Blog
/
Email
/
July 18, 2023

How Darktrace SOC Thwarted a BEC Attack

Photo of woman looking at computer screenDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
18
Jul 2023
Discover how Darktrace's SOC detected and stopped a Business Email Compromise in a customer's SaaS environment.

What is Business Email Compromise (BEC)?

Business Email Compromise (BEC) is the practice of tricking an organization into transferring funds or sensitive data to a malicious actor.

Although at face value this type of attack may not carry the same gravitas as the more blockbuster, cloak-and-dagger type of attack such as ransomware [1], the costs of BEC actually dwarf that of ransomware [2]. Moreover, among UK organizations that reported a cyber breach in 2023, attacks related to BEC – namely phishing attacks, email impersonation, attempted hacking of online back accounts, and account takeover – were reported as the most disruptive, ahead of ransomware and other types of cyber-attack [3].  

What makes a BEC attack successful?

BEC attacks are so successful and damaging due to the difficulty of detection for traditional security systems, along with their ease of execution.  BEC does not require much technical sophistication to accomplish; rather, it exploits humans’ natural trust in known correspondents, via a phishing email for example, to induce them to perform a certain action.

How does a BEC attack work?

BEC attacks typically begin with a phishing email to an employee of an organization. Traditional email gateways may be unable to block the initial phishing email, as the email often appear to have been sent by a known correspondent, or it may contain minimal payload content.

The recipient’s interaction with the initial phishing email will likely result in the attacker gaining access to the user’s identity. Once access is obtained, the attacker may abuse the identity of the compromised user to obtain details of the user’s financial relations to the rest of the organization or its customers, eventually using these details to conduct further malicious email activity, such as sending out emails containing fraudulent wire transfer requests.  Today, the continued growth in adoption of services to support remote working, such as cloud file storage and sharing, means that the compromise of a single user’s email account can also grant access to a wide range of corporate sensitive information.

How to protect against BEC attacks

The rapid uptake of cloud-based infrastructure and software-as-a-service (SaaS) outpaces the adoption of skills and expertise required to secure it, meaning that security teams are often less prepared to detect and respond to cloud-based attacks.  

Alongside the adoption of security measures that specialize in anomaly-based detection and autonomous response, like Darktrace DETECT™ and Darktrace RESPOND™, it is extremely beneficial for organizations to have an around the clock security operations center (SOC) in place to monitor and investigate ongoing suspicious activity as it emerges.

In June 2023, Darktrace’s SOC alerted a customer to an active BEC attack within their cloud environment, following the successful detection of suspicious activity by Darktrace’s AI, playing a fundamental role in thwarting the attack in its early stages.

Darktrace Mitigates BEC Attack

Figure 1: Screenshot of the SaaS Console showing location information for the compromised SaaS account.  The ability to visualize the distance between these two locations enables a SOC Analyst to deduce that the simultaneous activity from London and Derby may represent impossible travel’.

It was suspected the attack began with a phishing email, as on the previous day the user had received a highly anomalous email from an external sender with which the organization had not previously communicated. However, the customer had configured Darktrace/Email™ in passive mode, which meant that Darktrace was not able to carry out any RESPOND actions on this anomalous email to prevent it from landing in the user’s inbox. Despite this, Darktrace/Apps was able to instantly detect the subsequent unusual login to the customer’s SaaS environment; its anomaly-based approach to threat detection allowed it to recognize the anomalous behavior even though the malicious email had successfully reached the user.

Following the anomalous ExpressVPN login, Darktrace detected further account anomalies originating from another ExpressVPN IP (45.92.229[.]195), as the attacker accessed files over SharePoint.  Notably, Darktrace identified that the logins from ExpressVPN IPs were performed with the software Chrome 114, however, activity from the legitimate account owner prior to these unusual logins was performed using the software Chrome 102. It is unusual for a user to be using multiple browser versions simultaneously, therefore in addition to the observed impossible travel, this further implied the presence of different actors behind the simultaneous account activity.

Figure 2: Screenshot of the Event Log for the compromised SaaS account, showing simultaneous login and file access activity on the account from different browser versions, and thus likely from different devices.

Darktrace identified that the files observed during this anomalous activity referenced financial information and personnel schedules, suggesting that the attacker was performing internal reconnaissance to gather information about sensitive internal company procedures, in preparation for further fraudulent financial activity.

Although the actions taken by the attacker were mostly passive, Darktrace/Apps chained together the multiple anomalies to understand that this pattern of activity was indicative of movement along the cyber kill chain. The multiple model breaches generated by the ongoing unusual activity triggered an Enhanced Monitoring model breach that was escalated to Darktrace’s SOC as the customer had subscribed to Darktrace’s Proactive Threat Notification (PTN) service.  Enhanced Monitoring models detect activities that are more likely to be indicative of compromise.  

Subsequently, Darktrace’s SOC triaged the activity detected on the SaaS account and sent a PTN alert to the customer, advising urgent follow up action.  The encrypted alert contained relevant technical details of the incident that were summarized by an expert Darktrace Analyst, along with recommendations to the customer’s internal SOC team to take immediate action.  Upon receipt and validation of the alert, the customer used Darktrace RESPOND to perform a manual force logout and block access from the external ExpressVPN IP.

Had Darktrace RESPOND been enabled in autonomous response mode, it would have immediately taken action to disable the account after ongoing anomalies were detected from it. However, as the customer only had RESPOND configured in the manual human confirmation model, the expertise of Darktrace’s SOC team was critical in enabling the customer to react and prevent further escalation of post-compromise activity.  Evidence of further attempts to access the compromised account were observed hours after RESPOND actions were taken, including failed login attempts from another rare external IP, this time associated with the VPN service NordVPN.

Figure 3: Timeline of attack and response actions from Darktrace SOC and Darktrace RESPOND.

Because the customer had subscribed to Darktrace’s PTN service, they were able to further leverage the expertise of Darktrace’s global team of cyber analysts and request further analysis of which files were accessed by the legitimate account owner versus the attacker.  This information was shared securely within the same Customer Portal ticket that was automatically opened on behalf of the customer when the PTN was alerted, allowing the customer’s security team to submit further queries and feedback, and request assistance to further investigate this alert within Darktrace. A similar service called Ask the Expert (ATE) exists for customers to draw from the expertise of Darktrace’s analysts at any time, not just when PTNs are alerted.

Conclusion

The growing prevalence and impact of BEC attacks amid the shift to cloud-based infrastructure means that already stretched internal security teams may not have the sufficient human capacity to detect and respond to these threats.

Darktrace’s round-the-clock SOC thwarted a BEC attack that had the potential to result in significant financial and reputational damage to the legal services company, by alerting the customer to high priority activity during the early stages of the attack and sharing actionable insights that the customer could use to prevent further escalation.  Following the confirmed compromise, the support and in-depth analysis provided by Darktrace’s SOC on the files accessed by the attacker enabled the customer to effectively report this breach to the Information Commissioner’s Office, to maintain compliance with UK data protection regulations. [4].  

Although the attacker used IP addresses that were local to the customer’s country of operations and did not perform overtly noisy actions during reconnaissance, Darktrace was able to identify that this activity deviated from the legitimate user’s typical pattern of life, triggering model breaches at each stage of the attack as it progressed from initial access to internal reconnaissance. While Darktrace RESPOND triggered an action that would have prevented the attack autonomously, the customer’s configuration meant that Darktrace’s SOC had an even more significant role in alerting the customer directly to take manual action.

Credit to: Sam Lister, Senior Analyst, for his contributions to this blog.

Appendices

Darktrace DETECT/Apps Models Breached:

  • SaaS / Access / Unusual External Source for SaaS Credential Use
  • SaaS / Compromise / Login From Rare Endpoint While User Is Active
  • SaaS / Unusual Activity / Activity from Multiple Unusual IPs
  • SaaS / Unusual Activity / Multiple Unusual SaaS Activities
  • SaaS / Access / Suspicious Login Attempt
  • SaaS / Compromise / SaaS Anomaly Following Anomalous Login (Enhanced Monitoring Model)

Darktrace RESPOND/Apps Models Breached:

  • Antigena / SaaS / Antigena Unusual Activity Block
  • Antigena / SaaS / Antigena Suspicious SaaS Activity Block

MITRE ATT&CK Mapping

Tactic Techniques
Reconnaissance • T1598 – Phishing for Information
Initial Access • T1078.004 – Valid Accounts: Cloud Accounts
Collection • T1213.002 – Data from Information Repositories: Sharepoint

References

[1] Rand, D. (2022, November 10). Why Business Email Compromise Costs Companies More Than Ransomware Attacks. Retrieved from Tanium: https://www.tanium.com/blog/whybusiness-email-compromise-costs-companies-more-than-ransomware-attacks/

[2] Federal Bureau of Investigation. (2022). 2022 IC3 Report. Retrieved from IC3.gov: https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf

[3] Department for Science, Innovation & Technology. (2023, April 19). Cyber security breaches survey 2023. Retrieved from gov.uk: https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2023/cybersecurity-breaches-survey-2023

[4] ICO. (2023). Personal data breaches: a guide. Retrieved from Information Commissioner's Office: https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/personal-data-breaches-a-guide/#whatbreachesdo

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Author
Nicole Wong
Cyber Security Analyst
Watch the NIS2 Webinar
Book a 1-1 meeting with one of our experts
Get in touch
Share this article
Trending blogs
1
Our Annual Survey Reveals How Security Teams Are Adapting to AI-Powered Threats
Mar 4, 2025
2
Darktrace Releases Annual 2024 Threat Insights
Feb 19, 2025
3
From Hype to Reality: How AI is Transforming Cybersecurity Practices
Feb 10, 2025
4
From Containment to Remediation: Darktrace / CLOUD & Cado Reducing MTTR
Mar 6, 2025
5
RansomHub Ransomware: Darktrace’s Investigation of the Newest Tool in ShadowSyndicate's Arsenal
Jan 14, 2025

More in this series

No items found.

Blog

/

OT

/

April 4, 2025

Darktrace Named as Market Leader in the 2025 Omdia Market Radar for OT Cybersecurity Platforms

Default blog imageDefault blog image

We are pleased to announce that Darktrace / OT has been named a Market Leader in Omdia’s  2025 Market Radar for OT Cybersecurity Platforms. We believe this highlights our unique capabilities in the OT security market and follows similar recognition from Gartner who recently named Darktrace / OT as the sole Visionary in in the Magic Quadrant for Cyber Physical Systems (CPS) Protection Platforms market.

Historically, IT and OT systems have been managed separately, creating challenges due to the differences of priorities between the two domains. While both value availability, IT emphasizes confidentiality and integrity whereas OT focuses on safety and reliability. Organizations are increasingly converging these systems to reap the benefits of automation, efficiency, and productivity (1).

Omdia’s research highlights that decision makers are increasingly prioritizing comprehensive security coverage, centralized management, and advanced cybersecurity capabilities when selecting OT security solutions (1).

Rising productivity demands have driven the convergence of OT, IT, and cloud-connected systems, expanding attack surfaces and exposing vulnerabilities. Darktrace / OT provides a comprehensive OT security solution, purpose-built for critical infrastructure, offering visibility across OT, IoT, and IT assets, bespoke risk management, and industry-leading threat detection and response powered by Self-Learning AITM.

Figure 1: Omdia vendor overview for OT cybersecurity platforms
Figure 1: Omdia vendor overview for OT cybersecurity platforms

An AI-first approach to OT security  

Many OT security vendors have integrated AI into their offerings, often leveraging machine learning for anomaly detection and threat response. However, only a few have a deep-rooted history in AI, with longstanding expertise shaping their approach beyond surface-level adoption.

The Omdia Market Radar recognizes that Darktrace has extensive background in the AI space:

“Darktrace has invested extensively in AI research to fuel its capabilities since 2013 with 200-plus patent applications, providing anomaly detection with a significant level of customization, helping with SOC productivity and efficiency, streamlining to show what matters for OT.” (1)

Unlike other security approaches that rely on existing threat data, Darktrace / OT achieves this through Self-Learning AI that understands normal business operations, detecting and containing known and unknown threats autonomously, thereby reducing Sec Ops workload and ensuring minimal downtime

This approach extends to incident investigations where an industry-first Cyber AI AnalystTM automatically investigates all relevant threats across IT and OT, prioritizes critical incidents, and then summarizes findings in an easily understandable view—bringing production engineers and security analysts together to communicate and quickly take appropriate action.

Balancing autonomous response with human oversight

In OT environments where uptime is essential, autonomous response technology can be approached with apprehension. However, Darktrace offers customizable response actions that can be set to “human confirmation mode.”

Omdia recognizes that our approach provides customizable options for autonomous response:

“Darktrace’s autonomous response functionality enforces normal, expected behavior. This can be automated but does not need to be from the beginning, and it can be fine-tuned. Alternative step-by-step mitigations are clearly laid out step-by-step and updated based on organizational risk posture and current level of progress.” (1)

This approach allows security and production to keep humans-in-the-loop with pre-defined actions for potential attacks, enforcing normal to contain a threat, and allowing production to continue without disruption.  

Bespoke vulnerability and risk management

In the realm of OT security, asset management takes precedent as one of the key focus points for organizations. With a large quantity of assets to manage, practitioners are overwhelmed with information with no real way to prioritize or apply them to their unique environment.

Darktrace / OT is recognized by Omdia as having:

“Advanced risk management capabilities that showcase metrics on impact, exploit difficulty, and estimated cost of an attack […] Given the nascency of this capability (April 2024), it is remarkably granular in depth and insight.” (1)

Enabling this is Darktrace’s unique approach to AI extends to risk management capabilities for OT. Darktrace / OT understands customers’ unique risks by building a comprehensive and contextualized picture that goes beyond isolated CVE scoring. It combines attack path modeling with MITRE ATT&CK  techniques to provide hardening recommendations regardless of patching availability and gives you a clearer view of the potential impact of an attack from APT groups.

Modular, scalable security for industrial environments

Organizations need flexibility when it comes to OT security, some want a fully integrated IT-OT security stack, while others prefer a segregated approach due to compliance or operational concerns. The Darktrace ActiveAI Security Platform offers integrated security across multiple domains, allowing flexibility and unification across IT and OT security. The platform combines telemetry from all areas of your digital estate to detect and respond to threats, including OT, network, cloud, email, and user identities.

Omdia recognizes Darktrace’s expansive coverage across multiple domains as a key reason why organizations should consider Darktrace / OT:

“Darktrace’s modular and platform, approach offer’s integrated security across multiple domains. It offers the option of Darktrace / OT as a separate platform product for those that want to segregate IT and OT cybersecurity or are not yet in a position to secure both domains in tandem. The deployment of Darktrace’s platform is flexible—with nine different deployment options, including physical on-premises, virtual, cloud, and hybrid.” (1)

With flexible deployment options, Darktrace offers security teams the ability to choose a model that works best for their organization, ensuring that security doesn’t have to be a “one-size-fits-all” approach.

Conclusion: Why Darktrace / OT stands out in Omdia’s evaluation

Omdia’s 2025 Market Radar for OT Cybersecurity Platforms provides a technical-first, vendor-agnostic evaluation, offering critical insights for organizations looking to strengthen their OT security posture. Darktrace’s recognition as a Market Leader reinforces its unique AI-driven approach, flexible deployment options, and advanced risk management capabilities as key differentiators in an evolving threat landscape.

By leveraging Self-Learning AI, autonomous response, and real-world risk analysis, Darktrace / OT enables organizations to detect, investigate, and mitigate threats before they escalate, without compromising operational uptime.

Read the full report here!

References

  1. www.darktrace.com/resources/darktrace-named-a-market-leader-in-the-2025-omdia-market-radar-for-ot-cybersecurity-platforms
Continue reading
About the author
Pallavi Singh
Product Marketing Manager, OT Security & Compliance

Blog

/

Cloud

/

April 2, 2025

Fusing Vulnerability and Threat Data: Enhancing the Depth of Attack Analysis

Default blog imageDefault blog image

Cado Security, recently acquired by Darktrace, is excited to announce a significant enhancement to its data collection capabilities, with the addition of a vulnerability discovery feature for Linux-based cloud resources. According to Darktrace’s Annual Threat Report 2024, the most significant campaigns observed in 2024 involved the ongoing exploitation of significant vulnerabilities in internet-facing systems. Cado’s new vulnerability discovery capability further deepens its ability to provide extensive context to security teams, enabling them to make informed decisions about threats, faster than ever.

Deep context to accelerate understanding and remediation

Context is critical when understanding the circumstances surrounding a threat. It can also take many forms – alert data, telemetry, file content, business context (for example asset criticality, core function of the resource), and risk context, such as open vulnerabilities.

When performing an investigation, it is common practice to understand the risk profile of the resource impacted, specifically determining open vulnerabilities and how they may relate to the threat. For example, if an analyst is triaging an alert related to an internet-facing Webserver running Apache, it would greatly benefit the analyst to understand open vulnerabilities in the Apache version that is running, if any of them are exploitable, whether a fix is available, etc. This dataset also serves as an invaluable source when developing a remediation plan, identifying specific vulnerabilities to be prioritised for patching.

Data acquisition in Cado

Cado is the only platform with the ability to perform full forensic captures as well as utilize instant triage collection methods, which is why fusing host-based artifact data with vulnerability data is such an exciting and compelling development.

The vulnerability discovery feature can be run as part of an acquisition – full or triage – as well as independently using a fast ‘Scan only’ mode.

Figure 1: A fast vulnerability scan being performed on the acquired evidence

Once the acquisition has completed, the user will have access to a ‘Vulnerabilities’ table within their investigation, where they are able to view and filter open vulnerabilities (by Severity, CVE ID, Resource, and other properties), as well as pivot to the full Event Timeline. In the Event Timeline, the user will be able to identify whether there is any malicious, suspicious or other interesting activity surrounding the vulnerable package, given the unified timeline presents a complete chronological dataset of all evidence and context collected.

Figure 2: Vulnerabilities discovered on the acquired evidence
Figure 3: Pivot from the Vulnerabilities table to the Event Timeline provides an in-depth view of file and process data associated with the vulnerable package selected. In this example, Apache2.

Future work

In the coming months, we’ll be releasing initial versions of highly anticipated integrations between Cado and Darktrace, including the ability to ingest Darktrace / CLOUD alerts which will automatically trigger a forensic capture (as well as a vulnerability discovery) of the impacted assets.

To learn more about how Cado and Darktrace will combine forces, request a demo today.

Continue reading
About the author
Paul Bottomley
Director of Product Management, Cado
Your data. Our AI.
Elevate your network security with Darktrace AI