ブログ
/
Email
/
July 6, 2023

How Darktrace Foiled QR Code Phishing

Explore Darktrace's successful detection of QR code phishing. Understand the methods used to thwart these sophisticated cyber threats.
Written by
Alexandra Sentenac
Cyber Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Alexandra Sentenac
Cyber Analyst
Default blog image
06
Jul 2023

What is a QR Code?

Invented by a Japanese company in 1994 to label automobile parts, Quick Response codes, best known as QR codes, are rapidly becoming ubiquitous everywhere in the world. Their design, inspired by the board and black and white pieces of the game of Go, permits the storage of more information than regular barcodes and to access that information more quickly. The COVID-19 pandemic contributed to their increased popularity as it conveniently replaced physical media of all types for the purpose of content sharing. It is now common to see them in restaurant menus, plane tickets, advertisements and even in stickers containing minimal to no text pasted on lamp posts and other surfaces, enticing passers-by to scan its content. 

QR Code Phishing Attacks (Quishing)

Recently, threat actors have been identified using QR codes too to embed malicious URLs leading the unsuspecting user to compromised websites containing malware or designed to harvest credentials. In the past month, Darktrace has observed an increase in the number of phishing emails leveraging malicious QR codes for malware distribution and/or credential harvesting, a new form of social engineering attack labelled “Quishing” (i.e., QR code phishing).

Between June 13 and June 22, 2023, Darktrace protected a tech company against one such Quishing attack when five of its senior employees were sent malicious emails impersonating the company’s IT department. The emails contained a QR code that led to a login page designed to harvest the credentials of these senior staff members. Fortunately for the customer, Darktrace / EMAIL thwarted this phishing campaign in the first instance and the emails never reached the employee inboxes. 

Trends in Quishing Attacks

The Darktrace/Email team have noticed a recent and rapid increase in QR code abuse, suggesting that it is a growing tactic used by threat actors to deliver malicious payload links. This trend has also been observed by other security solutions [1] [2] [3] [4]. The Darktrace/Email team has identified malicious emails abusing QR codes in multiple ways. Examples include embedded image links which load a QR code and QR code images being delivered as attachments, such as those explored in this case study. Darktrace/Email is continually refining its detection of malicious QR codes and QR code extraction capabilities so that it can detect and block them regardless of their size and location within the email.   

Quishing Attack Overview

The attack consisted of five emails, each sent from different sender and envelope addresses, displayed common points between them. The emails all conveyed a sense of urgency, either via the use of words such as “urgent”, “now”, “required” or “important” in the subject field or by marking the email as high priority, thus making the recipient believe the message is pressing and requires immediate attention. 

Additionally, the subject of three of the emails directly referred to two factor authentication (2FA) enabling or QR code activation. Another particularity of these emails was that three of them attempted to impersonate the internal IT team of the company by inserting the company domain alongside strings, such as “it-desk” and “IT”, into the personal field of the emails. Email header fields like this are often abused by attackers to trick users by pretending to be an internal department or senior employee, thus avoiding more thorough validation checks. Both instilling a sense of urgency and including a known domain or name in the personal field are techniques that help draw attention to the email and maximize the chances that it is opened and engaged by the recipient. 

However, threat actors also need to make sure that the emails actually reach the intended inboxes, and this can be done in several ways. In this case, several tactics were employed. Two of the five emails were sent from legitimate sender addresses that successfully passed SPF validation, suggesting they were sent from compromised accounts. SPF is a standard email authentication method that tells the receiving email servers whether emails have been sent from authorized servers for a given domain. Without SPF validation, emails are more likely to be categorized as spam and be sent to the junk folder as they do not come from authorized sources.

Another of the malicious emails, which also passed SPF checks, used a health care facility company domain in the header-from address field but was actually sent from a different domain (i.e., envelope domain), which lowers the value of the SPF authentication. However, the envelope domain observed in this instance belonged to a company recently acquired by the tech company targeted by the campaign.

This shows a high level of targeting from the attackers, who likely hoped that this detail would make the email more familiar and less suspicious. In another case, the sender domain (i.e., banes-gn[.]com) had been created just 6 days prior, thus lowering the chances of there being open-source intelligence (OSINT) available on the domain. This reduces the chances of the email being detected by traditional email security solutions relying on signatures and known-bad lists.

Darktrace Detects Quishing Attack

Despite its novelty, the domain was detected and assessed as highly suspicious by Darktrace. Darktrace/Email was able to recognize all of the emails as spoofing and impersonation attempts and applied the relevant tags to them, namely “IT Impersonation” and “Fake Account Alert”, depending on the choice of personal field and subject. The senders of the five emails had no prior history or association with the recipient nor the company as no previous correspondence had been observed between the sender and recipient. The tags applied informed on the likely intent and nature of the suspicious indicators present in the email, as shown in Figure 1. 

Darktrace/Email UI
Figure 1: Email log overview page, displaying important information clearly and concisely. 

Quishing Attack Tactics

Minimal Plain Text

Another characteristic shared by these emails was that they had little to no text included in the body of the email and they did not contain a plain text portion, as shown in Figure 2. For most normal emails sent by email clients and most automated programs, an email will contain an HTML component and a text component, in addition to any potential attachments present. All the emails had one image attachment, suggesting the bulk of the message was displayed in the image rather than the email body. This hinders textual analysis and filtering of the email for suspicious keywords and language that could reveal its phishing intent. Additionally, the emails were well-formatted and used the logo of the well-known corporation Microsoft, suggesting some level of technical ability on the part of the attackers. 

Figure 2: Email body properties giving additional insights into the content of the email. 

Attachment and link payloads

The threat actors employed some particularly innovative and novel techniques with regards to the attachments and link payloads within these emails. As previously stated, all emails contained an image attachment and one or two links. Figure 3 shows that Darktrace/Email detected that the malicious links present in these emails were located in the attachments, rather than the body of the email. This is a technique often employed by threat actors to bypass link analysis by security gateways. Darktrace/Email was also able to detect this link as a QR code link, as shown in Figure 4.

Figure 3: Further properties and metrics regarding the location of the link within the email. 
Figure 4: Darktrace / EMAIL analyzes multiple metrics and properties related to links, some of which are detailed here. 

The majority of the text, as well as the malicious payload, was contained within the image attachment, which for one of the emails looked like this: 

example of quishing email
Figure 5: Redacted screenshot of the image payload contained in one of the emails. 

Convincing Appearance

As shown, the recipient is asked to setup 2FA authentication for their account within two days if they don’t want to be locked out. The visual formatting of the image, which includes a corporate logo and Privacy Statement and Acceptable Use Policy notices, is well balanced and convincing. The payload, in this case the QR code containing a malicious link, is positioned in the centre so as to draw attention and encourage the user to scan and click. This is a type of email employees are increasingly accustomed to receiving in order to log into corporate networks and applications. Therefore, recipients of such malicious emails might assume represents expected business activity and thus engage with the QR code without questioning it, especially if the email is claiming to be from the IT department.  

Malicious Redirection

Two of the Quishing emails contained links to legitimate file storage and sharing solutions Amazon Web Services (AWS) and and InterPlanetary File System (IPFS), whose domains are less likely to be blocked by traditional security solutions. Additionally, the AWS domain link contained a redirect to a different domain that has been flagged as malicious by multiple security vendors [5]. Malicious redirection was observed in four of the five emails, initially from well-known and benign services’ domains such as bing[.]com and login[.]microsoftonline[.]com. This technique allows attackers to hide the real destination of the link from the user and increase the likelihood that the link is clicked. In two of the emails, the redirect domain had only recently been registered, and in one case, the redirect domain observed was hosted on the new .zip top level domain (i.e., docusafe[.]zip). The domain name suggests it is attempting to masquerade as a compressed file containing important documentation. As seen in Figure 6, a new Darktrace/Email feature allows customers to safely view the final destination of the link, which in this case was a seemingly fake Microsoft login page which could be used to harvest corporate credentials.

Figure 6: Safe preview available from the Darktrace/Email Console showing the destination webpage of one of the redirect links observed.

Gathering Account Credentials

Given the nature of the landing page, it is highly likely that this phishing campaign had the objective of stealing the recipients’ credentials, as further indicated by the presence of the recipients’ email addresses in the links. Additionally, these emails were sent to senior employees, likely in an attempt to gather high value credentials to use in future attacks against the company. Had they succeeded, this would have represented a serious security incident, especially considering that 61% of attacks in 2023 involved stolen or hacked credentials according to Verizon’s 2023 data breach investigations report [6]. However, these emails received the highest possible anomaly score (100%) and were held by Darktrace/Email, thus ensuring that their intended recipients were never exposed to them. 

Looking at the indicators of compromise (IoCs) identified in this campaign, it appears that several of the IPs associated with the link payloads have been involved in previous phishing campaigns. Exploring the relations tab for these IPs in Virus Total, some of the communicating files appear to be .eml files and others have generic filenames including strings such as “invoice” “remittance details” “statement” “voice memo”, suggesting they have been involved in other phishing campaigns seemingly related to payment solicitation and other fraud attempts.

Figure 7: Virus Total’s relations tab for the IP 209.94.90[.]1 showing files communicating with the IP. 

Conclusion

Even though the authors of this Quishing campaign used all the tricks in the book to ensure that their emails would arrive unactioned by security tools to the targeted high value recipients’ inboxes, Darktrace/Email was able to immediately recognize the phishing attempts for what they were and block the emails from reaching their destination. 

This campaign used both classic and novel tactics, techniques, and procedures, but ultimately were detected and thwarted by Darktrace/Email. It is yet another example of the increasing attack sophistication mentioned in a previous Darktrace blog [7], wherein the attack landscape is moving from low-sophistication, low-impact, and generic phishing tactics to more targeted, sophisticated and higher impact attacks. Darktrace/Email does not rely on historical data nor known-bad lists and is best positioned to protect organizations from these highly targeted and sophisticated attacks.

References

[1] https://www.infosecurity-magazine.com/opinions/qr-codes-vulnerability-cybercrimes/ 

[2] https://www.helpnetsecurity.com/2023/03/21/qr-scan-scams/ 

[3] https://www.techtarget.com/searchsecurity/feature/Quishing-on-the-rise-How-to-prevent-QR-code-phishing 

[4] https://businessplus.ie/tech/qr-code-phishing-hp/ 

[5] https://www.virustotal.com/gui/domain/fistulacure.com

[6] https://www.verizon.com/business/en-gb/resources/reports/dbir/ ; https://www.verizon.com/business/en-gb/resources/reports/dbir/

[7] https://darktrace.com/blog/shifting-email-conversation 

Darktrace Model Detections 

Association models

No Sender or Content Association

New Sender

Unknown Sender

Low Sender Association

Link models

Focused Link to File Storage

Focused Rare Classified Links

New Unknown Hidden Redirect

High Risk Link + Low Sender Association

Watched Link Type

High Classified Link

File Storage From New

Hidden Link To File Storage

New Correspondent Classified Link

New Unknown Redirect

Rare Hidden Classified Link

Rare Hidden Link

Link To File Storage

Link To File Storage and Unknown Sender

Open Redirect

Unknown Sender Isolated Rare Link

Visually Prominent Link

Visually Prominent Link Unexpected For Sender

Low Link Association

Low Link Association and Unknown Sender

Spoof models

Fake Support Style

External Domain Similarities

Basic Known Entity Similarities

Unusual models

Urgent Request Banner

Urgent Request Banner + Basic Suspicious Sender

Very Young Header Domain

Young Header Domain

Unknown User Tracking

Unrelated Personal Name Address

Unrelated Personal Name Address + Freemail

Unusual Header TLD

Unusual Connection From Unknown

Unbroken Personal

Proximity models

Spam + Unknown Sender

Spam

Spam models

Unlikely Freemail Correspondence

Unlikely Freemail Personalization

General Indicators models

Incoming Mail Security Warning Message

Darktrace Model Tags

Credential Harvesting

Internal IT Impersonation

Multistage payload

Lookalike Domain

Phishing Link

Email Account Takeover

Fake Account Alert

Low Mailing History

No Association

Spoofing Indicators

Unknown Correspondent

VIP

Freemail

IoC - Type - Description & Confidence

fistulacure[.]com

domain

C2 Infrastructure

docusafe[.]zip

domain

Possible C2 Infrastructure

mwmailtec[.]com

domain

Possible C2 Infrastructure

czeromedia[.]com

domain

Possible C2 Infrastructure

192.40.165[.]109

IP address

Probable C2 Infrastructure

209.94.90[.]1

IP address

C2 Infrastructure

52.61.107[.]58

IP address

Possible C2 Infrastructure

40.126.32[.]133

IP address

Possible C2 Infrastructure

211.63.158[.]157

IP address

Possible C2 Infrastructure

119.9.27[.]129

IP address

Possible C2 Infrastructure

184.25.204[.]33

IP address

Possible C2 Infrastructure

40.107.8[.]107

IP address

Probable C2 Infrastructure

40.107.212[.]111

IP address

Possible Infrastructure

27.86.113[.]2

IP address

Possible C2 Infrastructure

192.40.191[.]19

IP address

Possible C2 Infrastructure

157.205.202[.]217

IP address

Possible C2 Infrastructure

a31f1f6063409ecebe8893e36d0048557142cbf13dbaf81af42bf14c43b12a48

SHA256 hash

Possible Malicious File

4c4fb35ab6445bf3749b9d0ab1b04f492f2bc651acb1bbf7af5f0a47502674c9

SHA256 hash

Possible Malicious File

f9c51d270091c34792b17391017a09724d9a7890737e00700dc36babeb97e252

SHA256 hash

Possible Malicious File

9f8ccfd616a8f73c69d25fd348b874d11a036b4d2b3fc7dbb99c1d6fa7413d9a

SHA256 hash

Possible Malicious File

b748894348c32d1dc5702085d70d846c6dd573296e79754df4857921e707c439

SHA256 hash

Possible Malicious File

執筆者
Alexandra Sentenac
Cyber Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Alexandra Sentenac
Cyber Analyst

How Attackers Abuse the Chinese Nezha Monitoring Tool

Network
June 10, 2026
Nathaniel Bill
Malware Research Engineer
Watch the NIS2 Webinar
よく読まれているブログ
1
Prompt Security in Enterprise AI: Strengths, Weaknesses, and Common Approaches
May 20, 2026
2
How Empowering End Users can Improve Your Email Security and Decrease the Burden on the SOC
May 8, 2024
3
Elevating Network Security: Confronting Trust, Ransomware, & Novel Attacks
Jun 21, 2024
4
The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners
Apr 9, 2024
5
The State of AI in Cybersecurity: The Impact of AI on Cybersecurity Solutions
May 13, 2024

More in this series

No items found.
さらに読む
Email
May 26, 2026

Journey of a Threat: How Multi-Layered AI Works in Darktrace / EMAIL

Follow a malicious email as it moves through Darktrace / EMAIL’s multi-layered AI system, from raw data to final decision. Each layer works together to detect threats, understand intent, and take autonomous action.
Jamie Bali
Technical Author (AI) Developer
Read more
Email
May 1, 2026

How email-delivered prompt injection attacks can target enterprise AI – and why it matters

Prompt injection is a newly emerging threat, with only a handful of confirmed victims so far – targeting how AI systems use data rather than exploiting traditional software vulnerabilities. As agentic AI becomes embedded across enterprise environments, attackers may attempt to manipulate these systems through hidden instructions in everyday email content.
Kiri Addison
Senior Director of Product
Read more
Email
March 24, 2026

Darktrace Unites Human Behavior and Threat Detection Across Email, Slack, Teams, and Zoom

Introducing the adaptive era of email security: a unified platform that connects personalized coaching, collaboration tools, and user behavior into a self-improving defense system.
Carlos Gray
Senior Product Marketing Manager, Email
Read more

Blog

/

AI

/

June 14, 2026

スポーツ産業のサイバーセキュリティ: デジタル化した2026年のスポーツ産業が直面する脅威

Default blog imageDefault blog image

2026年のスポーツイベントを保護する

試合開催日にスタジアムに足を踏み入れるとき、あなたは小さなスマートシティを訪れています。チケット販売、回転ゲート、決済システム、何万ものファンが利用する公共Wi-Fi、CCTV、照明、そしてHVACまでもがすべて、相互に接続されたシステム上で稼働しています。ファンの体験はこれまでになく向上しましたが、この接続への依存は人々が想像するよりもはるかに大きなアタックサーフェスを作り出しています。

私たちの最新の調査結果はそれを裏付けています。ダークトレースが委託して実施した調査によれば、調査対象のプロスポーツ組織の84%は過去1年間に少なくとも1回のサイバーインシデントを経験しており、57%は複数回遭遇していました。試合が行われるライブ時間にすべてがかかっている業界にとって、これらの数字は直接的に運営上のリスクを意味します。

なぜスポーツがサイバー攻撃の標的になるのか

スポーツは非常に目立つターゲットであり、スケジュールが決まっているため、攻撃者は障害が最も影響を与える時期を正確に知っています。また、貴重なデータであるアスリートの医療記録、契約書、スポンサー契約書などが保管されており、これらが漏洩すれば財務上、評判上、規制上のリスクを伴います。同時に、イベントの開催もチケット発行、放送局、クラウドサービス、スタジアム関連テクノロジーなど、多くの第三者に依存しています。それらのシステムとの接続はいずれも侵入点になる可能性があります。注目度、スケジュール、データ、依存関係、これらが組み合わされることにより、小さな足がかりから、影響の大きな、時間的余裕の許されないインシデントに発展する環境が生まれます。

攻撃者はどのようにEメールとアイデンティティを標的にするか

Eメールとアイデンティティは主要な侵入経路です。2025年10月から2026年3月にかけて、Darktrace / EMAIL™は当社の顧客ベースにおいてスポーツ組織を狙った11万6,000通以上のフィッシングEメールを検知しました。また、スポーツ業界の顧客は他の業界の組織よりも19%多くのフィッシングEメールを受け取っています。数字がこれを物語っています:

数値が示すもの

  • フィッシングEメールの21%はVIPを標的
  • 37%は新手のソーシャルエンジニアリングを使用
  • 悪意あるEメールの84%がDMARC認証を通過

これらのEメールの大部分は認証チェックを通過しており、従来のセキュリティ対策がもはや信頼できる防壁ではないことを意味しています。攻撃者はなりすましドメインに頼っているのではなく、正規のインフラストラクチャと信頼されたプラットフォームを利用しています。ここで、動作が大きな意味を持ちます。アカウントが侵害されると、動作は急速に変化します。ログインパターンが変わり、返信を隠すための受信トレイルールが作成され、アカウントが内部偵察やさらなるフィッシングに使用され始めます。これらは大きな騒音を伴う出来事ではありません。それらは通常のワークフローに紛れ込み、多くのケースで見落とされています。

ランサムウェアも同じような経緯で発生しています。あるスポーツ関連の顧客内では、攻撃者は暗号化を開始する前の2週間もの間、静かにデータを外部サーバーに移動していました。身代金要求文が出現するときには、すでにお膳立てができていたというわけです。一貫して見られるシーケンスとして、まずアクセスがあり、次に移動があり、そして最後に障害が発生しています。暗号化の時点で検知されても、既に手遅れです。

AIがスポーツ組織の新たなブラインドスポットとなる理由

AI導入の増加は潜在的アタックサーフェスを拡大させています。当社が調査を行ったセキュリティプロフェッショナルの72%は、今後1年間でAIがリスク増大につながると予想しています。しかし35%はスタジアムの運営という保護すべき最も重要な機能に既にAIを使用しているか、使用を計画しているのです。プロンプトインジェクションやAI構築リスクに加えて、シャドーAIがより切迫したリスクとなりつつあります。スタッフはすでに、パフォーマンス指標、スカウティングレポート、契約、健康データなどの機密データを、ほとんどまたはまったく管理されていないツールに入力しています。AIのもたらす利点は明らかですが、リスクも同様に明白であり、しかもそれはほとんどの組織が何の可視性やコントロールも持たないうちに発生しています。その一方で、攻撃者は同じAI技術を使ってフィッシングやソーシャルエンジニアリングを拡大しています。その結果はシンプルです-より大きな露出リスクが、より速いスピードで発生しているのです。

サイバーセキュリティプロフェッショナルはどう備えるべきか

大規模なイベントにおいて、効果的なサイバー防御には準備、リアルタイムの可視性が重要です。限られたタイミング、複雑さ、一般の注目、そしてこれらが重なるなかで、動的かつ決定的に対応する能力が必要であることを、ダークトレースの経験は物語っています。

サイバーセキュリティチームにとって戦略的に重要ないくつかの項目があります:

  • コーポレートシステムだけでなく、ITおよびOT全体の動作の可視性を確保すること。
  • アイデンティティをコントロールプレーンとして扱うこと。 この分野でのほとんどの攻撃は、マルウェアではなく認証情報から始まります。ビヘイビア検知を用いた多要素認証(MFA)は、その課題の解決に役立ちます。
  • 自社の環境を管理するのと同じように第三者とAIのアクセスも制御すること。
  • 数分で意思決定を行う、ライブ条件で対応を訓練すること。 検知と対応は、エンジニアにプレッシャーがかかり、時間が制約される非理想的な条件を考慮する必要があります。スポーツにおいて小さな問題を重大インシデントに発展させるのは、このタイミング条件です。平日であれば問題なく対応できる事象も、イベント開催中は重大な事態になりかねません。

2026年、スポーツにおいてサイバーセキュリティのリスクが拡大する理由

FIFAワールドカップ2026は3か国と数十の開催都市にまたがるため、アタックサーフェスは広範であり、スケジュールも厳しいものとなります。

地政学的なシグナリングは脅威プロファイルをさらに深刻化させています。これまでの国際スポーツイベントでは、国家を背後に持つ脅威アクターがサイバー領域を利用してその意思を示し、ナラティブに影響を及ぼし、象徴的な報復を行うことが実証されています。2026年ワールドカップの文脈において、国際スポーツからのロシアの継続的な排除、ウクライナでの現在の紛争、米国のウクライナへの防衛支援、そしてイランの大会参加の可能性は、国家に関係したアクター、そして非伝統的なアフィリエイト達が武力攻撃未満のサイバー攻撃を展開するさらなる動機を与えています。それには新しい技術は必要ありません — ただ適切なタイミングと注目度があればよいのです。

実務においては、結局準備に行きつくことになります。ITとOT全体で正常な状態がどのようなものかを把握し、第三者のアクセスを管理し、動作の変化を識別することです。

スポーツにおいて、障害は徐々に蓄積するのではなく、リアルタイムに、衆人環視の下で発生します。試合開始のホイッスルが鳴るずっと前に、その段取りはすでに完了しているのです。

調査について

調査結果は、スポーツセクターの顧客におけるDarktraceの脅威調査テレメトリー(2025年第4四半期~2026年第1四半期)および2026年5月28日から6月3日にOpinion Mattersが実施した米国、英国、オーストラリア、ドイツの875人のITサイバーセキュリティ専門家を対象とした調査に基づいています。調査手法の詳細、インシデント分析、および戦略的推奨事項については、レポート全文をお読みください。

[related-resource]

Continue reading
About the author
Nathaniel Jones
VP, Security & AI Strategy, Field CISO

Blog

/

OT

/

June 12, 2026

Protecting Stadiums & Events with AI

Default blog imageDefault blog image

Stadium and large public venue operators are confronted with a unique set of cyber security challenges. Often described as a ‘honeypot’ for cyber-criminals, the sports and entertainment industry is an attractive target for threat actors for three main reasons:

  • Modern sports organizations process sensitive and highly valuable data at scale;
  • Sporting events are highly visible and time-critical, operating in front of live audiences with no room for error;
  • Sports organizations rely on sprawling vendor ecosystems and supply chains to deliver broadcast, commerce, fan engagement services, and more.

In a recent Darktrace-commissioned survey, 84% of professional sports organizations reported at least one cyber incident in the past year, and 57% were hit more than once [1]. The potential ramifications of cyber disruption during a large-scale sports event cannot be overstated. A momentary lapse in access to power could bring TV broadcasts to a halt; disruption to access controls could restrict fans from entering the grounds; CCTV outages could increase the risk of criminal behavior and physical injuries. If data is not reliable and stadium machines are outputting the wrong metrics, a venue could become dangerously overcrowded. The barrier between the cyber and physical worlds has long dissolved – cyber-attacks threaten human safety.

In this blog, I explore the key challenges of stadium cyber security and explain the unique capabilities of Self-Learning AI that led me to adopt Darktrace as a head of ICT and cyber security for international venues and events. Over my career I have helped secure football and rugby World Cups, World Athletics Championships and more than 500 events ,and the lessons from each have only sharpened my conviction in this approach.

The access paradox

The biggest challenge lies in the paradox of securing a site where various internal services are provided to a large number of unknown and unmanaged users, suppliers and devices. When it’s game time, or ‘D-Day’, you see a huge influx of thousands of people, each with their own devices, needing to connect to your network and your infrastructure. The floodgates are opened. But certain parts of your digital environment need to remain protected: your sensitive employee and customer data, your critical OT systems. I liken this to opening the door to your home, and letting the entire town come in and wander around. But you still need to secure your master bedroom.

A multitude of different actors must be able to work on-site to provide services or content during the event. Broadcasters, staff and suppliers need to have access to manage the show, and all these people need to access or interact with the IT infrastructure. In many ways, these additional bodies are already inside the perimeter and could host unknown malicious threats.

This year, the paradox is wider than ever. A tournament spread across hundreds of suppliers and vendors means the foothold an attacker needs may already belong to a trusted partner – a single compromised supplier can become the doorway to everything else. And the adversary is no longer working alone: generative AI now lets attackers probe and weaponize vulnerabilities across thousands of software dependencies at a speed no human team could match, turning the access paradox from a manageable risk into a fast-moving target.

Achieving this balance between accessibility and security requires a shift in mindset from perimeter-based security to one that can detect and respond to threats on the inside. The complexities involved requires technology that can identify malicious behavior in real time based on the wider context of an incident. A particular behavior or connection may be benign in one context and yet critically disruptive in another — tools and technology must be able to discern between the two.

This is why I considered Darktrace’s Self-Learning AI a suitable fit: rather than defending at the perimeter, it focuses on detecting and responding to malicious activity already inside. Because it learns the unique ‘patterns of life’ of its surroundings, it can detect subtle deviations that indicate a threat and initiate a targeted response – without relying on pre-programmed rules and playbooks.

IT/OT convergence

The second key challenge is the issue of IT and OT convergence. Typical stadiums and arenas consist of a wide range of Industrial Control Systems (ICS).

This involves a complex and messy array of switches, cables, CCTV cameras, as well as devices and technologies being brought in by the media and the press, and all these IT and OT components are now interconnected, which means these technologies now have Internet Protocol (IP)-based threats to manage. The same challenges that the corporate infrastructure for stadium management faces in cyber security are therefore also now an issue for ICS security.

This challenge cannot be addressed by viewing IT and OT security in isolation — these two environments are linked because of the analogue migration to IP. A unified approach is required to detect and respond to threats that start in IT before moving to industrial systems.

The stakes are physical. CCTV, Access Control, Public Annoucement system, lighting and the giant screens are all now running over IP, and a disruption to any of them can force a venue to halt play on safety grounds. Scale compounds the problem. At the Qatar 2022 World Cup, eight stadiums were purpose-built to a single technical standard, which made the digital environment relatively uniform to defend. The 2026 tournament is the opposite: dozens of host venues across three countries, each with its own operator, its own contractors and its own legacy systems.This creates a far more fragmented and unpredictable estate to secure.

In addition, cyber security technology must be able to deal with complexity. Darktrace’s AI thrives in the most complex environments, with more data points adding more context to inform the AI’s decision making. It covers OT and IT with a single, unified AI engine, that can also detect and respond across cloud infrastructure, SaaS applications, email systems and endpoints. It is ready to adapt to the messy, interconnected systems that make up large stadiums’ digital infrastructure.

The time factor

Finally, the nature of stadium events means that timing is critical and puts enormous pressure on the organizers and operators. ‘D-Day’ cannot be replayed or postponed, and so if cyber disruption occurs during the event, every minute is crucial. You cannot reschedule a World Cup final or move an opening ceremony; the date is fixed, the world is watching, and there is no second take.

There is consequently a strong emphasis on two key metrics

  • Mean Time To Know (MTTK) — how long it takes the security team need to be aware of an incident; and
  • Mean Time To Restore (MTTR) — how quickly a team can act to contain the threat.

It is perhaps more imperative in stadium event management than anywhere else that these two metrics be minimized.

This leads to the third criteria in assessing cyber security technology: does it help with response? And critically, can that response be nuanced and targeted, able to contain that threat without causing further disruption?

To this end, Darktrace’s Autonomous Response takes machine-speed action to contain cyber-attacks, when humans are too slow to react or aren’t around at all. It’s powered by Darktrace’s AI, so it has a nuanced and continuously updating understanding of what’s ‘normal’ across IT and OT systems. This means its response actions are targeted: designed to eliminate the threat, but not at the cost of disruption. Crucially, this enables responses that are surgical rather than blunt. For example, taking an entire server offline to stop a ransomware attack can cause more disruption than the attack itself, so the real value lies in neutralizing the malicious activity precisely — containing the threat without taking down the systems the event and business depends on.

Depending on the nature and severity of the threat, the technology can block specific malicious connections by enforcing the normal ‘pattern of life’ of a device or account. When every second counts, this is the speed and granularity that you need in a cybersecurity technology.

Darktrace can be deployed across every area of the digital enterprise, including network, email, cloud and SaaS environments with the same self-learning approach, stopping anomalous behaviors that point to account takeover and other cloud-based threats. Earlier this year, we announced that Darktrace is also extending its behavioral approach to help businesses deploy and scale AI securely by understanding how these AI systems and agents behave, interact with other systems and humans, and evolve over time. This is critical because 72% of cybersecurity professionals at sports organizations believe AI will increase their cyber risk over the next 12 months [2].

Wherever it is deployed, Darktrace allows the stadium operator to focus on the vital part of the game and offers real-time protection without any modification in the network topology or infrastructure.

An adaptive defense

Cyber-criminals are constantly developing their approach in an attempt to evade security tools trained to look for specific hallmarks of an attack. As they get creative and continuously experiment with new tactics and techniques, the human operators using these tools are forced into a constant state of catch up.

An AI-based approach that learns an organization and its normal behavior patterns from the ground up puts an end to this game of ‘cat and mouse’, shifting the balance in favor of the defenders and allowing them to stay ahead of the threat. This matters more than ever, because adversaries are now using AI to scale their attacks. If you do not have AI working to protect you against malicious AI, you are already at a disadvantage.

With a nuanced understanding of what’s ‘normal’ for the business, unified IT/OT coverage, and an Autonomous Response solution that takes immediate, surgical action, the playing field is leveled, and large stadium and events operators can focus on delivering the best possible experience for attendees, digital viewers, partners and performers.

[related-resource]

References:

[1] [2] Darktrace: Cybersecurity in Global Sport, June 2026. Findings based on survey of 875 IT cybersecurity professionals based in the US, UK, Australia and Germany, working in professional sports organizations (including clubs, societies & sporting bodies) employing 10+ people. The survey was fielded between May 28, 2026 and June 3, 2026 by independent market research agency, Opinion Matters.

Continue reading
About the author
あなたのデータ × DarktraceのAI
唯一無二のDarktrace AIで、ネットワークセキュリティを次の次元へ