Blog
/
Network
/
July 4, 2024

A Busy Agenda: Darktrace's Detection of Qilin Ransomware as a Service Operator

This blog breaks down how Darktrace detected and analyzed Qilin, a Ransomware-as-a-Service group behind recent high-impact attacks. You’ll see how Qilin affiliates customize attacks with flexible encryption, process termination, and double-extortion techniques, as well as why its cross-platform builds in Rust and Golang make it especially evasive. Darktrace highlights three real-world cases where its AI identified likely Qilin activity across customer environments, offering insights into how behavioral detection can spot novel ransomware before disruption occurs. Readers will gain a clear view of Qilin’s toolkit, tactics, and how self-learning defense adapts to these evolving threats.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Alexandra Sentenac
Cyber Analyst
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
04
Jul 2024

What is Qilin Ransomware and what's its impact?

Qilin ransomware has recently dominated discussions across the cyber security landscape following its deployment in an attack on Synnovis, a UK-based medical laboratory company. The ransomware attack ultimately affected patient services at multiple National Health Service (NHS) hospitals that rely on Synnovis diagnostic and pathology services. Qilin’s origins, however, date back further to October 2022 when the group was observed seemingly posting leaked data from its first known victim on its Dedicated Leak Site (DLS) under the name Agenda[1].

The Darktrace Threat Research team investigated network artifacts related to Qilin and identified three probable cases of the ransomware across the Darktrace customer base between June 2022 and May 2024.

How Qilin Ransowmare Operates as RaaS

Qilin operates as a Ransomware-as-a-Service (RaaS) that employs double extortion tactics, whereby harvested data is exfiltrated and threatened of publication on the group's DLS, which is hosted on Tor. Qilin ransomware has samples written in both the Golang and Rust programming languages, making it compilable with various operating systems, and is highly customizable.

Techniques Qilin Ransomware uses to avoid detection

When building Qilin ransomware variants to be used on their target(s), affiliates can configure settings such as:

  • Encryption modes (skip-step, percent, or speed)
  • File extensions, directories, or processes to exclude
  • Unique company IDs used as extensions on encrypted files
  • Services or processes to terminate during execution [1] [2].
  • Trend Micro analysts, who were the first to discover Qilin samples in August 2022, when the name "Agenda" was still used in ransom notes, found that each analyzed sample was customized for the intended victims and that "unique company IDs were used as extensions of encrypted files" [3]. This information is configurable from within the Qilin's affiliate panel's 'Targets' section, shown below.

    Qilin's affiliate panel and branding

    The panel's background image features the eponym Chinese legendary chimerical creature Qilin (pronounced “Ke Lin”). Despite this Chinese mythology reference, Russian language was observed being used by a Qilin operator in an underground forum post aimed at hiring affiliates and advertising their RaaS operation[2].

    Figure 1: Qilin ransomware’s affiliate panel.

    Qilin’s affiliate payment model

    Qilin's RaaS program purportedly has an attractive affiliates' payment structure,

    • Affiliates earn 80% of ransom payments under USD 3 million
    • Affiliates earn 85% of ransom payments above USD 3 million [2]

    Publication of stolen data and ransom payment negotiations are purportedly handled by Qilin operators. Qilin affiliates have been known to target companies located around the world and within a variety of industries, including critical sectors such as healthcare and energy.

    Qilin target industries and victims

    As Qilin is a RaaS operation, the choice of targets does not necessarily reflect Qilin operators' intentions, but rather that of its affiliates.  

    Similarly, the tactics, techniques, procedures (TTPs) and indicators of compromise (IoC) identified by Darktrace are associated with the given affiliate deploying Qilin ransomware for their own purpose, rather than TTPs and IoCs of the Qilin group. Likewise, initial vectors of infection may vary from affiliate to affiliate.

    Previous studies show that initial access to networks were gained via spear phishing emails or by leveraging exposed applications and interfaces.

    Differences have been observed in terms of data exfiltration and potential C2 external endpoints, suggesting the below investigations are not all related to the same group or actor(s).

    [related-resource]

    Darktrace’s threat research investigation

    Qlin ransomware attack breakdown

    June 2022: Qilin ransomware attack exploiting VPN and SCCM servers

    Key findings:

    • Initial access: VPN and compromised admin account
    • Lateral movement: SCCM and VMware ESXi hosts
    • Malware observed: SystemBC, Tofsee
    • Ransom notes: Linked to Qilin naming conventions
    • Darktrace visibility: Analysts worked with customer via Ask the Expert (ATE) to expand coverage, revealing unusual scanning, rare external connections, and malware indicators tied to Qilin

    Full story:

    Darktrace first detected an instance of Qilin ransomware back in June 2022, when an attacker was observed successfully accessing a customer’s Virtual Private Network (VPN) and compromising an administrative account, before using RDP to gain access to the customer’s Microsoft System Center Configuration Manager (SCCM) server.

    From there, an attack against the customer's VMware ESXi hosts was launched. Fortunately, a reboot of their virtual machines (VM) caught the attention of the security team who further uncovered that custom profiles had been created and remote scripts executed to change root passwords on their VM hosts. Three accounts were found to have been compromised and three systems encrypted by ransomware.  

    Unfortunately, Darktrace was not configured to monitor the affected subnets at the time of the attack. Despite this, the customer was able to work directly with Darktrace analysts via the Ask the Expert (ATE) service to add the subnets in question to Darktrace’s visibility, allowing it to monitor for any further unusual behavior.

    Once visibility over the compromised SCCM server was established, Darktrace observed:

    • A series of unusual network scanning activities  
    • The use of Kali (a Linux distribution designed for digital forensics and penetration testing).
    • Connections to multiple rare external hosts. Many of which were using the “[.]ru” Top Level Domain (TLD).

    One of the external destinations the server was attempting to connect was found to be related to SystemBC, a malware that turns infected hosts into SOCKS5 proxy bots and provides command-and-control (C2) functionality.

    Additionally, the server was observed making external connections over ports 993 and 143 (typically associated with the use of the Interactive Message Access Protocol (IMAP) to multiple rare external endpoints. This was likely due to the presence of Tofsee malware on the device.

    After the compromise had been contained, Darktrace identified several ransom notes following the naming convention “README-RECOVER-<extension/company_id>.txt”” on the network. This naming convention, as well as the similar “<company_id>-RECOVER-README.txt” have been referenced by open-source intelligence (OSINT) providers as associated with Qilin ransom notes[5] [6] [7].

    April 2023: Manufacturing sector breach with large-scale exfiltration

    Key findings:

    • Initial access & movement: Extensive scanning and lateral movement via SMB, RDP, and WMI
    • Credential abuse: Use of default credentials (admin, administrator)
    • Malware/Indicators: Evidence of Cobalt Strike; suspicious WebDAV user agent and JA3 fingerprint
    • Data exfiltration: ~30 GB stolen via SSL to MEGA cloud storage
    • Darktrace analysis: Detected anomalous SMB and DCE-RPC traffic from domain controller, high-volume RDP activity, and rare external connectivity to IPs tied to command-and-control (C2). Confirmed ransom notes followed Qilin naming conventions.

    Full story:

    The next case of Qilin ransomware observed by Darktrace took place in April 2023 on the network of a customer in the manufacturing sector in APAC. Unfortunately for the customer in this instance, Darktrace's Autonomous Response was not active on their environment and no autonomous actions were taken to contain the compromise.

    Over the course of two days, Darktrace identified a wide range of malicious activity ranging from extensive initial scanning and lateral movement attempts to the writing of ransom notes that followed the aforementioned naming convention (i.e., “README-RECOVER-<extension/company_id>.txt”).

    Darktrace observed two affected devices attempting to move laterally through the SMB, DCE-RPC and RDP network protocols. Default credentials (e.g., UserName, admin, administrator) were also observed in the large volumes of SMB sessions initiated by these devices. One of the target devices of these SMB connections was a domain controller, which was subsequently seen making suspicious WMI requests to multiple devices over DCE-RPC and enumerating SMB shares by binding to the ‘server service’ (srvsvc) named pipe to a high number of internal devices within a short time frame. The domain controller was further detected establishing an anomalously high number of connections to several internal devices, notably using the RDP administrative protocol via a default admin cookie.  

    Repeated connections over the HTTP and SSL protocol to multiple newly observed IPs located in the 184.168.123.0/24 range were observed, indicating C2 connectivity.  WebDAV user agent and a JA3 fingerprint potentially associated with Cobalt Strike were notably observed in these connections. A few hours later, Darktrace detected additional suspicious external connections, this time to IPs associated with the MEGA cloud storage solution. Storage solutions such as MEGA are often abused by attackers to host stolen data post exfiltration. In this case, the endpoints were all rare for the network, suggesting this solution was not commonly used by legitimate users. Around 30 GB of data was exfiltrated over the SSL protocol.

    Darktrace did not observe any encryption-related activity on this customer’s network, suggesting that encryption may have taken place locally or within network segments not monitored by Darktrace.

    May 2024: US enterprise compromise

    Key findings:

    • Initial access & movement: Abuse of administrative and default credentials; lateral movement via DCE-RPC and RDP
    • Malware/Indicators: Suspicious executables (‘a157496.exe’, ‘83b87b2.exe’); abuse of RPC service LSM_API_service
    • Data exfiltration: Large amount of data exfiltrated via FTP and other channels to rare external endpoint (194.165.16[.]13)
    • C2 communications: HTTP/SSL traffic linked to Cobalt Strike, including PowerShell request for sihost64.dll
    • Darktrace analysis: Flagged unusual SMB writes, malicious file transfers, and large-scale exfiltration as highly anomalous. Confirmed widespread encryption activity targeting numerous devices and shares.

    Full story:

    The most recent instance of Qilin observed by Darktrace took place in May 2024 and involved a customer in the US.

    In this case, Darktrace initially detected affected devices using unusual administrative and default credentials. Then Darktrace observed additional Internal systems conducting abnormal activity such as:

    • Making extensive suspicious DCE-RPC requests to a range of internal locations
    • Performing network scanning
    • Making unusual internal RDP connections
    • And transferring suspicious executable files like 'a157496.exe' and '83b87b2.exe'.  

    SMB writes of the file "LSM_API_service" were also observed, activity which was considered 100% unusual by Darktrace; this is an RPC service that can be abused to enumerate logged-in users and steal their tokens. Various repeated connections likely representative of C2 communications were detected via both HTTP and SSL to rare external endpoints linked in OSINT to Cobalt Strike use. During these connections, HTTP GET requests for the following URIs were observed:

    /asdffHTTPS

    /asdfgdf

    /asdfgHTTP

    /download/sihost64.dll

    Notably, this included a GET request a DLL file named "sihost64.dll" from a domain controller using PowerShell.  

    Over 102 GB of data may have been transferred to another previously unseen endpoint, 194.165.16[.]13, via the unencrypted File Transfer Protocol (FTP). Additionally, many non-FTP connections to the endpoint could be observed, over which more than 783 GB of data was exfiltrated. Regarding file encryption activity, a wide range of destination devices and shares were targeted.

    Figure 2: Advanced Search graph displaying the total volume of data transferred over FTP to a malicious IP.

    During investigations, Darktrace’s Threat Research team identified an additional customer, also based in the United States, where similar data exfiltration activity was observed in April 2024. Although no indications of ransomware encryption were detected on the network, multiple similarities were observed with the case discussed just prior. Notably, the same exfiltration IP and protocol (194.165.16[.]13 and FTP, respectively) were identified in both cases. Additional HTTP connectivity was further observed to another IP using a self-signed certificate (i.e., CN=ne[.]com,OU=key operations,O=1000,L=,ST=,C=KM) located within the same ASN (i.e., AS48721 Flyservers S.A.). Some of the URIs seen in the GET requests made to this endpoint were the same as identified in that same previous case.

    Information regarding another device also making repeated connections to the same IP was described in the second event of the same Cyber AI Analyst incident. Following this C2 connectivity, network scanning was observed from a compromised domain controller, followed by additional reconnaissance and lateral movement over the DCE-RPC and SMB protocols. Darktrace again observed SMB writes of the file "LSM_API_service", as in the previous case, activity which was also considered 100% unusual for the network. These similarities suggest the same actor or affiliate may have been responsible for activity observed, even though no encryption was observed in the latter case.

    Figure 3: First event of the Cyber AI Analyst investigation following the compromise activity.

    According to researchers at Microsoft, some of the IoCs observed on both affected accounts are associated with Pistachio Tempest, a threat actor reportedly associated with ransomware distribution. The Microsoft threat actor naming convention uses the term "tempest" to reference criminal organizations with motivations of financial gain that are not associated with high confidence to a known non-nation state or commercial entity. While Pistachio Tempest’s TTPs have changed over time, their key elements still involve ransomware, exfiltration, and extortion. Once they've gained access to an environment, Pistachio Tempest typically utilizes additional tools to complement their use of Cobalt Strike; this includes the use of the SystemBC RAT and the SliverC2 framework, respectively. It has also been reported that Pistacho Tempest has experimented with various RaaS offerings, which recently included Qilin ransomware[4].

    Conclusion

    Qilin is a RaaS group that has gained notoriety recently due to high-profile attacks perpetrated by its affiliates. Despite this, the group likely includes affiliates and actors who were previously associated with other ransomware groups. These individuals bring their own modus operandi and utilize both known and novel TTPs and IoCs that differ from one attack to another.

    Darktrace’s anomaly-based technology is inherently threat-agnostic, treating all RaaS variants equally regardless of the attackers’ tools and infrastructure. Deviations from a device’s ‘learned’ pattern of behavior during an attack enable Darktrace to detect and contain potentially disruptive ransomware attacks.

    [related-resource]

    Credit to: Alexandra Sentenac, Emma Foulger, Justin Torres, Min Kim, Signe Zaharka for their contributions.

    References

    [1] https://www.sentinelone.com/anthology/agenda-qilin/  

    [2] https://www.group-ib.com/blog/qilin-ransomware/

    [3] https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda-customizes-attacks.html

    [4] https://www.microsoft.com/en-us/security/security-insider/pistachio-tempest

    [5] https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda-customizes-attacks.html

    [6] https://www.bleepingcomputer.com/forums/t/790240/agenda-qilin-ransomware-id-random-10-char;-recover-readmetxt-support/

    [7] https://github.com/threatlabz/ransomware_notes/tree/main/qilin

    Darktrace Model Detections

    Internal Reconnaissance

    Device / Suspicious SMB Scanning Activity

    Device / Network Scan

    Device / RDP Scan

    Device / ICMP Address Scan

    Device / Suspicious Network Scan Activity

    Anomalous Connection / SMB Enumeration

    Device / New or Uncommon WMI Activity

    Device / Attack and Recon Tools

    Lateral Movement

    Device / SMB Session Brute Force (Admin)

    Device / Large Number of Model Breaches from Critical Network Device

    Device / Multiple Lateral Movement Model Breaches

    Anomalous Connection / Unusual Admin RDP Session

    Device / SMB Lateral Movement

    Compliance / SMB Drive Write

    Anomalous Connection / New or Uncommon Service Control

    Anomalous Connection / Anomalous DRSGetNCChanges Operation

    Anomalous Server Activity / Domain Controller Initiated to Client

    User / New Admin Credentials on Client

    C2 Communication

    Anomalous Server Activity / Outgoing from Server

    Anomalous Connection / Multiple Connections to New External TCP Port

    Anomalous Connection / Anomalous SSL without SNI to New External

    Anomalous Connection / Rare External SSL Self-Signed

    Device / Increased External Connectivity

    Unusual Activity / Unusual External Activity

    Compromise / New or Repeated to Unusual SSL Port

    Anomalous Connection / Multiple Failed Connections to Rare Endpoint

    Device / Suspicious Domain

    Device / Increased External Connectivity

    Compromise / Sustained SSL or HTTP Increase

    Compromise / Botnet C2 Behaviour

    Anomalous Connection / POST to PHP on New External Host

    Anomalous Connection / Multiple HTTP POSTs to Rare Hostname

    Anomalous File / EXE from Rare External Location

    Exfiltration

    Unusual Activity / Enhanced Unusual External Data Transfer

    Anomalous Connection / Data Sent to Rare Domain

    Unusual Activity / Unusual External Data Transfer

    Anomalous Connection / Uncommon 1 GiB Outbound

    Unusual Activity / Unusual External Data to New Endpoint

    Compliance / FTP / Unusual Outbound FTP

    File Encryption

    Compromise / Ransomware / Suspicious SMB Activity

    Anomalous Connection / Sustained MIME Type Conversion

    Anomalous File / Internal / Additional Extension Appended to SMB File

    Compromise / Ransomware / Possible Ransom Note Write

    Compromise / Ransomware / Possible Ransom Note Read

    Anomalous Connection / Suspicious Read Write Ratio

    IoC List

    IoC – Type – Description + Confidence

    93.115.25[.]139 IP C2 Server, likely associated with SystemBC

    194.165.16[.]13 IP Probable Exfiltration Server

    91.238.181[.]230 IP C2 Server, likely associated with Cobalt Strike

    ikea0[.]com Hostname C2 Server, likely associated with Cobalt Strike

    lebondogicoin[.]com Hostname C2 Server, likely associated with Cobalt Strike

    184.168.123[.]220 IP Possible C2 Infrastructure

    184.168.123[.]219 IP Possible C2 Infrastructure

    184.168.123[.]236 IP Possible C2 Infrastructure

    184.168.123[.]241 IP Possible C2 Infrastructure

    184.168.123[.]247 IP Possible C2 Infrastructure

    184.168.123[.]251 IP Possible C2 Infrastructure

    184.168.123[.]252 IP Possible C2 Infrastructure

    184.168.123[.]229 IP Possible C2 Infrastructure

    184.168.123[.]246 IP Possible C2 Infrastructure

    184.168.123[.]230 IP Possible C2 Infrastructure

    gfs440n010.userstorage.me ga.co[.]nz Hostname Possible Exfiltration Server. Not inherently malicious; associated with MEGA file storage.

    gfs440n010.userstorage.me ga.co[.]nz Hostname Possible Exfiltration Server. Not inherently malicious; associated with MEGA file storage.

    Get the latest insights on emerging cyber threats

    This report explores the latest trends shaping the cybersecurity landscape and what defenders need to know in 2025

    Inside the SOC
    Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
    Written by
    Alexandra Sentenac
    Cyber Analyst

    More in this series

    No items found.

    Blog

    /

    Email

    /

    September 30, 2025

    Out of Character: Detecting Vendor Compromise and Trusted Relationship Abuse with Darktrace

    vendor email compromiseDefault blog imageDefault blog image

    What is Vendor Email Compromise?

    Vendor Email Compromise (VEC) refers to an attack where actors breach a third-party provider to exploit their access, relationships, or systems for malicious purposes. The initially compromised entities are often the target’s existing partners, though this can extend to any organization or individual the target is likely to trust.

    It sits at the intersection of supply chain attacks and business email compromise (BEC), blending technical exploitation with trust-based deception. Attackers often infiltrate existing conversations, leveraging AI to mimic tone and avoid common spelling and grammar pitfalls. Malicious content is typically hosted on otherwise reputable file sharing platforms, meaning any shared links initially seem harmless.

    While techniques to achieve initial access may have evolved, the goals remain familiar. Threat actors harvest credentials, launch subsequent phishing campaigns, attempt to redirect invoice payments for financial gain, and exfiltrate sensitive corporate data.

    Why traditional defenses fall short

    These subtle and sophisticated email attacks pose unique challenges for defenders. Few busy people would treat an ongoing conversation with a trusted contact with the same level of suspicion as an email from the CEO requesting ‘URGENT ASSISTANCE!’ Unfortunately, many traditional secure email gateways (SEGs) struggle with this too. Detecting an out-of-character email, when it does not obviously appear out of character, is a complex challenge. It’s hardly surprising, then, that 83% of organizations have experienced a security incident involving third-party vendors [1].  

    This article explores how Darktrace detected four different vendor compromise campaigns for a single customer, within a two-week period in 2025.  Darktrace / EMAIL successfully identified the subtle indicators that these seemingly benign emails from trusted senders were, in fact, malicious. Due to the configuration of Darktrace / EMAIL in this customer’s environment, it was unable to take action against the malicious emails. However, if fully enabled to take Autonomous Response, it would have held all offending emails identified.

    How does Darktrace detect vendor compromise?

    The answer lies at the core of how Darktrace operates: anomaly detection. Rather than relying on known malicious rules or signatures, Darktrace learns what ‘normal’ looks like for an environment, then looks for anomalies across a wide range of metrics. Despite the resourcefulness of the threat actors involved in this case, Darktrace identified many anomalies across these campaigns.

    Different campaigns, common traits

    A wide variety of approaches was observed. Individuals, shared mailboxes and external contractors were all targeted. Two emails originated from compromised current vendors, while two came from unknown compromised organizations - one in an associated industry. The sender organizations were either familiar or, at the very least, professional in appearance, with no unusual alphanumeric strings or suspicious top-level domains (TLDs). Subject line, such as “New Approved Statement From [REDACTED]” and “[REDACTED] - Proposal Document” appeared unremarkable and were not designed to provoke heightened emotions like typical social engineering or BEC attempts.

    All emails had been given a Microsoft Spam Confidence Level of 1, indicating Microsoft did not consider them to be spam or malicious [2]. They also passed authentication checks (including SPF, and in some cases DKIM and DMARC), meaning they appeared to originate from an authentic source for the sender domain and had not been tampered with in transit.  

    All observed phishing emails contained a link hosted on a legitimate and commonly used file-sharing site. These sites were often convincingly themed, frequently featuring the name of a trusted vendor either on the page or within the URL, to appear authentic and avoid raising suspicion. However, these links served only as the initial step in a more complex, multi-stage phishing process.

    A legitimate file sharing site used in phishing emails to host a secondary malicious link.
    Figure 1: A legitimate file sharing site used in phishing emails to host a secondary malicious link.
    Another example of a legitimate file sharing endpoint sent in a phishing email and used to host a malicious link.
    Figure 2: Another example of a legitimate file sharing endpoint sent in a phishing email and used to host a malicious link.

    If followed, the recipient would be redirected, sometimes via CAPTCHA, to fake Microsoft login pages designed to capturing credentials, namely http://pub-ac94c05b39aa4f75ad1df88d384932b8.r2[.]dev/offline[.]html and https://s3.us-east-1.amazonaws[.]com/s3cure0line-0365cql0.19db86c3-b2b9-44cc-b339-36da233a3be2ml0qin/s3cccql0.19db86c3-b2b9-44cc-b339-36da233a3be2%26l0qn[.]html#.

    The latter made use of homoglyphs to deceive the user, with a link referencing ‘s3cure0line’, rather than ‘secureonline’. Post-incident investigation using open-source intelligence (OSINT) confirmed that the domains were linked to malicious phishing endpoints [3] [4].

    Fake Microsoft login page designed to harvest credentials.
    Figure 3: Fake Microsoft login page designed to harvest credentials.
    Phishing kit with likely AI-generated image, designed to harvest user credentials. The URL uses ‘s3cure0line’ instead of ‘secureonline’, a subtle misspelling intended to deceive users.
    Figure 4: Phishing kit with likely AI-generated image, designed to harvest user credentials. The URL uses ‘s3cure0line’ instead of ‘secureonline’, a subtle misspelling intended to deceive users.

    Darktrace Anomaly Detection

    Some senders were unknown to the network, with no previous outbound or inbound emails. Some had sent the email to multiple undisclosed recipients using BCC, an unusual behavior for a new sender.  

    Where the sender organization was an existing vendor, Darktrace recognized out-of-character behavior, in this case it was the first time a link to a particular file-sharing site had been shared. Often the links themselves exhibited anomalies, either being unusually prominent or hidden altogether - masked by text or a clickable image.

    Crucially, Darktrace / EMAIL is able to identify malicious links at the time of processing the emails, without needing to visit the URLs or analyze the destination endpoints, meaning even the most convincing phishing pages cannot evade detection – meaning even the most convincing phishing emails cannot evade detection. This sets it apart from many competitors who rely on crawling the endpoints present in emails. This, among other things, risks disruption to user experience, such as unsubscribing them from emails, for instance.

    Darktrace was also able to determine that the malicious emails originated from a compromised mailbox, using a series of behavioral and contextual metrics to make the identification. Upon analysis of the emails, Darktrace autonomously assigned several contextual tags to highlight their concerning elements, indicating that the messages contained phishing links, were likely sent from a compromised account, and originated from a known correspondent exhibiting out-of-character behavior.

    A summary of the anomalous email, confirming that it contained a highly suspicious link.
    Figure 5: Tags assigned to offending emails by Darktrace / EMAIL.

    Figure 6: A summary of the anomalous email, confirming that it contained a highly suspicious link.

    Out-of-character behavior caught in real-time

    In another customer environment around the same time Darktrace / EMAIL detected multiple emails with carefully crafted, contextually appropriate subject lines sent from an established correspondent being sent to 30 different recipients. In many cases, the attacker hijacked existing threads and inserted their malicious emails into an ongoing conversation in an effort to blend in and avoid detection. As in the previous, the attacker leveraged a well-known service, this time ClickFunnels, to host a document containing another malicious link. Once again, they were assigned a Microsoft Spam Confidence Level of 1, indicating that they were not considered malicious.

    The legitimate ClickFunnels page used to host a malicious phishing link.
    Figure 7: The legitimate ClickFunnels page used to host a malicious phishing link.

    This time, however, the customer had Darktrace / EMAIL fully enabled to take Autonomous Response against suspicious emails. As a result, when Darktrace detected the out-of-character behavior, specifically, the sharing of a link to a previously unused file-sharing domain, and identified the likely malicious intent of the message, it held the email, preventing it from reaching recipients’ inboxes and effectively shutting down the attack.

    Figure 8: Darktrace / EMAIL’s detection of malicious emails inserted into an existing thread.*

    *To preserve anonymity, all real customer names, email addresses, and other identifying details have been redacted and replaced with fictitious placeholders.

    Legitimate messages in the conversation were assigned an Anomaly Score of 0, while the newly inserted malicious emails identified and were flagged with the maximum score of 100.

    Key takeaways for defenders

    Phishing remains big business, and as the landscape evolves, today’s campaigns often look very different from earlier versions. As with network-based attacks, threat actors are increasingly leveraging legitimate tools and exploiting trusted relationships to carry out their malicious goals, often staying under the radar of security teams and traditional email defenses.

    As attackers continue to exploit trusted relationships between organizations and their third-party associates, security teams must remain vigilant to unexpected or suspicious email activity. Protecting the digital estate requires an email solution capable of identifying malicious characteristics, even when they originate from otherwise trusted senders.

    Credit to Jennifer Beckett (Cyber Analyst), Patrick Anjos (Senior Cyber Analyst), Ryan Traill (Analyst Content Lead), Kiri Addison (Director of Product)

    Appendices

    IoC - Type - Description + Confidence  

    - http://pub-ac94c05b39aa4f75ad1df88d384932b8.r2[.]dev/offline[.]html#p – fake Microsoft login page

    - https://s3.us-east-1.amazonaws[.]com/s3cure0line-0365cql0.19db86c3-b2b9-44cc-b339-36da233a3be2ml0qin/s3cccql0.19db86c3-b2b9-44cc-b339-36da233a3be2%26l0qn[.]html# - link to domain used in homoglyph attack

    MITRE ATT&CK Mapping  

    Tactic – Technique – Sub-Technique  

    Initial Access - Phishing – (T1566)  

    References

    1.     https://gitnux.org/third-party-risk-statistics/

    2.     https://learn.microsoft.com/en-us/defender-office-365/anti-spam-spam-confidence-level-scl-about

    3.     https://www.virustotal.com/gui/url/5df9aae8f78445a590f674d7b64c69630c1473c294ce5337d73732c03ab7fca2/detection

    4.     https://www.virustotal.com/gui/url/695d0d173d1bd4755eb79952704e3f2f2b87d1a08e2ec660b98a4cc65f6b2577/details

    The content provided in this blog is published by Darktrace for general informational purposes only and reflects our understanding of cybersecurity topics, trends, incidents, and developments at the time of publication. While we strive to ensure accuracy and relevance, the information is provided “as is” without any representations or warranties, express or implied. Darktrace makes no guarantees regarding the completeness, accuracy, reliability, or timeliness of any information presented and expressly disclaims all warranties.

    Nothing in this blog constitutes legal, technical, or professional advice, and readers should consult qualified professionals before acting on any information contained herein. Any references to third-party organizations, technologies, threat actors, or incidents are for informational purposes only and do not imply affiliation, endorsement, or recommendation.

    Darktrace, its affiliates, employees, or agents shall not be held liable for any loss, damage, or harm arising from the use of or reliance on the information in this blog.

    The cybersecurity landscape evolves rapidly, and blog content may become outdated or superseded. We reserve the right to update, modify, or remove any content

    Continue reading
    About the author
    Jennifer Beckett
    Cyber Analyst

    Blog

    /

    OT

    /

    October 1, 2025

    Announcing Unified OT Security with Dedicated OT Workflows, Segmentation-Aware Risk Insights, and Next-Gen Endpoint Visibility for Industrial Teams

    Default blog imageDefault blog image

    The challenge of convergence without clarity

    Convergence is no longer a roadmap idea, it is the daily reality for industrial security teams. As Information Technology (IT) and Operational Technology (OT) environments merge, the line between a cyber incident and an operational disruption grows increasingly hard to define. A misconfigured firewall rule can lead to downtime. A protocol misuse might look like a glitch. And when a pump stalls but nothing appears in the Security Operations Center (SOC) dashboard, teams are left asking: is this operational or is this a threat?

    The lack of shared context slows down response, creates friction between SOC analysts and plant engineers, and leaves organizations vulnerable at exactly the points where IT and OT converge. Defenders need more than alerts, they need clarity that both sides can trust.

    The breakthrough with Darktrace / OT

    This latest Darktrace / OT release was built to deliver exactly that. It introduces shared context between Security, IT, and OT operations, helping reduce friction and close the security gaps at the intersection of these domains.

    With a dedicated dashboard built for operations teams, extended visibility into endpoints for new forms of detection and CVE collection, expanded protocol coverage, and smarter risk modeling aligned to segmentation policies, teams can now operate from a shared source of truth. These enhancements are not just incremental upgrades, they are foundational improvements designed to bring clarity, efficiency, and trust to converged environments.

    A dashboard built for OT engineers

    The new Operational Overview provides OT engineers with a workspace designed for them, not for SOC analysts. It brings asset management, risk insights and operational alerts into one place. Engineers can now see activity like firmware changes, controller reprograms or the sudden appearance of a new workstation on the network, providing a tailored view for critical insights and productivity gains without navigating IT-centric workflows. Each device view is now enriched with cross-linked intelligence, make, model, firmware version and the roles inferred by Self-Learning AI, making it easier to understand how each asset behaves, what function it serves, and where it fits within the broader industrial process. By suppressing IT-centric noise, the dashboard highlights only the anomalies that matter to operations, accelerating triage, enabling smoother IT/OT collaboration, and reducing time to root cause without jumping between tools.

    This is usability with purpose, a view that matches OT workflows and accelerates response.

    Figure 1: The Operational Overview provides an intuitive dashboard summarizing all OT Assets, Alerts, and Risk.

    Full-spectrum coverage across endpoints, sensors and protocols

    The release also extends visibility into areas that have traditionally been blind spots. Engineering workstations, Human-Machine Interfaces (HMIs), contractor laptops and field devices are often the entry points for attackers, yet the hardest to monitor.

    Darktrace introduces Network Endpoint eXtended Telemetry (NEXT) for OT, a lightweight collector built for segmented and resource-constrained environments. NEXT for OT uses Endpoint sensors to capture localized network, and now process-level telemetry, placing it in context alongside other network and asset data to:

    1. Identify vulnerabilities and OS data, which is leveraged by OT Risk Management for risk scoring and patching prioritization, removing the need for third-party CVE collection.
    1. Surface novel threats using Self-Learning AI that standalone Endpoint Detection and Response (EDR) would miss.
    1. Extend Cyber AI Analyst investigations through to the endpoint root cause.

    NEXT is part of our existing cSensor endpoint agent, can be deployed standalone or alongside existing EDR tools, and allows capabilities to be enabled or disabled depending on factors such as security or OT team objectives and resource utilization.

    Figure 2: Darktrace / OT delivers CVE patch priority insights by combining threat intelligence with extended network and endpoint telemetry

    The family of Darktrace Endpoint sensors also receive a boost in deployment flexibility, with on-prem server-based setups, as well as a Windows driver tailored for zero-trust and high-security environments.

    Protocol coverage has been extended where it matters most. Darktrace now performs protocol analysis of a wider range of GE and Mitsubishi protocols, giving operators real-time visibility into commands and state changes on Programmable Logic Controllers (PLCs), robots and controllers. Backed by Self-Learning AI, this inspection does more than parse traffic, it understands what normal looks like and flags deviations that signal risk.

    Integrated risk and governance workflows

    Security data is only valuable when it drives action. Darktrace / OT delivers risk insights that go beyond patching, helping teams take meaningful steps even when remediation isn't possible. Risk is assessed not just by CVE presence, but by how network segmentation, firewall policies, and attack path logic neutralize or contain real-world exposure. This approach empowers defenders to deprioritize low-impact vulnerabilities and focus effort where risk truly exists. Building on the foundation introduced in release 6.3, such as KEV enrichment, endpoint OS data, and exploit mapping, this release introduces new integrations that bring Darktrace / OT intelligence directly into governance workflows.

    Fortinet FortiGate firewall ingestion feeds segmentation rules into attack path modeling, revealing real exposure when policies fail and closing feeds into patching prioritization based on a policy to CVE exposure assessment.

    • ServiceNow Configuration Management Database (CMDB) sync ensures asset intelligence stays current across governance platforms, eliminating manual inventory work.

    Risk modeling has also been made more operationally relevant. Scores are now contextualized by exploitability, asset criticality, firewall policy, and segmentation posture. Patch recommendations are modeled in terms of safety, uptime and compliance rather than just Common Vulnerability Scoring System (CVSS) numbers. And importantly, risk is prioritized across the Purdue Model, giving defenders visibility into whether vulnerabilities remain isolated to IT or extend into OT-critical layers.

    Figure 3: Attack Path Modeling based on NetFlow and network topology reveals high risk points of IT/OT convergence.

    The real-world impact for defenders

    In today’s environments, attackers move fluidly between IT and OT. Without unified visibility and shared context, incidents cascade faster than teams can respond.

    With this release, Darktrace / OT changes that reality. The Operational Overview gives Engineers a dashboard they can use daily, tailored to their workflows. SOC analysts can seamlessly investigate telemetry across endpoints, sensors and protocols that were once blind spots. Operators gain transparency into PLCs and controllers. Governance teams benefit from automated integrations with platforms like Fortinet and ServiceNow. And all stakeholders work from risk models that reflect what truly matters: safety, uptime and compliance.

    This release is not about creating more alerts. It is about providing more clarity. By unifying context across IT and OT, Darktrace / OT enables defenders to see more, understand more and act faster.

    Because in environments where safety and uptime are non-negotiable, clarity is what matters most.

    Join us for our live event where we will discuss these product innovations in greater detail

    Continue reading
    About the author
    Pallavi Singh
    Product Marketing Manager, OT Security & Compliance
    Your data. Our AI.
    Elevate your network security with Darktrace AI