribe to the Non-Human & AI Identity Journal
Governance, Ownership & Risk

ATO Jumping

← Back to Glossary
By NHI Mgmt Group Updated July 14, 2026 Domain: Governance, Ownership & Risk

A post-compromise technique where an attacker uses one stolen account to launch more phishing or abuse from a trusted position. It turns the initial account takeover into a distribution channel, expanding the blast radius across contacts, mailboxes, and internal workflows.

Expanded Definition

ATO Jumping describes a post-compromise abuse pattern in which a threat actor turns one stolen account into a launch point for additional phishing, business email compromise, or workflow abuse. The initial account takeover is only the foothold; the attacker then uses the account’s trust, relationships, and permissions to amplify reach. In NHI and IAM environments, this often matters as much for service accounts and API-connected identities as it does for human mailboxes, because trusted identity context can be reused to trigger automated actions at scale.

Definitions vary across vendors, but the core idea is consistent: the compromise is not the end state, it is the distribution mechanism. That makes ATO Jumping closely related to lateral movement, trusted-sender abuse, and identity-based propagation, though it is narrower than general post-exploitation activity. NHI Management Group treats the term as an operational pattern, not a formal control category, so it should be mapped to credential hygiene, anomaly detection, and privilege containment. For broader identity governance context, see Ultimate Guide to NHIs and the NIST Cybersecurity Framework 2.0.

The most common misapplication is treating ATO Jumping as ordinary phishing volume, which occurs when analysts focus on the first compromised login and miss the trusted outbound abuse that follows.

Examples and Use Cases

Implementing detection and response for ATO Jumping rigorously often introduces a tradeoff between trust-based automation and tighter identity controls, requiring organisations to weigh user efficiency against faster blast-radius containment.

  • A compromised employee mailbox sends credential-reset requests to internal support teams, then uses the trusted account to push malicious links to coworkers.
  • A stolen API key is used to trigger automated notifications or integrations, allowing the attacker to distribute malicious content through legitimate workflow channels.
  • A service account with mail-sending permissions is abused to send high-confidence spearphishing from a monitored internal address, bypassing sender skepticism.
  • An attacker who gains access to a privileged admin account uses the account’s existing trust to approve secondary access requests or modify routing rules.
  • A cloud identity session token is reused to invoke downstream actions across connected systems, turning one compromise into multiple trust violations. For identity context, the Ultimate Guide to NHIs is a useful reference point, while NIST Cybersecurity Framework 2.0 helps frame detection and response outcomes.

These cases are especially relevant when identity compromise is paired with automation, because the trusted account can operate faster and more convincingly than a standalone malicious sender.

Why It Matters in NHI Security

ATO Jumping is a governance problem as much as an incident-response problem. Once one identity is compromised, the attacker may inherit access to secrets, mail flows, service integrations, or delegated permissions that were never designed for hostile reuse. NHI Management Group’s research shows that 97% of NHIs carry excessive privileges, which means a single stolen identity can often do far more than its owners expect. That risk is amplified when secrets are stored poorly or rotated too slowly, conditions documented in the Ultimate Guide to NHIs.

Practically, ATO Jumping exposes weak segmentation between initial access, trusted execution, and outbound communication. Security teams need to watch for sudden changes in sending behavior, unusual recipient expansion, delegated actions, token reuse, and privilege escalation after takeover. This is where Zero Trust thinking becomes operational, because the system must stop assuming that a formerly valid identity remains trustworthy. The NIST Cybersecurity Framework 2.0 reinforces that access, monitoring, and response must work together rather than as separate silos.

Organisations typically encounter the real cost only after a trusted account is used to attack partners, customers, or internal teams, at which point ATO Jumping becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-04ATO Jumping exploits compromised identities to expand attacker reach through trusted channels.
NIST CSF 2.0DE.CM-1Continuous monitoring is needed to detect account takeover abuse and unusual identity-driven activity.
NIST Zero Trust (SP 800-207)Zero Trust rejects implicit trust in an account just because it was previously authenticated.
NIST SP 800-63IAL2Identity assurance matters when an attacker reuses a valid account context to impersonate trust.
OWASP Agentic AI Top 10AGENT-07Autonomous or semi-autonomous abuse can amplify a stolen identity across tools and workflows.

Contain post-compromise misuse by monitoring abnormal identity behavior and limiting downstream trust propagation.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org