Blog
/
Identity
/
July 8, 2025

Defending the Cloud: Stopping Cyber Threats in Azure and AWS with Darktrace

This blog examines three real-world cloud-based attacks in Azure and AWS environments, including credential compromise, data exfiltration, and ransomware detonation. Learn how Darktrace’s AI-driven threat detection and Autonomous Response capabilities help organizations defend against evolving threats in complex cloud environments.
Written by
Alexandra Sentenac
Cyber Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Alexandra Sentenac
Cyber Analyst
fingerprintDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
08
Jul 2025

Real-world intrusions across Azure and AWS

As organizations pursue greater scalability and flexibility, cloud platforms like Microsoft Azure and Amazon Web Services (AWS) have become essential for enabling remote operations and digitalizing corporate environments. However, this shift introduces a new set of security risks, including expanding attack surfaces, misconfigurations, and compromised credentials frequently exploited by threat actors.

This blog dives into three instances of compromise within a Darktrace customer’s Azure and AWS environment.

  1. The first incident took place in early 2024 and involved an attacker compromising a legitimate user account to gain unauthorized access to a customer’s Azure environment.
  2. The other two incidents, taking place in February and March 2025, targeted AWS environments. In these cases, threat actors exfiltrated corporate data, and in one instance, was able to detonate ransomware in a customer’s environment.

Case 1 - Microsoft Azure

Simplified timeline of the attack on a customer’s Azure environment.
Figure 1: Simplified timeline of the attack on a customer’s Azure environment.

In early 2024, Darktrace identified a cloud compromise on the Azure cloud environment of a customer in the Europe, the Middle East and Africa (EMEA) region.

Initial access

In this case, a threat actor gained access to the customer’s cloud environment after stealing access tokens and creating a rogue virtual machine (VM). The malicious actor was found to have stolen access tokens belonging to a third-party external consultant’s account after downloading cracked software.

With these stolen tokens, the attacker was able to authenticate to the customer’s Azure environment and successfully modified a security rule to allow inbound SSH traffic from a specific IP range (i.e., securityRules/AllowCidrBlockSSHInbound). This was likely performed to ensure persistent access to internal cloud resources.

Detection and investigation of the threat

Darktrace / IDENTITY recognized that this activity was highly unusual, triggering the “Repeated Unusual SaaS Resource Creation” alert.

Cyber AI Analyst launched an autonomous investigation into additional suspicious cloud activities occurring around the same time from the same unusual location, correlating the individual events into a broader account hijack incident.

Figure 3: Surrounding resource creation events highlighted by Cyber AI Analyst.
Figure 4: Surrounding resource creation events highlighted by Cyber AI Analyst.

“Create resource service limit” events typically indicate the creation or modification of service limits (i.e., quotas) for a specific Azure resource type within a region. Meanwhile, “Registers the Capacity Resource Provider” events refer to the registration of the Microsoft Capacity resource provider within an Azure subscription, responsible for managing capacity-related resources, particularly those related to reservations and service limits. These events suggest that the threat actor was looking to create new cloud resources within the environment.

Around ten minutes later, Darktrace detected the threat actor creating or modifying an Azure disk associated with a virtual machine (VM), suggesting an attempt to create a rogue VM within the environment.

Threat actors can leverage such rogue VMs to hijack computing resources (e.g., by running cryptomining malware), maintain persistent access, move laterally within the cloud environment, communicate with command-and-control (C2) infrastructure, and stealthily deliver and deploy malware.

Persistence

Several weeks later, the compromised account was observed sending an invitation to collaborate to an external free mail (Google Mail) address.

Darktrace deemed this activity as highly anomalous, triggering a compliance alert for the customer to review and investigate further.

The next day, the threat actor further registered new multi-factor authentication (MFA) information. These actions were likely intended to maintain access to the compromised user account. The customer later confirmed this activity by reviewing the corresponding event logs within Darktrace.

Case 2 – Amazon Web Services

Simplified timeline of the attack on a customer’s AWS environment
Figure 5: Simplified timeline of the attack on a customer’s AWS environment

In February 2025, another cloud-based compromised was observed on a UK-based customer subscribed to Darktrace’s Managed Detection and Response (MDR) service.

How the attacker gained access

The threat actor was observed leveraging likely previously compromised credential to access several AWS instances within customer’s Private Cloud environment and collecting and exfiltrating data, likely with the intention of deploying ransomware and holding the data for ransom.

Darktrace alerting to malicious activity

This observed activity triggered a number of alerts in Darktrace, including several high-priority Enhanced Monitoring alerts, which were promptly investigated by Darktrace’s Security Operations Centre (SOC) and raised to the customer’s security team.

The earliest signs of attack observed by Darktrace involved the use of two likely compromised credentials to connect to the customer’s Virtual Private Network (VPN) environment.

Internal reconnaissance

Once inside, the threat actor performed internal reconnaissance activities and staged the Rclone tool “ProgramData\rclone-v1.69.0-windows-amd64.zip”, a command-line program to sync files and directories to and from different cloud storage providers, to an AWS instance whose hostname is associated with a public key infrastructure (PKI) service.

The threat actor was further observed accessing and downloading multiple files hosted on an AWS file server instance, notably finance and investment-related files. This likely represented data gathering prior to exfiltration.

Shortly after, the PKI-related EC2 instance started making SSH connections with the Rclone SSH client “SSH-2.0-rclone/v1.69.0” to a RockHoster Virtual Private Server (VPS) endpoint (193.242.184[.]178), suggesting the threat actor was exfiltrating the gathered data using the Rclone utility they had previously installed. The PKI instance continued to make repeated SSH connections attempts to transfer data to this external destination.

Darktrace’s Autonomous Response

In response to this activity, Darktrace’s Autonomous Response capability intervened, blocking unusual external connectivity to the C2 server via SSH, effectively stopping the exfiltration of data.

This activity was further investigated by Darktrace’s SOC analysts as part of the MDR service. The team elected to extend the autonomously applied actions to ensure the compromise remained contained until the customer could fully remediate the incident.

Continued reconissance

Around the same time, the threat actor continued to conduct network scans using the Nmap tool, operating from both a separate AWS domain controller instance and a newly joined device on the network. These actions were accompanied by further internal data gathering activities, with around 5 GB of data downloaded from an AWS file server.

The two devices involved in reconnaissance activities were investigated and actioned by Darktrace SOC analysts after additional Enhanced Monitoring alerts had triggered.

Lateral movement attempts via RDP connections

Unusual internal RDP connections to a likely AWS printer instance indicated that the threat actor was looking to strengthen their foothold within the environment and/or attempting to pivot to other devices, likely in response to being hindered by Autonomous Response actions.

This triggered multiple scanning, internal data transfer and unusual RDP alerts in Darktrace, as well as additional Autonomous Response actions to block the suspicious activity.

Suspicious outbound SSH communication to known threat infrastructure

Darktrace subsequently observed the AWS printer instance initiating SSH communication with a rare external endpoint associated with the web hosting and VPS provider Host Department (67.217.57[.]252), suggesting that the threat actor was attempting to exfiltrate data to an alternative endpoint after connections to the original destination had been blocked.

Further investigation using open-source intelligence (OSINT) revealed that this IP address had previously been observed in connection with SSH-based data exfiltration activity during an Akira ransomware intrusion [1].

Once again, connections to this IP were blocked by Darktrace’s Autonomous Response and subsequently these blocks were extended by Darktrace’s SOC team.

The above behavior generated multiple Enhanced Monitoring alerts that were investigated by Darktrace SOC analysts as part of the Managed Threat Detection service.

Enhanced Monitoring alerts investigated by SOC analysts as part of the Managed Detection and Response service.
Figure 5: Enhanced Monitoring alerts investigated by SOC analysts as part of the Managed Detection and Response service.

Final containment and collaborative response

Upon investigating the unusual scanning activity, outbound SSH connections, and internal data transfers, Darktrace analysts extended the Autonomous Response actions previously triggered on the compromised devices.

As the threat actor was leveraging these systems for data exfiltration, all outgoing traffic from the affected devices was blocked for an additional 24 hours to provide the customer’s security team with time to investigate and remediate the compromise.

Additional investigative support was provided by Darktrace analysts through the Security Operations Service, after the customer's opened of a ticket related to the unfolding incident.

Simplified timeline of the attack
Figure 8: Simplified timeline of the attack

Around the same time of the compromise in Case 2, Darktrace observed a similar incident on the cloud environment of a different customer.

Initial access

On this occasion, the threat actor appeared to have gained entry into the AWS-based Virtual Private Cloud (VPC) network via a SonicWall SMA 500v EC2 instance allowing inbound traffic on any port.

The instance received HTTPS connections from three rare Vultr VPS endpoints (i.e., 45.32.205[.]52, 207.246.74[.]166, 45.32.90[.]176).

Lateral movement and exfiltration

Around the same time, the EC2 instance started scanning the environment and attempted to pivot to other internal systems via RDP, notably a DC EC2 instance, which also started scanning the network, and another EC2 instance.  

The latter then proceeded to transfer more than 230 GB of data to the rare external GTHost VPS endpoint 23.150.248[.]189, while downloading hundreds of GBs of data over SMB from another EC2 instance.

Cyber AI Analyst incident generated following the unusual scanning and RDP connections from the initial compromised device.
Figure 7: Cyber AI Analyst incident generated following the unusual scanning and RDP connections from the initial compromised device.

The same behavior was replicated across multiple EC2 instances, whereby compromised instances uploaded data over internal RDP connections to other instances, which then started transferring data to the same GTHost VPS endpoint over port 5000, which is typically used for Universal Plug and Play (UPnP).

What Darktrace detected

Darktrace observed the threat actor uploading a total of 718 GB to the external endpoint, after which they detonated ransomware within the compromised VPC networks.

This activity generated nine Enhanced Monitoring alerts in Darktrace, focusing on the scanning and external data activity, with the earliest of those alerts triggering around one hour after the initial intrusion.

Darktrace’s Autonomous Response capability was not configured to act on these devices. Therefore, the malicious activity was not autonomously blocked and escalated to the point of ransomware detonation.

Conclusion

This blog examined three real-world compromises in customer cloud environments each illustrating different stages in the attack lifecycle.

The first case showcased a notable progression from a SaaS compromise to a full cloud intrusion, emphasizing the critical role of anomaly detection when legitimate credentials are abused.

The latter two incidents demonstrated that while early detection is vital, the ability to autonomously block malicious activity at machine speed is often the most effective way to contain threats before they escalate.

Together, these incidents underscore the need for continuous visibility, behavioral analysis, and machine-speed intervention across hybrid environments. Darktrace's AI-driven detection and Autonomous Response capabilities, combined with expert oversight from its Security Operations Center, give defenders the speed and clarity they need to contain threats and reduce operational disruption, before the situation spirals.

Credit to Alexandra Sentenac (Senior Cyber Analyst) and Dylan Evans (Security Research Lead)

References

[1] https://www.virustotal.com/gui/ip-address/67.217.57.252/community

Case 1

Darktrace / IDENTITY model alerts

IaaS / Compliance / Uncommon Azure External User Invite

SaaS / Resource / Repeated Unusual SaaS Resource Creation

IaaS / Compute / Azure Compute Resource Update

Cyber AI Analyst incidents

Possible Unsecured AzureActiveDirectory Resource

Possible Hijack of Office365 Account

Case 2

Darktrace / NETWORK model alerts

Compromise / SSH Beacon

Device / Multiple Lateral Movement Model Alerts

Device / Suspicious SMB Scanning Activity

Device / SMB Lateral Movement

Compliance / SSH to Rare External Destination

Device / Anomalous SMB Followed By Multiple Model Alerts

Device / Anonymous NTLM Logins

Anomalous Connection / SMB Enumeration

Device / New or Uncommon SMB Named Pipe Device / Network Scan

Device / Suspicious Network Scan Activity

Device / New Device with Attack Tools

Device / RDP Scan Device / Attack and Recon Tools

Compliance / High Priority Compliance Model Alert

Compliance / Outgoing NTLM Request from DC

Compromise / Large Number of Suspicious Successful Connections

Device / Large Number of Model Alerts

Anomalous Connection / Multiple Failed Connections to Rare Endpoint

Unusual Activity / Internal Data Transfer

Anomalous Connection / Unusual Internal Connections

Device / Anomalous RDP Followed By Multiple Model Alerts

Unusual Activity / Unusual External Activity

Unusual Activity / Enhanced Unusual External Data Transfer

Unusual Activity / Unusual External Data Transfer

Unusual Activity / Unusual External Data to New Endpoint

Anomalous Connection / Multiple Connections to New External TCP Port

Darktrace / Autonomous Response model alerts

Antigena / Network / Significant Anomaly / Antigena Enhanced Monitoring from Server Block

Antigena / Network / Manual / Quarantine Device

Antigena / MDR / MDR-Quarantined Device

Antigena / MDR / Model Alert on MDR-Actioned Device

Antigena / Network / Significant Anomaly / Antigena Enhanced Monitoring from Client Block

Antigena / Network / Significant Anomaly / Antigena Alerts Over Time Block

Antigena / Network / Insider Threat / Antigena Network Scan Block

Antigena / Network / Significant Anomaly / Antigena Significant Server Anomaly Block

Antigena / Network / Insider Threat / Antigena SMB Enumeration Block

Antigena / Network / Significant Anomaly / Antigena Controlled and Model Alert

Antigena / Network / Significant Anomaly / Antigena Significant Anomaly from Client Block

Antigena / Network / External Threat / Antigena Suspicious Activity Block

Antigena / Network / Insider Threat / Antigena Internal Data Transfer Block

Cyber AI Analyst incidents

Possible Application Layer Reconnaissance Activity

Scanning of Multiple Devices

Unusual Repeated Connections

Unusual External Data Transfer

Case 3

Darktrace / NETWORK model alerts

Unusual Activity / Unusual Large Internal Transfer

Compliance / Incoming Remote Desktop

Unusual Activity / High Volume Server Data Transfer

Unusual Activity / Internal Data Transfer

Anomalous Connection / Unusual Internal Remote Desktop

Anomalous Connection / Unusual Incoming Data Volume

Anomalous Server Activity / Domain Controller Initiated to Client

Device / Large Number of Model Alerts

Anomalous Connection / Possible Flow Device Brute Force

Device / RDP Scan

Device / Suspicious Network Scan Activity

Device / Network Scan

Anomalous Server Activity / Anomalous External Activity from Critical Network Device

Anomalous Connection / Download and Upload

Unusual Activity / Unusual External Data Transfer

Unusual Activity / High Volume Client Data Transfer

Unusual Activity / Unusual External Activity

Anomalous Connection / Uncommon 1 GiB Outbound

Device / Increased External Connectivity

Compromise / Large Number of Suspicious Successful Connections

Anomalous Connection / Data Sent to Rare Domain

Anomalous Connection / Low and Slow Exfiltration to IP

Unusual Activity / Enhanced Unusual External Data Transfer

Anomalous Connection / Multiple Connections to New External TCP Port

Anomalous Server Activity / Outgoing from Server

Anomalous Connection / Multiple Connections to New External UDP Port

Anomalous Connection / Possible Data Staging and External Upload

Unusual Activity / Unusual External Data to New Endpoint

Device / Large Number of Model Alerts from Critical Network Device

Compliance / External Windows Communications

Anomalous Connection / Unusual Internal Connections

Cyber AI Analyst incidents

Scanning of Multiple Devices

Extensive Unusual RDP Connections

MITRE ATT&CK mapping

(Technique name – Tactic ID)

Case 1

Defense Evasion - Modify Cloud Compute Infrastructure: Create Cloud Instance

Persistence – Account Manipulation

Case 2

Initial Access - External Remote Services

Execution - Inter-Process Communication

Persistence - External Remote Services

Discovery - System Network Connections Discovery

Discovery - Network Service Discovery

Discovery - Network Share Discovery

Lateral Movement - Remote Desktop Protocol

Lateral Movement - Remote Services: SMB/Windows Admin Shares

Collection - Data from Network Shared Drive

Command and Control - Protocol Tunneling

Exfiltration - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Case 3

Initial Access - Exploit Public-Facing Application

Discovery - Remote System Discovery

Discovery - Network Service Discovery

Lateral Movement - Remote Services

Lateral Movement - Remote Desktop Protocol  

Collection - Data from Network Shared Drive

Collection - Data Staged: Remote Data Staging

Exfiltration - Exfiltration Over C2 Channel

Command and Control - Non-Standard Port

Command and Control – Web Service

Impact - Data Encrypted for Impact

List of IoCs

IoC         Type      Description + Probability

193.242.184[.]178 - IP Address - Possible Exfiltration Server  

45.32.205[.]52  - IP Address  - Possible C2 Infrastructure

45.32.90[.]176 - IP Address - Possible C2 Infrastructure

207.246.74[.]166 - IP Address - Likely C2 Infrastructure

67.217.57[.]252 - IP Address - Likely C2 Infrastructure

23.150.248[.]189 - IP Address - Possible Exfiltration Server

Written by
Alexandra Sentenac
Cyber Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Alexandra Sentenac
Cyber Analyst

From Amazon to Louis Vuitton: How Darktrace Detects Black Friday Phishing Attacks

Email
November 27, 2025
Ryan Traill
Analyst Content Lead
Watch the NIS2 Webinar
Trending blogs
1
Pre-CVE Threat Detection: 10 Examples Identifying Malicious Activity Prior to Public Disclosure of a Vulnerability
Jul 2, 2025
2
Darktrace Recognized as a Leader in the 2025 Gartner® Magic Quadrant™ for Network Detection and Response
Jun 2, 2025
3
Evaluating Email Security: How to Select the Best Solution for Your Organization
May 21, 2025
4
2025 Cyber Threat Landscape: Darktrace’s Mid-Year Review
Aug 5, 2025
5
Introducing the AI Maturity Model for Cybersecurity
Jul 16, 2025

More in this series

No items found.
Continue reading
Identity
August 21, 2025

From VPS to Phishing: How Darktrace Uncovered SaaS Hijacks through Virtual Infrastructure Abuse

Darktrace identified coordinated SaaS account compromises across multiple customer environments. The incidents involved suspicious logins from VPS-linked infrastructure followed by unauthorized inbox rule creation and deletion of phishing-related emails. These consistent behaviors across devices point to a targeted phishing campaign leveraging virtual infrastructure for access and concealment. Discover how Darktrace uncovered this activity and what it means for the future of SaaS security.
Rajendra Rushanth
Cyber Analyst
Read more
Identity
July 3, 2025

Top Eight Threats to SaaS Security and How to Combat Them

SaaS security requires new methods to keep up with evolving threats and business infrastructure. In this blog, learn the top eight threats to identity security and how AI-based solutions can help.
Carlos Gray
Senior Product Marketing Manager, Email
Read more
Identity
May 23, 2025

From Rockstar2FA to FlowerStorm: Investigating a Blooming Phishing-as-a-Service Platform

FlowerStorm is a phishing-as-a-service platform that leverages Adversary-in-the-Middle attacks to steal Microsoft 365 credentials and bypass MFA. Darktrace detected a SaaS compromise linked to FlowerStorm, identifying suspicious logins, password resets, and privilege escalation attempts, enabling early containment through AI-driven threat detection and response.
Justin Torres
Cyber Analyst
Read more

Blog

/

Email

/

December 2, 2025

From Amazon to Louis Vuitton: How Darktrace Detects Black Friday Phishing Attacks

Default blog imageDefault blog image

Why Black Friday Drives a Surge in Phishing Attacks

In recent years, Black Friday has shifted from a single day of online retail sales and discounts to an extended ‘Black Friday Week’, often preceded by weeks of online hype. During this period, consumers are inundated with promotional emails and marketing campaigns as legitimate retailers compete for attention.

Unsurprisingly, this surge in legitimate communications creates an ideal environment for threat actors to launch targeted phishing campaigns designed to mimic legitimate retail emails. These campaigns often employ social engineering techniques that exploit urgency, exclusivity, and consumer trust in well-known brands, tactics designed to entice recipients into opening emails and clicking on malicious links.

Additionally, given the seasonal nature of Black Friday and the ever-changing habits of consumers, attackers adopt new tactics and register fresh domains each year, rather than reusing domains previously flagged as spam or phishing endpoints. While this may pose a challenge for traditional email security tools, it presents no such difficulty for Darktrace / EMAIL and its anomaly-based approach.

In the days and weeks leading up to ‘Black Friday’, Darktrace observed a spike in sophisticated phishing campaigns targeting consumers, demonstrating how attackers combine phycological manipulation with technical evasion to bypass basic security checks during this high-traffic period. This blog showcases several notable examples of highly convincing phishing emails detected and contained by Darktrace / EMAIL in mid to late November 2025.

Darktrace’s Black Friday Detections

Brand Impersonation: Deal Watchdogs’ Amazon Deals

The impersonation major online retailers has become a common tactic in retail-focused attacks, none more so than Amazon, which ranked as the fourth most impersonated brand in 2024, only behind Microsoft, Apple, Google, and Facebook [1]. Darktrace’s own research found Amazon to be the most mimicked brand, making up 80% of phishing attacks in its analysis of global consumer brands.

When faced with an email that appears to come from a trusted sender like Amazon, recipients are far more likely to engage, increasing the success rate of these phishing campaigns.

In one case observed on November 16, Darktrace detected an email with the subject line “NOW LIVE: Amazon’s Best Early Black Friday Deals on Gadgets Under $60”. The email was sent to a customer by the sender ‘Deal Watchdogs’, in what appeared to be an attempt to masquerade as a legitimate discount-finding platform. No evidence indicated that the company was legitimate. In fact, the threat actor made no attempt to create a convincing name, and the domain appeared to be generated by a domain generation algorithm (DGA), as shown in Figure 2.

Although the email was sent by ‘Deal Watchdogs’, it attempted to impersonate Amazon by featuring realistic branding, including the Amazon logo and a shade of orange similar to that used by them for the ‘CLICK HERE’ button and headline text.

Figure 1: The contents of the email observed by Darktrace, featuring authentic-looking Amazon branding.

Darktrace identified that the email, marked as urgent by the sender, contained a suspicious link to a Google storage endpoint (storage.googleapis[.]com), which had been hidden by the text “CLICK HERE”. If clicked, the link could have led to a credential harvester or served as a delivery vector for a malicious payload hosted on the Google storage platform.

Fortunately, Darktrace immediately identified the suspicious nature of this email and held it before delivery, preventing recipients from ever receiving or interacting with the malicious content.

Figure 2: Darktrace / EMAIL’s detection of the malicious phishing email sent to a customer.

Around the same time, Darktrace detected a similar email attempting to spoof Amazon on another customer’s network with the subject line “Our 10 Favorite Deals on Amazon That Started Today”, also sent by ‘Deal Watchdogs,’ suggesting a broader campaign.

Analysis revealed that this email originated from the domain petplatz[.]com, a fake marketing domain previously linked to spam activity according to open-source intelligence (OSINT) [2].

Brand Impersonation: Louis Vuitton

A few days later, on November 20, Darktrace / EMAIL detected a phishing email attempting to impersonate the luxury fashion brand Louis Vuitton. At first glance, the email, sent under the name ‘Louis Vuitton’ and titled “[Black Friday 2025] Discover Your New Favorite Louis Vuitton Bag – Elegance Starts Here”, appeared to be a legitimate Black Friday promotion. However, Darktrace’s analysis uncovered several red flags indicating a elaborate brand impersonation attempt.

The email was not sent by Louis Vuitton but by rskkqxyu@bookaaatop[.]ru, a Russia-based domain never before observed on the customer’s network. Darktrace flagged this as suspicious, noting that .ru domains were highly unusual for this recipient’s environment, further reinforcing the likelihood of malicious intent. Subsequent analysis revealed that the domain had only recently registered and was flagged as malicious by multiple OSINT sources [3].

Figure 3: Darktrace / EMAIL’s detection of the malicious email attempting to spoofLouis Vuitton, originating from a suspicious Russia-based domain.

Darktrace further noted that the email contained a highly suspicious link hidden behind the text “View Collection” and “Unsubscribe,” ensuring that any interaction, whether visiting the supposed ‘handbag store’ or attempting to opt out of marketing emails, would direct recipients to the same endpoint. The link resolved to xn--80aaae9btead2a[.]xn--p1ai (топааабоок[.]рф), a domain confirmed as malicious by multiple OSINT sources [4]. At the time of analysis, the domain was inaccessible, likely due to takedown efforts or the short-lived nature of the campaign.

Darktrace / EMAIL blocked this email before it reached customer inboxes, preventing recipients from interacting with the malicious content and averting any disruption.

Figure 4: The suspicious domain linked in the Louis Vuitton phishing email, now defunct.

Too good to be true?

Aside from spoofing well-known brands, threat actors frequently lure consumers with “too good to be true” luxury offers, a trend Darktrace observed in multiple cases throughout November.

In one instance, Darktrace identified an email with the subject line “[Black Friday 2025] Luxury Watches Starting at $250.” Emails contained a malicious phishing link, hidden behind text like “Rolex Starting from $250”, “Shop Now”, and “Unsubscribe”.

Figure 5: Example of a phishing email detected by Darktrace, containing malicious links concealed behind seemingly innocuous text.

Similarly to the Louis Vuitton email campaign described above, this malicious link led to a .ru domain (hxxps://x.wwwtopsalebooks[.]ru/.../d65fg4er[.]html), which had been flagged as malicious by multiple sources [5].

Figure 6: Darktrace / EMAIL’s detection of a malicious email promoting a fake luxury watch store, which was successfully held from recipient inboxes.

If accessed, this domain would redirect users to luxy-rox[.]com, a recently created domain (15 days old at the time of writing) that has also been flagged as malicious by OSINT sources [6]. When visited, the redirect domain displayed a convincing storefront advertising high-end watches at heavily discounted prices.

Figure 7: The fake storefront presented upon visiting the redirectdomain, luxy-rox[.]com.

Although the true intent of this domain could not be confirmed, it was likely a scam site or a credential-harvesting operation, as users were required to create an account to complete a purchase. As of the time or writing, the domain in no longer accessible .

This email illustrates a layered evasion tactic: attackers employed multiple domains, rapid domain registration, and concealed redirects to bypass detection. By leveraging luxury branding and urgency-driven discounts, the campaign sought to exploit seasonal shopping behaviors and entice victims into clicking.

Staying Protected During Seasonal Retail Scams

The investigation into these Black Friday-themed phishing emails highlights a clear trend: attackers are exploiting seasonal shopping events with highly convincing campaigns. Common tactics observed include brand impersonation (Amazon, Louis Vuitton, luxury watch brands), urgency-driven subject lines, and hidden malicious links often hosted on newly registered domains or cloud services.

These campaigns frequently use redirect chains, short-lived infrastructure, and psychological hooks like exclusivity and luxury appeal to bypass user scepticism and security filters. Organizations should remain vigilant during retail-heavy periods, reinforcing user awareness training, link inspection practices, and anomaly-based detection to mitigate these evolving threats.

Credit to Ryan Traill (Analyst Content Lead) and Owen Finn (Cyber Analyst)

Appendices

References

1.        https://keepnetlabs.com/blog/top-5-most-spoofed-brands-in-2024

2.        https://www.virustotal.com/gui/domain/petplatz.com

3.        https://www.virustotal.com/gui/domain/bookaaatop.ru

4.        https://www.virustotal.com/gui/domain/xn--80aaae9btead2a.xn--p1ai

5.        https://www.virustotal.com/gui/url/e2b868a74531cd779d8f4a0e1e610ec7f4efae7c29d8b8ab32c7a6740d770897?nocache=1

6.        https://www.virustotal.com/gui/domain/luxy-rox.com

Indicators of Compromise (IoCs)

IoC – Type – Description + Confidence

petplatz[.]com – Hostname – Spam domain

bookaaatop[.]ru – Hostname – Malicious Domain

xn--80aaae9btead2a[.]xn--p1ai (топааабоок[.]рф) – Hostname - Malicious Domain

hxxps://x.wwwtopsalebooks[.]ru/.../d65fg4er[.]html) – URL – Malicious Domain

luxy-rox[.]com – Hostname -  Malicious Domain

MITRE ATT&CK Mapping  

Tactic – Technique – Sub-Technique  

Initial Access - Phishing – (T1566)  

Continue reading
About the author
Ryan Traill
Analyst Content Lead

Blog

/

Email

/

November 28, 2025

Phishing attacks surge by 620% in the lead-up to Black Friday

Default blog imageDefault blog image

Black Friday deals are rolling in, and so are the phishing scams

As the world gears up for Black Friday and the festive shopping season, inboxes flood with deals and delivery notifications, creating a perfect storm for phishing attackers to strike.

Contributing to the confusion, legitimate brands often rely on similar urgency cues, limited-time offers, and high-volume email campaigns used by scammers, blurring the lines between real deals and malicious lookalikes. While security teams remain extra vigilant during this period, the risk of phishing emails slipping in unnoticed remains high, as does the risk of individuals clicking to take advantage of holiday shopping offers.

Analysis conducted by Darktrace’s global analyst team revealed that phishing attacks taking advantage of Black Friday jumped by 620% in the weeks leading up to the holiday weekend, with the volume of phishing attacks expected to jump a further 20-30% during Black Friday week itself.

First observation: Brand impersonation

Brand impersonation was one of the techniques that stood out, with threat actors creating convincing emails – likely assisted by generative AI – purporting to be from household brands including special offers and promotions.

The week before Thanksgiving (15-21 November) saw 201% more phishing attempts mimicking US retailers than the same week in October, as attackers sought to profit off the back of the busy holiday shopping season. It’s not just about volume, either – attackers are spoofing brands people love to shop with during the holidays. Fake emails that look like they’re from well-known retailers like Macy’s, Walmart, and Target were up by 54% just across last week1. Even so, Amazon is the most impersonated brand, making up 80% of phishing attempts in Darktrace’s analysis of global consumer brands like Apple, Alibaba and Netflix.  

While major brands invest heavily in protecting their organizations and customers from cyber-attacks, impersonation is a complicated area as it falls outside of a brand’s legitimate infrastructure and security remit. Retail brands have a huge attack surface, creating plenty of vectors for impersonation, while fake domains, social profiles, and promotional messages can be created quickly and at scale.

Second observation: Fake marketing domains

One prominent Black Friday phishing campaign observed landing in many inboxes uses fake domains purporting to be from marketing sites, like “Pal.PetPlatz.com” and “Epicbrandmarketing.com”.

These emails tend to operate in one of two ways. Some contain “deals” for luxury items such as Rolex watches or Louis Vuitton handbags, designed to tempt readers into clicking. However, the majority are tied to a made-up brand called Deal Watchdogs, which promotes “can’t-miss” Amazon Black Friday offers – designed to lure readers into acting fast to secure legitimate time-sensitive deals. Any user who clicks a link is taken to a fake Amazon website where they are tricked into inputting sensitive data and payment details.

Third observation: The impact of generative AI

The biggest shift seen in phishing in recent years is how much more convincing scam emails are thanks to generative AI. 27% of phishing emails observed by Darktrace in 2024 contained over 1,000 characters2, suggesting LLM use in their creation. Tools like ChatGPT and Gemini lower the barrier to entry for cyber-criminals, allowing them to create phishing campaigns that humans find it difficult to spot.  

Let’s take a look at a dummy email created by a member of our team without a technical background to illustrate how easy it is to spin up an email that looks and feels like a genuine Black Friday offer. With two prompts, generative AI created a convincing “sale” email that could easily pass as the real thing without requiring any technical skill.

A fake Black Friday deal email created using generative AI, with only two prompts. The image has been pixelated for marketing purposes.

Anyone can now create convincing brand spoofs, and they can do it at scale. That makes it even more important for email users to pause, check the sender, and think before they click.

Why phishing scams hurt consumers and brands

These spoofs don’t just drain shoppers’ bank accounts and grab their personal data. They erode trust, drive people away from real sites, and ultimately hurt brands’ sales. And the fakes keep getting sharper, more convincing, and harder to spot.

Though brands should implement email controls like DMARC to help reduce spoofing, they can’t stop attackers from registering new look-alike domains or using other channels. At the end of the day, human users remain vulnerable to well-crafted scams, particularly when the element of trust from a well-known brand is involved. And while brands can’t prevent all impersonation scams, the fallout can still erode consumer trust and damage their reputation.

In order to limit the impact of these scams, two things need to work together: better education so consumers know when to slow down and look twice, and email security (plus a DMARC solution and an attack surface management tool) that can adapt faster than the attackers – protecting both shoppers and the brands they love.

Tips to stay safe while Black Friday shopping online

On top of retailers implementing robust email security, there are some simple steps shoppers can take to stay safer while shopping this holiday season.

  • Check every website (twice). Scammers make tiny changes you can barely see. They’ll switch Walmart.com for Waimart.com and most people won’t notice. If something looks even slightly off, check the URL carefully and, if you’re unsure, search for reviews of that exact address.
  • Santa keeps the real gifts in the workshop. Don’t just click through from sales emails. Use them as a prompt to log in directly to the official app or site, where any genuine notifications will appear.
  • Look at the payment options. Real retailers usually offer a handful of recognizable ways to pay; if a site pushes only odd methods or upfront transfers, don’t use it.
  • Be skeptical of Christmas miracles. If a deal on a big-ticket item looks too good to be true, it usually is.
  • Leave the rushing to the elves. Countdown timers and “last chance” banners are designed to make you click before you think. Take a breath, double-check the sender and the site, and then decide whether to buy.

Email security you can trust this holiday season

The heightened holiday shopping season shines a spotlight on an uncomfortable reality: now that phishing emails are harder than ever to distinguish from legitimate brand communication, traditional spam filters and Secure Email Gateways struggle to keep up. In order to protect against communication-based attacks, organizations require email security that can evaluate the full context of an email – not just surface-level indicators – and stop malicious messages before they reach inboxes.

Darktrace / EMAIL uses Self-Learning AI to understand the behavior and patterns of every user, so it can detect the subtle inconsistencies that reveal a message isn’t genuine, from shifts in tone and writing style to unexpected links, unfamiliar senders, or off-brand visual cues. By identifying these anomalies automatically – and either holding them entirely, or neutralizing malicious elements – it removes the burden from employees to catch near-imperceptible errors and reinforces protection for the entire organization, from staff to customers to brand reputation.

Join our live broadcast on 9 December, where Darktrace will reveal new, industry-first innovations in email security keeping organizations safe this Christmas – from DMARC to DLP. Sign up to the live launch event now.

For a deeper dive into some specific Black Friday phishing campaigns surfaced by the Darktrace threat analysis team, read the follow-up blog here.

A note on methodology

Insights derive from anonymous live data across 6,500 customers protected by Darktrace / EMAIL. Darktrace created models tracking verified phishing emails that:

  • Explicitly mentioned Black Friday
  • Impersonated US retailers popular during the holiday season (Walmart, Target, Best Buy, Macy's, Old Navy, 1800-Flowers)
  • Impersonated major global brands (Apple, eBay, Netflix, Alibaba and PayPal)

Tracking ran from October 1 to November 21.

References

[1] Based on live tracking of phishing emails spoofing Walmart, Target, Best Buy, Macy's, Old Navy, 1800-Flowers across email inboxes protected by Darktrace.  November 15 – November 21, 2025

[2] Based on analysis of 30.4 million phishing emails between December 21, 2023, and December 18, 2024. Darktrace Annual Threat Report 2024.

[related-resource]

Continue reading
About the author
Carlos Gray
Senior Product Marketing Manager, Email
Your data. Our AI.
Elevate your network security with Darktrace AI