What is vendor email compromise (VEC)?
Vendor email compromise (VEC) is an attack in which cybercriminals take over a supplier's legitimate email account and use it to send phishing emails to that vendor's customers and partners. Because the messages come from a real, trusted sender, they routinely bypass secure email gateways and reputation-based defenses.
Supply chain account takeover – also known as Vendor Email Compromise — is the single most pressing issue facing email security at the moment. There has been a wave of high-profile supply chain attacks recently and this trend will only increase over 2021 as cyber-criminals continue to find success in such methods. Traditional security tools are powerless to stop such attacks: since the malicious emails come from trusted partners and suppliers, they slip through the gateway.
The recent SolarWinds cyber-attack shows just how devastating a supply chain compromise can be. Business partnerships are more complex than ever, which means that a single breach can affect dozens of organizations at all levels of a global supply chain, from small local companies to government departments.
This blog examines a compromised third-party provider which sent malicious emails to a customer trialing Darktrace / EMAIL. Despite the emails coming from a trusted source, the AI technology recognized a behavioral shift – that they were anomalous when compared with the previous behavior of the sender. When the contact realized their account had been compromised and issued a warning via email to their regular contacts, Darktrace recognized these emails as benign. But as the attacker continued sending emails of a malicious nature on their account, those threatening emails, which bypassed the company’s other security tools, were held back by Darktrace.
How does a vendor email compromise attack work?
In this real-world attack, cybercriminals compromised a trusted supplier to a global beverage company, then used the vendor's genuine account to mass-mail phishing emails across its supply chain. Because the messages blended into an established sending history, they evaded gateway checks, but behavioral analysis flagged them as out of character.
Let’s set the scene. The company in question is one of the world’s largest beverage suppliers with around 15,000 email users alone. It has a sprawling global supply chain with many partners and trusted vendors. After one of these third parties was compromised, malicious actors sent phishing emails across the supply chain to compromise as many organizations as they could. Our beverage company was one of the main targets.
The trusted relationship with the third party can be seen through Darktrace’s Email tags, which were applied to the previous legitimate emails sent in from the supplier.

Shortly after this legitimate email was seen, a wave of new emails came in from the same account. Using this authentic traffic to their advantage, the attacker successfully evaded other tools and blended into legitimate communications. In supply chain attacks, such camouflage is key to a successful compromise.
However, due to slight changes in the behavior of the sender when compared with their previous history, Darktrace was able to identify that the account had been compromised, shown by the Out of Character and Suspicious Link tags.

Darktrace’s AI detected a range of anomalies, including:
- the source of the email;
- the nature of the links and their association with the company;
- the language and intention of the email body.
These extremely subtle shifts in email can only be detected by using Darktrace’s sophisticated unsupervised machine learning approach. By understanding how the user typically acts and interacts with their peers and other organizations, Darktrace’s AI is able to identify anomalous behavior that indicates account takeover and impersonation.
Attack breakdown: Why traditional email security fails against vendor email compromise
In the emails, there was a link directing the user to a legitimate file storage site (‘canva.com’), which was being used to host a malicious payload. This tactic is commonly used by cyber-criminals to bypass legacy security gateways, because traditional gateways fail to defend against malicious file storage links using reputation checks, since the domains themselves are legitimate.
Darktrace / EMAIL, however, identified that this email did not belong and flagged the email as 100% anomalous. The figure below shows three of the malicious emails, and the scores assigned to them by Darktrace / EMAIL's machine learning. The top email is the supplier emailing the company legitimately, to warn of the compromised account. Despite arriving shortly after the malicious emails, the email was given only a 31% threat score, with no actions suggested. This proves just how valuable Darktrace / EMAIL is not only in stopping the bad emails, but also in accurately identifying benign emails – ensuring it does not interfere with legitimate communication.

Darktrace / EMAIL's action of choice was to hold the emails back from the inbox entirely, protecting the recipient from any potential solicitation or attempt to take communications to a less secure platform.
Why are supply chain email attacks increasing?
Supply chain email attacks are increasing because third parties can offer attackers an easier path into well-defended organizations. Security teams often have limited visibility into vendors’ environments, while emails from established suppliers are more likely to pass reputation-based checks. A single compromised account can therefore be used to target multiple downstream organizations through trusted business relationships.
These attacks are particularly attractive because compromising one supplier can give an attacker access to an established network of customers, partners and ongoing conversations. Rather than targeting each organization separately, the attacker can reuse the vendor’s trusted identity to distribute phishing emails at scale and make malicious requests appear consistent with normal business activity.
How to prevent vendor email compromise with AI-driven email security
Preventing vendor email compromise requires shifting focus away from domains and reputation, and toward how trusted senders actually behave. Attacks succeed because compromised accounts look legitimate, making traditional controls ineffective.
Security teams can reduce risk by monitoring behavioral changes in third-party communications, identifying anomalies in how vendors interact, and extending visibility across email, identity, and supply chain activity. This allows teams to detect compromised accounts earlier, before phishing spreads across trusted relationships.
How Darktrace / EMAIL detects vendor email compromise?
Vendor email compromise succeeds by making malicious messages look like trusted business communication. Darktrace / EMAIL uses Self-Learning AI to understand normal communication patterns across users, suppliers and business relationships, helping identify subtle changes in sender behavior, language, links and intent.
When a message appears anomalous, Darktrace can take targeted action against the threat while allowing legitimate supplier communications to continue uninterrupted.
Explore Darktrace’s EMAIL Solution Brief to learn how behavioral anomaly detection strengthens native email security and helps stop phishing, impersonation, account takeover and supply chain threats.













.avif)









