See how AI can assist human security teams and think logically to manage cyber incidents efficiently in situations where variables are fast-moving. Read more!
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Hanah Darley
Director of Threat Research
Share
19
Sep 2023
Within cyber security, crises are a regular occurrence. Whether due to the ever-changing tactics of threat actors or the emergence of new vulnerabilities, security teams find themselves under significant pressure and frequently find themselves in what psychologists term "crisis states."1
A crisis state refers to an internal state marked by confusion and anxiety to such an extent that previously effective coping mechanisms give way to ineffective decision-making and behaviors.2
Given the prevalence of crises in the field of cyber security, practitioners are more prone to consistently making illogical choices due to the intense pressure they experience. They also grapple with a constant influx of rapidly changing information, the need for swift decision-making, and the severe consequences of errors in judgment. They are often asked to assess hundreds of variables and uncertain factors.
The frequency of crisis states is expected to rise as generative AI empowers cyber criminals to accelerate the speed, scale, and sophistication of their attacks.
Why is it so challenging to operate effectively and efficiently during a crisis state? Several factors come into play.
Firstly, individuals are inclined to rely on their instincts, rendering them susceptible to cognitive biases. This makes it increasingly difficult to assimilate new information, process it appropriately, and arrive at logical decisions. Since crises strike unexpectedly and escalate rapidly into new unknowns, responders experience heightened stress, doubt and insecurity when deciding on a course of action.
These cognitive biases manifest in various forms. For instance, confirmation bias prompts people to seek out information that aligns with their pre-existing beliefs, while hindsight bias makes past events seem more predictable in light of present context and information.
Crises also have a profound impact on information processing and decision-making. People tend to simplify new information and often cling to the initial information they receive rather than opting for the most rational decision.
For instance, if an organization has successfully thwarted a ransomware attack in the past, a defender might assume that employing the same countermeasures will suffice for a subsequent attack. However, ransomware tactics are constantly evolving, and a subsequent attack could employ different strategies that evade the previous defenses. In a crisis state, individuals may revert to their prior strategy instead of adapting based on the latest information.
Given there are deeply embedded psychological tendencies and hard-wired decision-making processes leading to a reduction in logic during a crisis, humans need support from technology that does not suffer from the same limitations, particularly in the post-incident phase, where stress levels go into overdrive.
In the era of rapidly evolving novel attacks, security teams require a different approach: AI.
AI can serve as a valuable tool to augment human decision-making, from detection to incident response and mitigation. This is precisely why Darktrace introduced HEAL, which leverages self-learning AI to assist teams in increasing their cyber resilience and managing live incidents, helping to alleviate the cognitive burden they face.
Darktrace HEAL™ learns from your environment, including data points from real incidents and generates simulations to identify the most effective approach for remediation and restoring normal operations. This reduces the overwhelming influx of information and facilitates more effective decision-making during critical moments.
Furthermore, HEAL offers security teams the opportunity to safely simulate realistic attacks within their own environment. Using specific data points from the native environment, simulated incidents prepare security teams for a variety of circumstances which can be reviewed on a regular basis to encourage effective habit forming and reduce cognitive biases from a one-size-fits-all approach. This allows them to anticipate how attacks might unfold and better prepare themselves psychologically for potential real-world incidents.
With the right models and data, AI can significantly mitigate human bias by providing remediation recommendations grounded in evidence and providing proportionate responses based on empirical evidence rather than personal interpretations or instincts. It can act as a guiding light through the chaos of an attack, providing essential support to human security teams.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Protecting the Experience: How a global hospitality brand stays resilient with Darktrace
For the Global Chief Technology Officer (CTO) of a leading experiential leisure provider, security is mission critical to protecting a business built on reputation, digital innovation, and guest experience. The company operates large-scale immersive venues across the UK and US, blending activity-driven hospitality with premium dining and vibrant spaces designed for hundreds of guests. With a lean, centrally managed IT team responsible for securing locations worldwide, the challenge is balancing robust cybersecurity with operational efficiency and customer experience.
Brand buzz attracts attention – and attacks
Mid-sized, fast-growing hospitality organizations face a unique risk profile. When systems go down in a venue, the impact is immediate: hundreds of disrupted guest experiences, lost revenue during peak hours, and potential long-term reputation damage. Each time the organization opened a new venue, the surge of marketing buzz attracted attention in local markets and waves of sophisticated cyberattacks, including:
Phishing campaigns leveraging brand momentum to lure employees into clicking on malicious links.
AI-enhanced impersonation using advanced techniques to create AI-generated video calls and deep-researched, contextualized emails
Fake domains targeting leadership with AI-generated messages that contained insider context gleaned from public information.
“Our endpoint security and antivirus tools were powerless against these sophisticated AI-powered campaigns. We didn’t want to manage incidents anymore. We wanted to prevent them from ever happening.” - Global CTO
Proactive, preventative security with Darktrace AI
The company’s cybersecurity vision was clear: “Proactive, preventative – that was our mandate,” said the CTO. With a lean and busy IT group, the business evaluated several security solutions using deep-dive workshops. Darktrace proved the best fit for supporting the organization’s proactive mindset, offering:
Autonomy without added headcount: Darktrace provided powerful AI-driven detection and autonomous response functions with minimal manual oversight required.
Modular adoption: The company could start with core email and network protection and expand into cloud and endpoint coverage, aligning spend with growth.
Partnership and responsiveness: “We wanted people we trust, respect, and know will show up when we need them. Darktrace did just that,” said the CTO.
Affordability at scale: Darktrace offered reasonable upfront costs plus predictable, sustainable economics as the company and IT infrastructure expanded.
“The combination of AI capabilities, a scalable model, and a strong engagement team tipped the balance in Darktrace’s favor, and we have not been disappointed,” said the CTO.
Phased deployment builds trust
To minimize disruption to critical hospitality systems like global Point of Sales (POS) terminals and Audio-Visual (AV) infrastructure, deployment was phased:
Observation and human-led response: Initially, Darktrace was deployed in detection-only mode. Alerts were manually reviewed.
Incremental autonomous response: Darktrace Autonomous Response was enabled on select models, taking action on low-risk scenarios. Higher-risk subnets and devices remained under human control.
Full autonomous coverage: With tuning and reinforcement, autonomous response was expanded across domains, trusted to take decisive action in real time. Analysts retained the ability to review and contextualize incidents.
“Darktrace managed the rollout through detailed, professional, and responsive project management – ensuring a smooth, successful adoption and creating a standardized cybersecurity playbook for future venue launches,” said the CTO.
AI delivers the outcomes that matter
Measurable efficiency replaces endless alerts
Darktrace autonomous response significantly decreased false alerts and noise. “If it’s quiet, we’re confident there isn’t a problem,” said the CTO. Within six months, Darktrace conducted 3,599 total investigations, detected and contained 320 incidents indicative of an attack, resolved 91% of those events autonomously, and escalated only 9% to human analysts. The efficiency gains were enormous, saving analysts 740 hours on investigations within a single month.
Precision AI turns inbox chaos into calm
Darktrace Self-Learning AI modeled sender/recipient norms, content/linguistic baselines, and communication patterns unique to the organization’s launch cadence, resulting in:
Automated holds and neutralizations of anomalous executive-style messages
Rapid detection of novel templates and tone shifts that deviated from the organization’s lived email graph, even when indicators were not yet on any feed
Downstream reduction in help-desk escalations tied to suspicious email
Full visibility fuels real-time response
Darktrace gives IT direct visibility without extra licensing, and it surfaces ground truth across every venue, including:
Device geolocation and placement drift: Darktrace exposed devices and users operating outside approved zones, prompting new segmentation and access-control policies.
Guest Wi-Fi realities: Darktrace AI uncovered high-risk activity on guest networks, like crypto-mining and dark-web traffic, driving stricter VLAN separation and access hygiene.
Lateral-movement containment: Autonomous response fenced suspicious activity in real time, buying time for human investigation while keeping POS and AV systems unaffected.
Smarter endpoints for a smarter network
Endpoints once relied on static agents effective only against known signatures. Darktrace’s behavioral models now detect subtle anomalies at the endpoint process level that EDRs often miss, such as misuse of legitimate applications (commonly used in living-off-the-land attacks), unapproved application usage and policy violations. This increases the accuracy and fidelity of network-based investigations by adding endpoint process context alongside existing EDR alerts.
Autonomous response for continuous compliance
Across PCI, GDPR, and cross-border privacy obligations, Darktrace’s native evidencing is helping the team demonstrate control rather than merely assert it:
Asset and flow awareness: Knowing “what is where” and “who talks to what” underpins PCI scoping and data-flow diagrams.
Layered safeguards: Showing autonomous prevention, network segmentation, and rapid containment supports risk registers and control attestations.
Audit-ready artifacts: Investigations and autonomous actions produce artifacts that “tick the box” without additional tooling.
Defining the next era of resilience with AI
With rapid global expansion underway, the company is using its cybersecurity playbook to streamline and secure future venue launches. In the near term, IT is focused on strengthening prevention, using Darktrace insights to guide new policy updates and infrastructure changes like imposing stricter guest-network posture and refining venue device baselines.
For tech leaders charting their path to proactive cyber defense, the CTO stresses success won’t come from sidestepping AI, but from turning it into a core capability.
“AI isn’t optional – it’s operational. The real risk to your business is trying to out-scale automated adversaries with human speed alone. When applied to the right use case, AI becomes a catalyst for efficiency, resilience, and business growth.” - Global CTO
From Amazon to Louis Vuitton: How Darktrace Detects Black Friday Phishing Attacks
Why Black Friday Drives a Surge in Phishing Attacks
In recent years, Black Friday has shifted from a single day of online retail sales and discounts to an extended ‘Black Friday Week’, often preceded by weeks of online hype. During this period, consumers are inundated with promotional emails and marketing campaigns as legitimate retailers compete for attention.
Unsurprisingly, this surge in legitimate communications creates an ideal environment for threat actors to launch targeted phishing campaigns designed to mimic legitimate retail emails. These campaigns often employ social engineering techniques that exploit urgency, exclusivity, and consumer trust in well-known brands, tactics designed to entice recipients into opening emails and clicking on malicious links.
Additionally, given the seasonal nature of Black Friday and the ever-changing habits of consumers, attackers adopt new tactics and register fresh domains each year, rather than reusing domains previously flagged as spam or phishing endpoints. While this may pose a challenge for traditional email security tools, it presents no such difficulty for Darktrace / EMAIL and its anomaly-based approach.
In the days and weeks leading up to ‘Black Friday’, Darktrace observed a spike in sophisticated phishing campaigns targeting consumers, demonstrating how attackers combine phycological manipulation with technical evasion to bypass basic security checks during this high-traffic period. This blog showcases several notable examples of highly convincing phishing emails detected and contained by Darktrace / EMAIL in mid to late November 2025.
Darktrace’s Black Friday Detections
Brand Impersonation: Deal Watchdogs’ Amazon Deals
The impersonation major online retailers has become a common tactic in retail-focused attacks, none more so than Amazon, which ranked as the fourth most impersonated brand in 2024, only behind Microsoft, Apple, Google, and Facebook [1]. Darktrace’s own research found Amazon to be the most mimicked brand, making up 80% of phishing attacks in its analysis of global consumer brands.
When faced with an email that appears to come from a trusted sender like Amazon, recipients are far more likely to engage, increasing the success rate of these phishing campaigns.
In one case observed on November 16, Darktrace detected an email with the subject line “NOW LIVE: Amazon’s Best Early Black Friday Deals on Gadgets Under $60”. The email was sent to a customer by the sender ‘Deal Watchdogs’, in what appeared to be an attempt to masquerade as a legitimate discount-finding platform. No evidence indicated that the company was legitimate. In fact, the threat actor made no attempt to create a convincing name, and the domain appeared to be generated by a domain generation algorithm (DGA), as shown in Figure 2.
Although the email was sent by ‘Deal Watchdogs’, it attempted to impersonate Amazon by featuring realistic branding, including the Amazon logo and a shade of orange similar to that used by them for the ‘CLICK HERE’ button and headline text.
Figure 1: The contents of the email observed by Darktrace, featuring authentic-looking Amazon branding.
Darktrace identified that the email, marked as urgent by the sender, contained a suspicious link to a Google storage endpoint (storage.googleapis[.]com), which had been hidden by the text “CLICK HERE”. If clicked, the link could have led to a credential harvester or served as a delivery vector for a malicious payload hosted on the Google storage platform.
Fortunately, Darktrace immediately identified the suspicious nature of this email and held it before delivery, preventing recipients from ever receiving or interacting with the malicious content.
Figure 2: Darktrace / EMAIL’s detection of the malicious phishing email sent to a customer.
Around the same time, Darktrace detected a similar email attempting to spoof Amazon on another customer’s network with the subject line “Our 10 Favorite Deals on Amazon That Started Today”, also sent by ‘Deal Watchdogs,’ suggesting a broader campaign.
Analysis revealed that this email originated from the domain petplatz[.]com, a fake marketing domain previously linked to spam activity according to open-source intelligence (OSINT) [2].
Brand Impersonation: Louis Vuitton
A few days later, on November 20, Darktrace / EMAIL detected a phishing email attempting to impersonate the luxury fashion brand Louis Vuitton. At first glance, the email, sent under the name ‘Louis Vuitton’ and titled “[Black Friday 2025] Discover Your New Favorite Louis Vuitton Bag – Elegance Starts Here”, appeared to be a legitimate Black Friday promotion. However, Darktrace’s analysis uncovered several red flags indicating a elaborate brand impersonation attempt.
The email was not sent by Louis Vuitton but by rskkqxyu@bookaaatop[.]ru, a Russia-based domain never before observed on the customer’s network. Darktrace flagged this as suspicious, noting that .ru domains were highly unusual for this recipient’s environment, further reinforcing the likelihood of malicious intent. Subsequent analysis revealed that the domain had only recently registered and was flagged as malicious by multiple OSINT sources [3].
Figure 3: Darktrace / EMAIL’s detection of the malicious email attempting to spoofLouis Vuitton, originating from a suspicious Russia-based domain.
Darktrace further noted that the email contained a highly suspicious link hidden behind the text “View Collection” and “Unsubscribe,” ensuring that any interaction, whether visiting the supposed ‘handbag store’ or attempting to opt out of marketing emails, would direct recipients to the same endpoint. The link resolved to xn--80aaae9btead2a[.]xn--p1ai (топааабоок[.]рф), a domain confirmed as malicious by multiple OSINT sources [4]. At the time of analysis, the domain was inaccessible, likely due to takedown efforts or the short-lived nature of the campaign.
Darktrace / EMAIL blocked this email before it reached customer inboxes, preventing recipients from interacting with the malicious content and averting any disruption.
Figure 4: The suspicious domain linked in the Louis Vuitton phishing email, now defunct.
Too good to be true?
Aside from spoofing well-known brands, threat actors frequently lure consumers with “too good to be true” luxury offers, a trend Darktrace observed in multiple cases throughout November.
In one instance, Darktrace identified an email with the subject line “[Black Friday 2025] Luxury Watches Starting at $250.” Emails contained a malicious phishing link, hidden behind text like “Rolex Starting from $250”, “Shop Now”, and “Unsubscribe”.
Figure 5: Example of a phishing email detected by Darktrace, containing malicious links concealed behind seemingly innocuous text.
Similarly to the Louis Vuitton email campaign described above, this malicious link led to a .ru domain (hxxps://x.wwwtopsalebooks[.]ru/.../d65fg4er[.]html), which had been flagged as malicious by multiple sources [5].
Figure 6: Darktrace / EMAIL’s detection of a malicious email promoting a fake luxury watch store, which was successfully held from recipient inboxes.
If accessed, this domain would redirect users to luxy-rox[.]com, a recently created domain (15 days old at the time of writing) that has also been flagged as malicious by OSINT sources [6]. When visited, the redirect domain displayed a convincing storefront advertising high-end watches at heavily discounted prices.
Figure 7: The fake storefront presented upon visiting the redirectdomain, luxy-rox[.]com.
Although the true intent of this domain could not be confirmed, it was likely a scam site or a credential-harvesting operation, as users were required to create an account to complete a purchase. As of the time or writing, the domain in no longer accessible .
This email illustrates a layered evasion tactic: attackers employed multiple domains, rapid domain registration, and concealed redirects to bypass detection. By leveraging luxury branding and urgency-driven discounts, the campaign sought to exploit seasonal shopping behaviors and entice victims into clicking.
Staying Protected During Seasonal Retail Scams
The investigation into these Black Friday-themed phishing emails highlights a clear trend: attackers are exploiting seasonal shopping events with highly convincing campaigns. Common tactics observed include brand impersonation (Amazon, Louis Vuitton, luxury watch brands), urgency-driven subject lines, and hidden malicious links often hosted on newly registered domains or cloud services.
These campaigns frequently use redirect chains, short-lived infrastructure, and psychological hooks like exclusivity and luxury appeal to bypass user scepticism and security filters. Organizations should remain vigilant during retail-heavy periods, reinforcing user awareness training, link inspection practices, and anomaly-based detection to mitigate these evolving threats.
Credit to Ryan Traill (Analyst Content Lead) and Owen Finn (Cyber Analyst)
