Blog
/
Email
/
April 2, 2023

Enhancing Security Teams with AI-Powered Email Solutions

security operations centerDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
02
Apr 2023
Discover email-based attack challenges & how AI security solutions can tackle these attacks with autonomous action, optimized workflows, and user visibility.

The modern security team faces challenges on all fronts – it is too often overstretched dealing with an increased attack surface, enabling workforces for secure remote work, and managing multiple security tools to protect that workforce. Added to that, the surge in more sophisticated phishing campaigns – now supported by AI tools – means that it’s harder than ever to pre-empt attacks. 

The needs of the security team should be a key consideration when deploying an email security solution, as it’s them who will be accountable for the success and maintenance of the product. Minimizing time spent inside the user interface – through trusted detection and response technology combined with intuitive reporting and optimized workflows – should be front of mind for vendors in order to assure teams of their value.

Taking security teams off the frontline 

No team should be spending all of their time maintaining email security policies, releasing emails that shouldn’t have been held, or holding back emails that should have been – all the things that traditional email security solutions have almost forced them to become accustomed to. A day in the life of an admin shouldn’t include tens – and certainly not hundreds – of minutes spent in their email security dashboard. 

At the moment, teams are logging in far too often, and when they do, they’re forced to make individual decisions about safe listing and blocking domains, or releasing emails. These can lead to the creation of blanket rules that open up future windows for attackers – unintended consequences that ultimately create more work in the future. This type of hand-to-hand combat puts security teams on the frontline, when their time could be much better spent doing the high-level strategic work humans are best at.  

Understanding You: A Different Approach to Email Security

In today’s discussions about email security, there is a consensus that relying on a gateway is no longer feasible. The new era is one of ICES (Integrated cloud email security) solutions and other tools leveraging artificial intelligence and APIs. But there's no point adopting new technology with an old philosophy – and most of these solutions use AI to automate the same old approach: looking at past attacks to try and stop the next. 

This is where Darktrace/Email takes a fundamentally different and unique approach. It’s not just about using AI; it’s about using it in the right capacity. Our AI understands you – learning where users log in from, who they email, their behavior throughout the day – to tailor the detection and response process according to their individual profile. There’s no point withholding an email if only a tiny element of it poses a risk – Darktrace/Email takes the least aggressive action required to neutralize a threat. Instead of a blanket allow-deny criteria, it can rewrite links or withhold attachments based on its knowledge of the user’s normal inbox activity. Stopping malicious emails while allowing legitimate emails through – with risky elements neutralized – lifts security teams out of the fire-fighting activities described earlier and frees up their time for more strategic and valuable decision-making.

This is going to get me to reduce my current email security stack… this is going to take it to that level that I need it to”

- Early Look Customer, Darktrace/Email 

Account Takeover 

Embedded account takeover protection is an essential component of modern email security. Security teams need visibility not just over email breaches but of what happens once an attacker has control of an inbox, particularly in the most damaging use cases like Business Email Compromise (BEC) and ransomware. This entails understanding a user’s behavior in their inbox, outbound emails and beyond into their wider account activity. Darktrace captures a user’s activity across email and their Microsoft or Google account in a single pane of glass – detecting and countering all of the markers that could signify a compromised account.  

Insights from other cloud applications and network devices gleaned from Darktrace's wider visibility of the business can bring a 360° understanding of the user, further enhancing detection of account takeover and other harmful activity.

Figure 1: A 360° understanding of a user reveals their digital touchpoints beyond Microsoft

What ‘user-friendly’ actually looks like 

The best user interface is one that you never have to log into. In an ideal world, teams are able to visit their tools less frequently because intelligent AI is automating work previously done by humans. This is made possible by Darktrace’s precision detection and response technology, which takes appropriate action on emails and accounts to neutralize threats without disrupting day-to-day business operations. 

The second-best user interface is one where you can quickly log in and get key insights fast, whether that’s regarding an action taken or the current activity of a user – and then get out. Darktrace/Email enables teams to get key information quickly, at both a high and granular level.  The dashboard offers immediate insights into users and emails, with a real-time snapshot of active user identities, targeted user and actioned emails, segmented by type of attack. 

At every touchpoint, Darktrace reduces friction with optimized workflows. From being able to quickly identify VIPs to safely previewing links and attachments, security teams can get the information they need without needing to switch between windows or navigate inaccessible interfaces. Explainable AI gives users natural-language summaries of individual emails or the overall health of an email environment, and simplified action flows allow security teams to personalize security for different employees – for example, sending VIPs a unique notification, or taking extra precautions around employees who work in accounting. Taken together, this meaning that admins can spend even less time managing policies. 

Figure 2: Darktrace/Email dashboard displaying key information about the email environment in a single pane of glass

The ideal interface is also the one that’s the most accessible to you. The mobile app guarantees convenience for security teams, making available all the main functions of the interface for on-the-go analysis at any time or place. Teams can travel or leave the office while retaining the peace of mind that if a critical incident was to occur, they would be able to get instant visibility on the data and take action without needing to get back to their desks.  

Figure 3: Security admins are able to preview, analyze, and act on emails directly from the Darktrace Mobile App

With every passing day, the security team can rest easier. Every activity is taken into account to help the AI tune and adapt over time to become even better at detecting and responding to threats.   

Having email on the app is going to be game changing” 

- Early Look Customer, Darktrace/Email 

Getting the full picture

Most often, email is the entry point from which a threat actor moves stealthily throughout an organization collecting information and assets. Most solutions look at email in isolation, without prioritizing or connecting disparate events into a wider pattern. 

In contrast, Darktrace/Email integrates seamlessly with Darktrace's Cyber AI Analyst, a technology that conducts autonomous enterprise-wide investigations around every alert produced by the wider Darktrace platform. Through this integration, malicious email activity is analyzed and displayed in the context of the full security incident to which it belongs. As a result, security teams can see why and how a wider problem might have originated in email and spread to other apps, endpoints, or the wider corporate network.

Empowering employees to take an active role in security

The role of the security team can be made more difficult if employees take a lax or disengaged approach to security – or if a user is given too much control, and has the ability to make potentially dangerous decisions. Training employees on security procedures is another to-do which can easily fall to the bottom of the agenda during busy periods, especially as point-in-time phishing simulations have proven to be not particularly effective. 

To this end, Darktrace/Email uses Explainable AI to say in natural language what it thought about an email, and delivers its findings not just to the security team, but optionally to the wider workforce as well. Delivered in the form of contextual banners in emails, periodic digests, or directly in Outlook, these insights transform security education from a quarterly or yearly exercise into real-time security awareness. Our next blog will dive deeper into how employee engagement can support the security team’s efforts and harden defenses throughout the organization. 

Because Darktrace is built on a fundamentally different approach, it not only stops novel and targeted sophisticated attacks but allows legitimate emails to flow through. This is what makes it a truly set-and-forget technology, with the AI taking on much of the heavy lifting previously undertaken by security teams. 

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Author
Dan Fein
VP, Product

Based in New York, Dan joined Darktrace’s technical team in 2015, helping customers quickly achieve a complete and granular understanding of Darktrace’s product suite. Dan has a particular focus on Darktrace/Email, ensuring that it is effectively deployed in complex digital environments, and works closely with the development, marketing, sales, and technical teams. Dan holds a Bachelor’s degree in Computer Science from New York University.

Book a 1-1 meeting with one of our experts
Share this article

Blog

/

Email

/

February 27, 2025

Fighting the Real Enemy: The Importance of Responsible Vulnerability Disclosure Between Email Security Vendors

Default blog imageDefault blog image

Part of being a cybersecurity vendor is recognizing our responsibility to the security community – while vendor competition exists, it pales in comparison to the threat of our shared adversary: malicious threat actors.

Darktrace is proud to be contributing to the shared mission of fighting attackers; without goodwill among defenders that task is made more difficult for everyone. Through collaboration, we can advance security standards across the board and make the world a safer place.  

With that in mind, Darktrace recently observed an exploitation capability latent in a competing email security vendor’s link rewriting infrastructure, which posed a risk to organizations. Following identification, Darktrace was able to report it to the vendor following their disclosure process. We’ll explore the vulnerability, the potential impact it may have had, how it could have been resolved, and the steps Darktrace took to raise it with the vendor.  

Please note that the following vulnerability we’re about to expose has already been resolved, so there is no risk of it being exploited by others. While keeping this vendor anonymous, we also want to thank them for their cordial response and swift remediation of the issue.

For more information about vulnerability disclosure best practices, refer to the UK National Cyber Security Center’s Vulnerability Disclosure Toolkit.

Details of the vulnerability

Let’s take a look at the weakness Darktrace identified in the link rewriting infrastructure.

In January 2025, Darktrace observed that links generated by a URL rewriting infrastructure could be re-engineered by a malicious actor to point to a URL of their choosing. In this way, a threat actor could effectively use the vendor’s domain to create a malicious domain under their control.

Because a majority of security vendors default to trust from known-safe domains, using one of these links as the payload greatly enhances the likelihood of that email being allow-listed to bypass email security, network URL filtering, and other such security tools, to reach the inbox. This issue meant any adversary could have abused the vendor’s safelink structure to deliver a malicious phishing link payload to any organization. It is likely this exploitation capability could have been found and abused at scale if not addressed.

The problem with said vendor’s link rewriting process was in using standard base-64 encoding instead of randomized encoding, so that anyone could replace the value of the parameter “b=” which contains a base64-encoded form of the original link with a base64-encoded form of a URL of their choosing.

This also posed issues from a privacy perspective. If, for example the encoded link was a SharePoint file, all the included folder names would be available for anyone to see in plaintext.

Example of a phishing attack caught by Darktrace that uses another email security solution’s compromised safelink
Fig 1: Example of a phishing attack caught by Darktrace that uses another email security solution’s compromised safelink

How the vulnerability was resolved

The solution for developers is to ensure the use of randomized encoding when developing link rewriting infrastructure to close the possibility of safelinks being deciphered and re-engineered by malicious actors.

Once Darktrace found this link issue we followed the vendor’s disclosure process to report the potential risk to customers and the wider community, while also conducting a review to ensure that Darktrace customers and their supply chains remained safe. We continued to follow up with the company directly to ensure that the vulnerability was fixed.

This instance highlights the importance of vendors having clear and visible vulnerability disclosure processes (such as RFC9116) and being available to listen to the security community in case of disclosures of this nature.

Why Darktrace was obliged to disclose this vulnerability

Here, Darktrace had two responsibilities: to the security community and to our customers.

As a company whose mission is to protect organizations today and for an ever-changing future, we will never stand by if there is a known risk. If attackers had used the safelinks to create new attacks, any organization could have been exposed due to the inherent trust in this vendor’s links within services that distribute or maintain global whitelists, harm which could have been multiplied by the interlinked nature of supply chains.

This means that not only the vendor’s customers were exposed, but any organization with their safelink in a whitelist was also exposed to this vulnerability. For Darktrace customers, an attack using this link would have been detected and stopped across various service offerings, and a secondary escalation by our Cyber AI Analyst would ensure security teams were aware. Even so, Darktrace has a responsibility to these customers to do everything in its power to minimize their exposure to risk, even if it comes from within their own security stack.

Why Darktrace customers remain protected

If a Darktrace / EMAIL, Darktrace / NETWORK, or any other Darktrace ActiveAI Security Platform customer was exposed to this type of vulnerability, our unique Self-Learning AI approach and defense-in-depth philosophy means they stay protected.

Darktrace / EMAIL doesn’t approach links from a binary perspective – as safe, or unsafe – instead every link is analyzed for hundreds of metrics including the content and context in which it was delivered. Because every user’s normal behavior is baselined, Darktrace can immediately detect anomalies in link-sharing patterns that may point to a threat. Furthermore, our advanced link analysis includes metrics on how links perform within a browser and in-depth visual analysis, to detect even well-disguised payloads.

None of Darktrace’s customers were compromised as a result of this vulnerability. But should a customer have clicked on a similar malicious link, that’s where a platform approach to security comes in. Detecting threats that traverse domains is one strength of the Darktrace ActiveAI Security Platform. Our AI correlates data from across the digital estate to spot suspicious activity in the network, endpoint or cloud that may have originated from a malicious email. Darktrace’s Cyber AI Analyst then performs triage and investigation of alerts to raise those of high importance to an incident, allowing for human-analyst validation and escalation.

As demonstrated by finding this vulnerability in another vendor, Darktrace’s R&D teams are always thinking like an attacker as they develop our products, to allow us to remain one step ahead for our customers.

Conclusion

We hope this example can be useful to developers working on link rewriting infrastructure, or to vendors figuring out how to proceed with a disclosure to another vendor. We’re pleased to have been able to collaborate with said vendor in this instance, and hope that it serves to illustrate the importance of defenders working together towards the common goal of keeping organizations safe from hostile cyber actors.

Continue reading
About the author
The Darktrace Community

Blog

/

Network

/

February 27, 2025

New Threat on the Prowl: Investigating Lynx Ransomware

Default blog imageDefault blog image

What is Lynx ransomware?

In mid-2024, a new ransomware actor named Lynx emerged in the threat landscape. This Ransomware-as-a-Service (RaaS) strain is known to target organizations in the finance, architecture, and manufacturing sectors [1] [2]. However, Darktrace’s Threat Research teams also identified Lynx incidents affecting energy and retail organizations in the Middle East and Asia-Pacific (APAC) regions. Despite being a relatively new actor, Lynx’s malware shares large portions of its source code with the INC ransomware variant, suggesting that the group may have acquired and repurposed the readily available INC code to develop its own strain [2].

What techniques does Lynx ransomware group use?

Lynx employs several common attack vectors, including phishing emails which result in the download and installation of ransomware onto systems upon user interaction. The group poses a sophisticated double extortion threat to organizations, exfiltrating sensitive data prior to encryption [1]. This tactic allows threat actors to pressure their targets by threatening to release sensitive information publicly or sell it if the ransom is not paid. The group has also been known to gradually release small batches of sensitive information (i.e., “drip” data) to increase pressure.

Once executed, the malware encrypts files and appends the extension ‘.LYNX’ to all encrypted files. It eventually drops a Base64 encoded text file as a ransom note (i.e., README.txt) [1]. Should initial file encryption attempts fail, the operators have been known to employ privilege escalation techniques to ensure full impact [2].

In the Annual Threat Report 2024, Darktrace’s Threat Research team identified Lynx ransomware as one of the top five most significant threats, impacting both its customers and the broader threat landscape.

Darktrace Coverage of Lynx Ransomware

In cases of Lynx ransomware observed across the Darktrace customer base, Darktrace / NETWORK identified and suggested Autonomous Response actions to contain network compromises from the onset of activity.  

Detection of lateral movement

One such Lynx compromise occurred in December 2024 when Darktrace observed multiple indicators of lateral movement on a customer network. The lateral movement activity started with a high volume of attempted binds to the service control endpoint of various destination devices, suggesting SMB file share enumeration. This activity also included repeated attempts to establish internal connections over destination port 445, as well as other privileged ports. Spikes in failed internal connectivity, such as those exhibited by the device in question, can indicate network scanning. Elements of the internal connectivity also suggested the use of the attack and reconnaissance tool, Nmap.

Indicators of compromised administrative credentials

Although an initial access point could not be confirmed, the widespread use of administrative credentials throughout the lateral movement process demonstrated the likely compromise of such privileged usernames and passwords. The operators of the malware frequently used both 'admin' and 'administrator' credentials throughout the incident, suggesting that attackers may have leveraged compromised default administrative credentials to gain access and escalate privileges. These credentials were observed on numerous devices across the network, triggering Darktrace models that detect unusual use of administrative usernames via methods like NTLM and Kerberos.

Data exfiltration

The lateral movement and reconnaissance behavior was then followed by unusual internal and external data transfers. One such device exhibited an unusual spike in internal data download activity, downloading around 150 GiB over port 3260 from internal network devices. The device then proceeded to upload large volumes of data to the external AWS S3 storage bucket: wt-prod-euwest1-storm.s3.eu-west-1.amazonaws[.]com. Usage of external cloud storage providers is a common tactic to avoid detection of exfiltration, given the added level of legitimacy afforded by cloud service provider domains.

Furthermore, Darktrace observed the device exhibiting behavior suggesting the use of the remote management tool AnyDesk when it made outbound TCP connections to hostnames such as:

relay-48ce591e[.]net[.]anydesk[.]com

relay-c9990d24[.]net[.]anydesk[.]com

relay-da1ad7b4[.]net[.]anydesk[.]com

Tools like AnyDesk can be used for legitimate administrative purposes. However, such tools are also commonly leveraged by threat actors to enable remote access and further compromise activity. The activity observed from the noted device during this time suggests the tool was used by the ransomware operators to advance their compromise goals.

The observed activity culminated in the encryption of thousands of files with the '.Lynx' extension. Darktrace detected devices performing uncommon SMB write and move operations on the drives of destination network devices, featuring the appending of the Lynx extension to local host files. Darktrace also identified similar levels of SMB read and write sizes originating from certain devices. Parallel volumes of SMB read and write activity strongly suggest encryption, as the malware opens, reads, and then encrypts local files on the hosted SMB disk share. This encryption activity frequently highlighted the use of the seemingly-default credential: "Administrator".

In this instance, Darktrace’s Autonomous Response capability was configured to only take action upon human confirmation, meaning the customer’s security team had to manually apply any suggested actions. Had the deployment been fully autonomous, Darktrace would have blocked connectivity to and from the affected devices, giving the customer additional time to contain the attack and enforce existing network behavior patterns while the IT team responded accordingly.

Conclusion

As reported by Darktrace’s Threat Research team in the Annual Threat Report 2024, both new and old ransomware strains were prominent across the threat landscape last year. Due to the continually improving security postures of organizations, ransomware actors are forced to constantly evolve and adopt new tactics to successfully carry out their attacks.

The Lynx group’s use of INC source code, for example, suggests a growing accessibility for threat actors to launch new ransomware strains based on existing code – reducing the cost, resources, and expertise required to build new malware and carry out an attack. This decreased barrier to entry will surely lead to an increased number of ransomware incidents, with attacks not being limited to experienced threat actors.

While Darktrace expects ransomware strains like Lynx to remain prominent in the threat landscape in 2025 and beyond, Darktrace’s ability to identify and respond to emerging ransomware incidents – as demonstrated here – ensures that customers can safeguard their networks and resume normal business operations as quickly as possible, even in an increasingly complex threat landscape.

Credit to Justin Torres (Senior Cyber Analyst) and Adam Potter (Senior Cyber Analyst).

Get the latest insights on emerging cyber threats

Attackers are adapting, are you ready? This report explores the latest trends shaping the cybersecurity landscape and what defenders need to know in 2025.

  • Identity-based attacks: How attackers are bypassing traditional defenses
  • Zero-day exploitation: The rise of previously unknown vulnerabilities
  • AI-driven threats: How adversaries are leveraging AI to outmaneuver security controls

Stay ahead of evolving threats with expert analysis from Darktrace. Download the report here.

Appendices

References

1.     https://unit42.paloaltonetworks.com/inc-ransomware-rebrand-to-lynx/

2.     https://cybersecsentinel.com/lynx-ransomware-strikes-new-targets-unveiling-advanced-encryption-techniques/

Autonomous Response Model Alerts

·      Antigena::Network::Significant Anomaly::Antigena Alerts Over Time Block

·      Antigena::Network::Insider Threat::Antigena Active Threat SMB Write Block

·      Antigena::Network::Significant Anomaly::Antigena Enhanced Monitoring from Client Block

·      Antigena::Network::Significant Anomaly::Antigena Significant Anomaly from Client Block

·      Antigena::Network::Insider Threat::Antigena Network Scan Block

·      Antigena::Network::Insider Threat::Antigena Internal Anomalous File Activity

·      Antigena::Network::Insider Threat::Antigena Unusual Privileged User Activities Block

·      Antigena::Network::Insider Threat::Antigena Unusual Privileged User Activities Pattern of Life Block

·      Antigena::Network::Insider Threat::Antigena Large Data Volume Outbound Block

Darktrace / NETWORK Model Alerts

·      Device::Multiple Lateral Movement Model Alerts

·      Device::Suspicious Network Scan Activity

·      Anomalous File::Internal::Additional Extension Appended to SMB File

·      Device::SMB Lateral Movement

·      Compliance::SMB Drive Write

·      Compromise::Ransomware::Suspicious SMB Activity

·      Anomalous File::Internal::Unusual SMB Script Write

·      Device::Network Scan

·      Device::Suspicious SMB Scanning Activity

·      Device::RDP Scan

·      Unusual Activity::Anomalous SMB Move & Write

·      Anomalous Connection::Sustained MIME Type Conversion

·      Compromise::Ransomware::SMB Reads then Writes with Additional Extensions

·      Unusual Activity::Sustained Anomalous SMB Activity

·      Device::ICMP Address Scan

·      Compromise::Ransomware::Ransom or Offensive Words Written to SMB

·      Anomalous Connection::Suspicious Read Write Ratio

·      Anomalous File::Internal::Masqueraded Executable SMB Write

·      Compliance::Possible Unencrypted Password File On Server

·      User::New Admin Credentials on Client

·      Compliance::Remote Management Tool On Server

·      User::New Admin Credentials on Server

·      Anomalous Connection::Unusual Admin RDP Session

·      Anomalous Connection::Download and Upload

·      Anomalous Connection::Uncommon 1 GiB Outbound

·      Unusual Activity::Unusual File Storage Data Transfer

List of IoCs

IoC - Type - Description + Confidence

- ‘. LYNX’ -  File Extension -  Lynx Ransomware file extension appended to encrypted files

MITRE ATT&CK Mapping  

(Technique Name - Tactic - ID - Sub-Technique of)

Taint Shared Content - LATERAL MOVEMENT - T1080

Data Encrypted for - Impact - IMPACT T1486

Rename System Utilities - DEFENSE EVASION - T1036.003 - T1036

Continue reading
About the author
Justin Torres
Cyber Analyst
Your data. Our AI.
Elevate your network security with Darktrace AI