Blog
/
Email
/
December 4, 2024

Phishing Attacks Surge Over 600% in the Buildup to Black Friday

Black Friday and Cyber Monday are prime targets for cyber-attacks, as consumer spending rises and threat actors flock to take advantage. Darktrace analysis reveals a surge in retail cyber scams at the opening of the peak 2024 shopping period, and the top brands that scammers love to impersonate. Plus, don’t forget to check out our top tips for holiday-proofing your SOC before you clock off for the festive season.
Written by
Nathaniel Jones
VP, Security & AI Strategy, Field CISO
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Nathaniel Jones
VP, Security & AI Strategy, Field CISO
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
04
Dec 2024

Defenders are accustomed now to an uptick in cyber-attacks around the holiday period. The festive shopping season creates ideal conditions for cybercriminals. Consumers are inundated with time-sensitive deals, while retailers handle record-breaking transaction volumes at speed. This environment makes it harder than ever to identify suspicious activity.

An investigation conducted by Darktrace’s global analyst team revealed that Christmas-themed phishing attacks leapt 327%1 around the world and Black Friday and Cyber Monday themed phishing attacks soared to 692% last week compared to the beginning of November2 (4th - 9th November), as threat actors seek to take advantage of the busy holiday shopping period.

The United States retail sector saw the most marked increase in threat actors crafting convincing emails purporting to be from well-known brands, mimicking promotional emails. Attacks designed to look like they came from major brands including Walmart – which was easily the most mimicked US brand – Macy’s, Target, Old Navy, and Best Buy3 increased by more than 2000% during peak shopping periods.

Darktrace analysis also highlighted a redistribution of scammers’ resources to take advantage of the festive shopping season, moving from targeting businesses to consumers. The impersonation of major consumer brands, dominated by Amazon and PayPal4, increased by 92% globally between analyzed periods, while the spoofing of workplace-focused brands, like Adobe, Zoom and LinkedIn, decreased by 9%.

Major retail brands invest heavily in safeguarding themselves and their customers from scams and cyberattacks, particularly during the holiday season. However, phishing and website spoofing occur outside the retailers' legitimate infrastructure and security controls, making it difficult to catch and prevent every instance due to their sheer volume. While advancements like AI are helping security teams narrow the gap, brand impersonation remains a persistent challenge.

Multiple attack methods exploit trust during holiday rush

Darktrace’s findings demonstrate some of the most common brand spoofing strategies used by attackers during the holiday season:

Domain spoofing, which sees attackers create near perfect replicas of retail websites, complete with lookalike domain names and branding, to trick consumers into handing over personal and payment details.  

Brand spoofing, where attackers send a phishing email designed to look like a favorite retailer, enticing their target to click a link for a discount, when in fact the link downloads malware to their device.  

Safelink smuggling, which involves an attacker intentionally getting their malicious payload rewritten by a security solution’s Safelink capability to then propagate the rewritten URL to others. This not only evades detection but also undermines trust in email security tools. Darktrace observed over 300,000 cases of Safelinks being included in unexpected and suspicious contexts over a period of 3 months.

Multi-stage attacks which combine these tactics into a single attack: brand spoofing emails lead unsuspecting shoppers directly to domain spoofed websites that harvest login or payment details, creating a seamless deception that hands personal and financial data directly to attackers. This coordinated approach exploits the chaos of holiday sales, when shoppers are primed to expect high volumes of retail emails and website traffic promoting significant savings.

A spike in cyber-criminal activity which extends beyond email

While email often serves as the front door to an organization and the initial avenue of attack, Darktrace frequently observes a surge in cyber-attacks during public holidays5. These “off-peak” attacks exploit common organizational practices and human vulnerabilities with greater ease.

When staff numbers are reduced, and employees mentally and physically disconnect from work, the speed of detection and response has the potential to slow. This creates opportunities for threat actors to infiltrate undetected. Without real-time autonomous systems in place, such attacks can have a far more severe impact on an organization’s ability to respond and recover effectively.

Ransomware is among the most common threats targeting organizations after hours. In 76% of cases, the encryption process begins during off-hours or on weekends6. For instance, Darktrace identified a ransomware attack launched in the early hours of Christmas Day on a client’s network, taking advantage of the period when most employees were offline.

Festive cheer: giving your SOC team the break they deserve

Staff burnout is increasingly top of mind, with 74% of cybersecurity leaders reporting that they’ve had employees resign due to stress7. And the numbers stack up – almost 60% of security analysts report feeling burnt out, and many are choosing to leave their jobs and even security altogether.8

At a human level, the holiday season should be a time of relaxation and merriment rather than anxiety. For SOC leaders, giving teams time to prioritize recharging during the holidays is crucial for sustaining long-term resilience and productivity, balanced with the importance of maintaining rigorous defenses with a reduced workforce.  

So… how can cybersecurity leaders ensure peace of mind during the holidays?

Step 1: Cover yourself from every angle. It’s no longer enough for your email solution to only catch known threats. Security leaders need to invest in multi-layered email defenses that can combat novel and advanced attacks – such as the multi-stage brand personation attacks that lead shoppers to domain-spoofed websites.  

Darktrace / EMAIL – the fastest growing email security solution – has been proven to detect up to 56% more threats than other email solutions.9  It is uniquely capable of catching novel attacks on the first encounter, rather than waiting the 13 days it takes for other solutions to take action10 – by which time your decorations might be coming down, along with your business.

Step 2: Avoid an overwhelming deluge of alerts raining (or snowing) down on your L1 SOC analysts. Lining up people to manage the grunt work over the holidays is an easy pattern to fall into, but consider technology that can automate that initial triage. For example, Darktrace’s Cyber AI Analyst automatically investigates every alert detected by Darktrace’s core real-time detection engine. It does an additional layer of AI analysis – establishing whether an alert is unusual but benign, or part of a more serious security incident. Rather than looking at hundreds of alerts, your team is presented with just a handful of overall incidents. They can use that new free time to do more strategic work, or take some much-needed time off.

Step 3: Make sure someone – or something – is keeping guard in those super off-peak hours. Enter Autonomous Response. Because it knows what normal looks like for your business it can take action to stop and contain only the unusual and threatening activity. Even if it doesn’t eliminate the threat entirely, it can buy your security team time and space, allowing them to enjoy their holiday in peace.

With Black Friday over and the festive shopping period looming, businesses should act now to protect their brand and ensure they have the cybersecurity measures are in place to enjoy the gift of a stress-free holiday season.  

Interested in how AI-driven email security can protect your organization? Check out the product hub to learn more. Or watch the demo video to see Darktrace / EMAIL in action.

References

[1] Based on analysis of 626 customer deployments and attempted phishing emails mentioning Christmas that were detected by Darktrace / EMAIL.

[2] Emails in the analysis mentioning ‘Black Friday’ or ‘Cyber Monday’.

[3] Walmart, Target, Best Buy, Macy's, Old Navy, 1800-Flowers

[4] Amazon, eBay, Netflix, Alibaba, Paypal, Apple

[5] In 2021, Darktrace observed a 70% average increase in attempted ransomware attacks in November and December compared to January and February. (Darktrace Press Release, 2021)

[6] https://www.zdnet.com/article/most-ransomware-attacks-take-place-during-the-night-or-the-weekend

[7] https://www.scworld.com/perspective/ciso-stress-levels-are-out-of-control

[8] https://www.informationweek.com/cyber-resilience/the-psychology-of-cybersecurity-burnout

[9] 56% of malicious phishing emails detected and analyzed across Darktrace / EMAIL customer deployments from December 2023 – July 2024 passed through all existing security layers. (Darktrace Half Year Report 2024)

[10] 13 days mean average of phishing payloads active in the wild between the response of Darktrace / EMAIL compared to the earliest of 16 independent feeds submitted by other email security technologies. (Darktrace Press Release, 2023)

Written by
Nathaniel Jones
VP, Security & AI Strategy, Field CISO
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Nathaniel Jones
VP, Security & AI Strategy, Field CISO

React2Shell Reflections: Cloud Insights, Finance Sector Impacts, and How Threat Actors Moved So Quickly

January 14, 2026
Nathaniel Jones
VP, Security & AI Strategy, Field CISO
Watch the NIS2 Webinar
Trending blogs
1
Securing Generative AI: Managing Risk in Amazon Bedrock with Darktrace / CLOUD
Nov 19, 2025
2
How Empowering End Users can Improve Your Email Security and Decrease the Burden on the SOC
May 8, 2024
3
Elevating Network Security: Confronting Trust, Ransomware, & Novel Attacks
Jun 21, 2024
4
The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners
Apr 9, 2024
5
The State of AI in Cybersecurity: The Impact of AI on Cybersecurity Solutions
May 13, 2024

More in this series

No items found.
Continue reading
Email
December 18, 2025

Why Organizations are Moving to Label-free, Behavioral DLP for Outbound Email

Modern data loss doesn’t always look like a regex match. It can look like everyday communication slightly out of context. Here’s how a domain specific language model paired with behavioral learning protects labeled and unlabeled data without slowing business down.
Carlos Gray
Senior Product Marketing Manager, Email
Read more
Email
December 15, 2025

Beyond MFA: Detecting Adversary-in-the-Middle Attacks and Phishing with Darktrace

During a customer trial of Darktrace / EMAIL and Darktrace / IDENTITY, Darktrace detected an adversary-in-the-middle (AiTM) attack that compromised a user’s Office 365 account via a business email compromise (BEC) phishing email. Following the breach, the compromised account was used to launch both internal and external phishing campaigns.
Read more
Email
December 4, 2025

How Darktrace is ending email security silos with new capabilities in cross-domain detection, DLP, and native Microsoft integrations

Darktrace is delivering a major evolution in email security, uniting true AI-powered cross-domain detection, label-free behavioral DLP, and Microsoft-native automation – to catch the 17% of threats that SEGs miss.
Carlos Gray
Senior Product Marketing Manager, Email
Read more

Blog

/

/

January 14, 2026

React2Shell Reflections: Cloud Insights, Finance Sector Impacts, and How Threat Actors Moved So Quickly

React2Shell Default blog imageDefault blog image

Introduction

Last month’s disclosure of CVE 2025-55812, known as React2Shell, provided a reminder of how quickly modern threat actors can operationalize newly disclosed vulnerabilities, particularly in cloud-hosted environments.

The vulnerability was discovered on December 3, 2025, with a patch made available on the same day. Within 30 hours of the patch, a publicly available proof-of-concept emerged that could be used to exploit any vulnerable server. This short timeline meant many systems remained unpatched when attackers began actively exploiting the vulnerability.  

Darktrace researchers rapidly deployed a new honeypot to monitor exploitation of CVE 2025-55812 in the wild.

Within two minutes of deployment, Darktrace observed opportunistic attackers exploiting this unauthenticated remote code execution flaw in React Server Components, leveraging a single crafted request to gain control of exposed Next.js servers. Exploitation quickly progressed from reconnaissance to scripted payload delivery, HTTP beaconing, and cryptomining, underscoring how automation and pre‑positioned infrastructure by threat actors now compress the window between disclosure and active exploitation to mere hours.

For cloud‑native organizations, particularly those in the financial sector, where Darktrace observed the greatest impact, React2Shell highlights the growing disconnect between patch availability and attacker timelines, increasing the likelihood that even short delays in remediation can result in real‑world compromise.

Cloud insights

In contrast to traditional enterprise networks built around layered controls, cloud architectures are often intentionally internet-accessible by default. When vulnerabilities emerge in common application frameworks such as React and Next.js, attackers face minimal friction.  No phishing campaign, no credential theft, and no lateral movement are required; only an exposed service and exploitable condition.

The activity Darktrace observed during the React2shell intrusions reflects techniques that are familiar yet highly effective in cloud-based attacks. Attackers quickly pivot from an exposed internet-facing application to abusing the underlying cloud infrastructure, using automated exploitation to deploy secondary payloads at scale and ultimately act on their objectives, whether monetizing access through cryptomining or to burying themselves deeper in the environment for sustained persistence.

Cloud Case Study

In one incident, opportunistic attackers rapidly exploited an internet-facing Azure virtual machine (VM) running a Next.js application, abusing the React/next.js vulnerability to gain remote command execution within hours of the service becoming exposed. The compromise resulted in the staged deployment of a Go-based remote access trojan (RAT), followed by a series of cryptomining payloads such as XMrig.

Initial Access

Initial access appears to have originated from abused virtual private network (VPN) infrastructure, with the source IP (146.70.192[.]180) later identified as being associated with Surfshark

The IP address above is associated with VPN abuse leveraged for initial exploitation via Surfshark infrastructure.
Figure 1: The IP address above is associated with VPN abuse leveraged for initial exploitation via Surfshark infrastructure.

The use of commercial VPN exit nodes reflects a wider trend of opportunistic attackers leveraging low‑cost infrastructure to gain rapid, anonymous access.

Parent process telemetry later confirmed execution originated from the Next.js server, strongly indicating application-layer compromise rather than SSH brute force, misused credentials, or management-plane abuse.

Payload execution

Shortly after successful exploitation, Darktrace identified a suspicious file and subsequent execution. One of the first payloads retrieved was a binary masquerading as “vim”, a naming convention commonly used to evade casual inspection in Linux environments. This directly ties the payload execution to the compromised Next.js application process, reinforcing the hypothesis of exploit-driven access.

Command-and-Control (C2)

Network flow logs revealed outbound connections back to the same external IP involved in the inbound activity. From a defensive perspective, this pattern is significant as web servers typically receive inbound requests, and any persistent outbound callbacks — especially to the same IP — indicate likely post-exploitation control. In this case, a C2 detection model alert was raised approximately 90 minutes after the first indicators, reflecting the time required for sufficient behavioral evidence to confirm beaconing rather than benign application traffic.

Cryptominers deployment and re-exploitation

Following successful command execution within the compromised Next.js workload, the attackers rapidly transitioned to monetization by deploying cryptomining payloads. Microsoft Defender observed a shell command designed to fetch and execute a binary named “x” via either curl or wget, ensuring successful delivery regardless of which tooling was availability on the Azure VM.

The binary was written to /home/wasiluser/dashboard/x and subsequently executed, with open-source intelligence (OSINT) enrichment strongly suggesting it was a cryptominer consistent with XMRig‑style tooling. Later the same day, additional activity revealed the host downloading a static XMRig binary directly from GitHub and placing it in a hidden cache directory (/home/wasiluser/.cache/.sys/).

The use of trusted infrastructure and legitimate open‑source tooling indicates an opportunistic approach focused on reliability and speed. The repeated deployment of cryptominers strongly suggests re‑exploitation of the same vulnerable web application rather than reliance on traditional persistence mechanisms. This behavior is characteristic of cloud‑focused attacks, where publicly exposed workloads can be repeatedly compromised at scale more easily.

Financial sector spotlight

During the mass exploitation of React2Shell, Darktrace observed targeting by likely North Korean affiliated actors focused on financial organizations in the United Kingdom, Sweden, Spain, Portugal, Nigeria, Kenya, Qatar, and Chile.

The targeting of the financial sector is not unexpected, but the emergence of new Democratic People’s Republic of Korea (DPRK) tooling, including a Beavertail variant and EtherRat, a previously undocumented Linux implant, highlights the need for updated rules and signatures for organizations that rely on them.

EtherRAT uses Ethereum smart contracts for C2 resolution, polling every 500 milliseconds and employing five persistence mechanisms. It downloads its own Node.js runtime from nodejs[.]org and queries nine Ethereum RPC endpoints in parallel, selecting the majority response to determine its C2 URL. EtherRAT also overlaps with the Contagious Interview campaign, which has targeted blockchain developers since early 2025.

Read more finance‑sector insights in Darktrace’s white paper, The State of Cyber Security in the Finance Sector.

Threat actor behavior and speed

Darktrace’s honeypot was exploited just two minutes after coming online, demonstrating how automated scanning, pre-positioned infrastructure and staging, and C2 infrastructure traced back to “bulletproof” hosting reflects a mature, well‑resourced operational chain.

For financial organizations, particularly those operating cloud‑native platforms, digital asset services, or internet‑facing APIs, this activity demonstrates how rapidly geopolitical threat actors can weaponize newly disclosed vulnerabilities, turning short patching delays into strategic opportunities for long‑term access and financial gain. This underscores the need for a behavioral-anomaly-led security posture.

Credit to Nathaniel Jones (VP, Security & AI Strategy, Field CISO)

Edited by Ryan Traill (Analyst Content Lead)

Appendices

Indicators of Compromise (IoCs)

146.70.192[.]180 – IP Address – Endpoint Associated with Surfshark

References

https://www.darktrace.com/resources/the-state-of-cybersecurity-in-the-finance-sector

Continue reading
About the author
Nathaniel Jones
VP, Security & AI Strategy, Field CISO

Blog

/

/

January 13, 2026

Runtime Is Where Cloud Security Really Counts: The Importance of Detection, Forensics and Real-Time Architecture Awareness

runtime, cloud security, cnaapDefault blog imageDefault blog image

Introduction: Shifting focus from prevention to runtime

Cloud security has spent the last decade focused on prevention; tightening configurations, scanning for vulnerabilities, and enforcing best practices through Cloud Native Application Protection Platforms (CNAPP). These capabilities remain essential, but they are not where cloud attacks happen.

Attacks happen at runtime: the dynamic, ephemeral, constantly changing execution layer where applications run, permissions are granted, identities act, and workloads communicate. This is also the layer where defenders traditionally have the least visibility and the least time to respond.

Today’s threat landscape demands a fundamental shift. Reducing cloud risk now requires moving beyond static posture and CNAPP only approaches and embracing realtime behavioral detection across workloads and identities, paired with the ability to automatically preserve forensic evidence. Defenders need a continuous, real-time understanding of what “normal” looks like in their cloud environments, and AI capable of processing massive data streams to surface deviations that signal emerging attacker behavior.

Runtime: The layer where attacks happen

Runtime is the cloud in motion — containers starting and stopping, serverless functions being called, IAM roles being assumed, workloads auto scaling, and data flowing across hundreds of services. It’s also where attackers:

  • Weaponize stolen credentials
  • Escalate privileges
  • Pivot programmatically
  • Deploy malicious compute
  • Manipulate or exfiltrate data

The challenge is complex: runtime evidence is ephemeral. Containers vanish; critical process data disappears in seconds. By the time a human analyst begins investigating, the detail required to understand and respond to the alert, often is already gone. This volatility makes runtime the hardest layer to monitor, and the most important one to secure.

What Darktrace / CLOUD Brings to Runtime Defence

Darktrace / CLOUD is purpose-built for the cloud execution layer. It unifies the capabilities required to detect, contain, and understand attacks as they unfold, not hours or days later. Four elements define its value:

1. Behavioral, real-time detection

The platform learns normal activity across cloud services, identities, workloads, and data flows, then surfaces anomalies that signify real attacker behavior, even when no signature exists.

2. Automated forensic level artifact collection

The moment Darktrace detects a threat, it can automatically capture volatile forensic evidence; disk state, memory, logs, and process context, including from ephemeral resources. This preserves the truth of what happened before workloads terminate and evidence disappears.

3. AI-led investigation

Cyber AI Analyst assembles cloud behaviors into a coherent incident story, correlating identity activity, network flows, and Cloud workload behavior. Analysts no longer need to pivot across dashboards or reconstruct timelines manually.

4. Live architectural awareness

Darktrace continuously maps your cloud environment as it operates; including services, identities, connectivity, and data pathways. This real-time visibility makes anomalies clearer and investigations dramatically faster.

Together, these capabilities form a runtime-first security model.

Why CNAPP alone isn’t enough

CNAPP platforms excel at pre deployment checks all the way down to developer workstations, identifying misconfigurations, concerning permission combinations, vulnerable images, and risky infrastructure choices. But CNAPP’s breadth is also its limitation. CNAPP is about posture. Runtime defense is about behavior.

CNAPP tells you what could go wrong; runtime detection highlights what is going wrong right now.

It cannot preserve ephemeral evidence, correlate active behaviors across domains, or contain unfolding attacks with the precision and speed required during a real incident. Prevention remains essential, but prevention alone cannot stop an attacker who is already operating inside your cloud environment.

Real-world AWS Scenario: Why Runtime Monitoring Wins

A recent incident detected by Darktrace / CLOUD highlights how cloud compromises unfold, and why runtime visibility is non-negotiable. Each step below reflects detections that occur only when monitoring behavior in real time.

1. External Credential Use

Detection: Unusual external source for credential use: An attacker logs into a cloud account from a never-before-seen location, the earliest sign of account takeover.

2. AWS CLI Pivot

Detection: Unusual CLI activity: The attacker switches to programmatic access, issuing commands from a suspicious host to gain automation and stealth.

3. Credential Manipulation

Detection: Rare password reset: They reset or assign new passwords to establish persistence and bypass existing security controls.

4. Cloud Reconnaissance

Detection: Burst of resource discovery: The attacker enumerates buckets, roles, and services to map high value assets and plan next steps.

5. Privilege Escalation

Detection: Anomalous IAM update: Unauthorized policy updates or role changes grant the attacker elevated access or a backdoor.

6. Malicious Compute Deployment

Detection: Unusual EC2/Lambda/ECS creation: The attacker deploys compute resources for mining, lateral movement, or staging further tools.

7. Data Access or Tampering

Detection: Unusual S3 modifications: They alter S3 permissions or objects, often a prelude to data exfiltration or corruption.

Only some of these actions would appear in a posture scan, crucially after the fact.
Every one of these runtime detections is visible only through real-time behavioral monitoring while the attack is in progress.

The future of cloud security Is runtime-first

Cloud defense can no longer revolve solely around prevention. Modern attacks unfold in runtime, across a fast-changing mesh of workloads, services, and — critically — identities. To reduce risk, organizations must be able to detect, understand, and contain malicious activity as it happens, before ephemeral evidence disappears and before attacker's pivot across identity layers.

Darktrace / CLOUD delivers this shift by turning runtime, the most volatile and consequential layer in the cloud, into a fully defensible control point through unified visibility across behavior, workloads, and identities. It does this by providing:

  • Real-time behavior detection across workloads and identity activity
  • Autonomous response actions for rapid containment
  • Automated forensic level artifact preservation the moment events occur
  • AI-driven investigation that separates weak signals from true attacker patterns
  • Live cloud environment insight to understand context and impact instantly

Cloud security must evolve from securing what might go wrong to continuously understanding what is happening; in runtime, across identities, and at the speed attackers operate. Unifying runtime and identity visibility is how defenders regain the advantage.

[related-resource]

Continue reading
About the author
Adam Stevens
Senior Director of Product, Cloud | Darktrace
Your data. Our AI.
Elevate your network security with Darktrace AI