Blog
/
Email
/
February 24, 2025

Detecting and Containing Account Takeover with Darktrace

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
24
Feb 2025
Account takeovers are rising with SaaS adoption. Learn how Darktrace detects deviations in user behavior and autonomously stops threats before they escalate.

Thanks to its accessibility from anywhere with an internet connection and a web browser, Software-as-a-Service (SaaS) platforms have become nearly universal across organizations worldwide. However, with this growing popularity comes greater responsibility. Increased attention attracts a larger audience, including those who may seek to exploit these widely used services. One crucial factor to be vigilant about in the SaaS landscape is safeguarding internal credentials. Minimal protection on accounts can lead to SaaS hijacking, which could allow further escalations within the network.

How does SaaS account takeover work?

SaaS hijacking occurs when a malicious actor takes control of a user’s active session with a SaaS application. Attackers can achieve this through various methods, including employees using company credentials on compromised or spoofed external websites, brute-force attacks, social engineering, and exploiting outdated software or applications.

After the hijack, attackers may escalate their actions by changing email rules and using internal addresses for additional social engineering attacks. The larger goal of these actions is often to steal internal data, damage reputations, and disrupt operations.

Account takeover protection

It has become essential to have security tools capable of outsmarting potential malicious actors. Traditional tools that rely on rules and signatures may not be able to identify new events, such as logins or activities from a rare endpoint, unless they come from a known malicious source.

Darktrace relies on analysis of user and network behavior, tailored to each customer, allowing it to identify anomalous events that the user typically does not engage in. In this way, unusual SaaS activities can be detected, and unwanted actions can be halted to allow time for remediation before further escalations.

The following cases, drawn from the global customer base, illustrate how Darktrace detects potential SaaS hijack attempts and further escalations, and applies appropriate actions when necessary.

Case 1: Unusual login after a phishing email

A customer in the US received a suspicious email that seemed to be from the legitimate file storage service, Dropbox. However, Darktrace identified that the reply-to email address, hremployeepyaroll@mail[.]com, was masquerading as one associated with the customer’s Human Resources (HR) department.

Further inspection of this sender address revealed that the attacker had intentionally misspelled ‘payroll’ to trick recipients into believing it was legitimate

Furthermore, the subject of the email indicated that the attackers were attempting a social engineering attack by sharing a file related to pay raises and benefits to capture the recipients' attention and increase the likelihood of their targets engaging with the email and its attachment.

Figure 1: Subject of the phishing email.
Figure 1: Subject of the phishing email.

Unknowingly, the recipient, who believed the email to be a legitimate HR communication, acted on it, allowing malicious attackers to gain access to the account. Following this, the recipient’s account was observed logging in from a rare location using multi-factor authentication (MFA) while also being active from another more commonly observed location, indicating that the SaaS account had been compromised.

Darktrace’s Autonomous Response action triggered by an anomalous email received by an internal user, followed by a failed login attempt from a rare external source.
Figure 2: Darktrace’s Autonomous Response action triggered by an anomalous email received by an internal user, followed by a failed login attempt from a rare external source.

Darktrace subsequently observed the SaaS actor creating new inbox rules on the account. These rules were intended to mark as read and move any emails mentioning the file storage company, whether in the subject or body, to the ‘Conversation History’ folder. This was likely an attempt by the threat actor to hide any outgoing phishing emails or related correspondence from the legitimate account user, as the ‘Conversation History’ folder typically goes unread by most users.

Typically, Darktrace / EMAIL would have instantly placed the phishing email in the junk folder before they reached user’s inbox, while also locking the links identified in the suspicious email, preventing them from being accessed. Due to specific configurations within the customer’s deployment, this did not happen, and the email remained accessible to the user.

Case 2: Login using unusual credentials followed by password change

In the latter half of 2024, Darktrace detected an unusual use of credentials when a SaaS actor attempted to sign into a customer’s Microsoft 365 application from an unfamiliar IP address in the US. Darktrace recognized that since the customer was located within the Europe, Middle East, and Africa (EMEA) region, a login from the US was unexpected and suspicious. Around the same time, the legitimate account owner logged into the customer’s SaaS environment from another location – this time from a South African IP, which was commonly seen within the environment and used by other internal SaaS accounts.

Darktrace understood that this activity was highly suspicious and unlikely to be legitimate, given one of the IPs was known and expected, while the other had never been seen before in the environment, and the simultaneous logins from two distant locations were geographically impossible.

Model alert in Darktrace / IDENTITY: Detecting a login from a different source while the user is already active from another source.
Figure 3: Model alert in Darktrace / IDENTITY: Detecting a login from a different source while the user is already active from another source.

Darktrace detected several unusual login attempts, including a successful login from an uncommon US source. Subsequently, Darktrace / NETWORK identified the device associated with this user making external connections to rare endpoints, some of which were only two weeks old. As this customer had integrated Darktrace with Microsoft Defender, the Darktrace detection was enriched by Defender, adding the additional context that the user had likely been compromised in an Adversary-in-the-Middle (AiTM) phishing attack. AiTM phishing attacks occur when a malicious attacker intercepts communications between a user and a legitimate authentication service, potentially leading to account hijacking. These attacks are harder to identify as they can bypass security measures like MFA.

Following this, Darktrace observed the attacker using the now compromised credentials to access password management and change the account's password. Such behavior is common in account takeover incidents, as attackers seek to maintain persistence within the SaaS environment.

While Darktrace’s Autonomous Response was not fully configured on the customer’s SaaS environment, they were subscribed to the Managed Threat Detection service offered by Darktrace’s Security Operations Center (SOC). This 24/7 service ensures that Darktrace’s analysts monitor and investigate emerging suspicious activity, informing customers in real-time. As such, the customer received notification of the compromise and were able to quickly take action to prevent further escalation.

Case 3: Unusual logins, new email rules and outbound spam

Recently, Darktrace has observed a trend in SaaS compromises involving unusual logins, followed by the creation of new email rules, and then outbound spam or phishing campaigns being launched from these accounts.

In October, Darktrace identified a SaaS user receiving an email with the subject line "Re: COMPANY NAME Request for Documents" from an unknown sender using a freemail  account. As freemail addresses require very little personal information to create, threat actors can easily create multiple accounts for malicious purposes while retaining their anonymity.

Within the identified email, Darktrace found file storage links that were likely intended to divert recipients to fraudulent or malicious websites upon interaction. A few minutes after the email was received, the recipient was seen logging in from three different sources located in the US, UK, and the Philippines, all around a similar time. As the customer was based in the Philippines, a login from there was expected and not unusual. However, Darktrace understood that the logins from the UK and US were highly unusual, and no other SaaS accounts had connected from these locations within the same week.

After successfully logging in from the UK, the actor was observed updating a mailbox rule, renaming it to ‘.’ and changing its parameters to move any inbound emails to the deleted items folder and mark them as read.

Figure 4: The updated email rule intended to move any inbound emails to the deleted items folder.

Malicious actors often use ambiguous names like punctuation marks, repetitive letters, and unreadable words to name resources, disguising their rules to avoid detection by legitimate users or administrators. Similarly, attackers have been known to adjust existing rule parameters rather than creating new rules to keep their footprints untracked. In this case, the rule was updated to override an existing email rule and delete all incoming emails. This ensured that any inbound emails, including responses to potential phishing emails sent by the account, would be deleted, allowing the attacker to remain undetected.

Over the next two days, additional login attempts, both successful and failed, were observed from locations in the UK and the Philippines. Darktrace noted multiple logins from the Philippines where the legitimate user was attempting to access their account using a password that had recently expired or been changed, indicating that the attacker had altered the user’s original password as well.

Following this chain of events, over 500 emails titled “Reminder For Document Signed Agreement.10/28/2024” were sent from the SaaS actor’s account to external recipients, all belonging to a different organization within the Philippines.

These emails contained rare attachments with a ‘.htm’ extension, which included programming language that could initiate harmful processes on devices. While inherently not malicious, if used inappropriately, these files could perform unwanted actions such as code execution, malware downloads, redirects to malicious webpages, or phishing upon opening.

Outbound spam seen from the hijacked SaaS account containing a ‘.htm’ attachment.
Figure 5: Outbound spam seen from the hijacked SaaS account containing a ‘.htm’ attachment.

As this customer did not have Autonomous Response enabled for Darktrace / IDENTITY, the unusual activity went unattended, and the compromise was able to escalate to the point of a spam email campaign being launched from the account.

In a similar example on a customer network in EMEA, Darktrace detected unusual logins and the creation of new email rules from a foreign location through a SaaS account. However, in this instance, Autonomous Response was enabled and automatically disabled the compromised account, preventing further malicious activity and giving the customer valuable time to implement their own remediation measures.

Conclusion

Whether it is an unexpected login or an unusual sequence of events – such as a login followed by a phishing email being sent – unauthorized or unexpected activities can pose a significant risk to an organization’s SaaS environment. The threat becomes even greater when these activities escalate to account hijacking, with the compromised account potentially providing attackers access to sensitive corporate data. Organizations, therefore, must have robust SaaS security measures in place to prevent data theft, ensure compliance and maintain continuity and trust.

The Darktrace suite of products is well placed to detect and contain SaaS hijack attempts at multiple stages of an attack. Darktrace / EMAIL identifies initial phishing emails that attackers use to gain access to customer SaaS environments, while Darktrace / IDENTITY detects anomalous SaaS behavior on user accounts which could indicate they have been taken over by a malicious actor.

By identifying these threats in a timely manner and taking proactive mitigative measures, such as logging or disabling compromised accounts, Darktrace prevents escalation and ensures customers have sufficient time to response effectively.

Credit to Min Kim (Cyber Analyst) and Ryan Traill (Analyst Content Lead)

Appendices

Darktrace Model Detections Case 1

SaaS / Compromise / SaaS Anomaly Following Anomalous Login

SaaS / Compromise / Unusual Login and New Email Rule

SaaS / Compliance / Anomalous New Email Rule

SaaS / Unusual Activity / Multiple Unusual SaaS Activities

SaaS / Access / Unusual External Source for SaaS Credential Us

SaaS / Compromise / Login From Rare Endpoint While User is Active

SaaS / Email Nexus / Unusual Login Location Following Link to File Storage

Antigena / SaaS / Antigena Email Rule Block (Autonomous Response)

Antigena / SaaS / Antigena Suspicious SaaS Activity Block (Autonomous Response)

Antigena / SaaS / Antigena Enhanced Monitoring from SaaS User Block (Autonomous Response)

List of Indicators of Compromise (IoCs)

176.105.224[.]132 – IP address – Unusual SaaS Activity Source

hremployeepyaroll@mail[.]com – Email address – Reply-to email address

MITRE ATT&CK Mapping

Cloud Accounts – DEFENSE EVASION, PERSISTENCE, PRIVILEGE ESCALATION, INITIAL ACCESS – T1078

Outlook Rules – PERSISTENCE – T1137

Cloud Service Dashboard – DISCOVERY – T1538

Compromise Accounts – RESOURCE DEVELOPMENT – T1586

Steal Web Session Cookie – CREDENTIAL ACCESS – T1539

Darktrace Model Detections Case 2

SaaS / Compromise / SaaS Anomaly Following Anomalous Login

SaaS / Compromise / Unusual Login and Account Update

Security Integration / High Severity Integration Detection

SaaS / Access / Unusual External Source for SaaS Credential Use

SaaS / Compromise / Login From Rare Endpoint While User Is Active

SaaS / Compromise / Login from Rare High Risk Endpoint

SaaS / Access / M365 High Risk Level Login

Antigena / SaaS / Antigena Suspicious SaaS Activity Block (Autonomous Response)

Antigena / SaaS / Antigena Enhanced Monitoring from SaaS user Block (Autonomous Response)

List of IoCs

74.207.252[.]129 – IP Address – Suspicious SaaS Activity Source

MITRE ATT&CK Mapping

Cloud Accounts – DEFENSE EVASION, PERSISTENCE, PRIVILEGE ESCALATION, INITIAL ACCESS – T1078

Cloud Service Dashboard – DISCOVERY – T1538

Compromise Accounts – RESOURCE DEVELOPMENT – T1586

Steal Web Session Cookie – CREDENTIAL ACCESS – T1539

Darktrace Model Detections Case 3

SaaS / Compromise / Unusual Login and Outbound Email Spam

SaaS / Compromise / New Email Rule and Unusual Email Activity

SaaS / Compromise / Unusual Login and New Email Rule

SaaS / Email Nexus / Unusual Login Location Following Sender Spoof

SaaS / Email Nexus / Unusual Login Location Following Link to File Storage

SaaS / Email Nexus / Possible Outbound Email Spam

SaaS / Unusual Activity / Multiple Unusual SaaS Activities

SaaS / Email Nexus / Suspicious Internal Exchange Activity

SaaS / Compliance / Anomalous New Email Rule

List of IoCs

95.142.116[.]1 – IP Address – Suspicious SaaS Activity Source

154.12.242[.]58 – IP Address – Unusual Source

MITRE ATT&CK Mapping

Cloud Accounts – DEFENSE EVASION, PERSISTENCE, PRIVILEGE ESCALATION, INITIAL ACCESS – T1078

Compromise Accounts – RESOURCE DEVELOPMENT – T1586

Email Accounts – RESOURCE DEVELOPMENT – T1585

Phishing – INITIAL ACCESS – T1566

Outlook Rules – PERSISTENCE – T1137

Internal Spear phishing – LATERAL MOVEMENT - T1534

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Author
Min Kim
Cyber Security Analyst
Book a 1-1 meeting with one of our experts
Share this article

More in this series

No items found.

Blog

/

Network

/

March 21, 2025

Cyberhaven Supply Chain Attack: Exploiting Browser Extensions

Default blog imageDefault blog image

The evolution of supply chain attacks

Supply chain attacks are becoming increasingly sophisticated. As network defenses improve, threat actors continuously adapt and refine their tactics, techniques, and procedures (TTPs) to achieve their goals. In recent years, this has led to a rise in the exploitation of trusted services and software, including legitimate browser extensions. Exploitation of these extensions can provide adversaries with a stealthy means to infiltrate target networks and access high-value accounts undetected.

A notable example of this trend was the compromise of the Cyberhaven Chrome extension at the end of 2024. This incident appeared to be part of a broader campaign targeting multiple Chrome browser extensions, highlighting the evolving nature of supply chain attacks [1].

What is Cyberhaven?

Cyberhaven, a US-based data security organization, experienced a security breach on December 24, 2024, when a phishing attack reportedly compromised one of their employee's credentials [2]. This allowed attackers to publish a malicious version of the Cyberhaven Chrome extension, which exfiltrated cookies and authenticated sessions from targeted websites. The malicious extension was active from December 25 to December 26 – a time when most businesses and employees were out of office and enjoying the festive period, a fact not lost on threat actors. The attackers, likely a well-organized and financially motivated group, compromised more than 30 additional Chrome extensions, affecting more than 2.6 million users [3]. They used sophisticated phishing techniques to authorize malicious OAuth applications, bypassing traditional security measures and exploiting vulnerabilities in OAuth authorizations. The primary motive appeared to be financial gain, targeting high-value platforms like social media advertising and AI services [4].

In late December 2024, multiple Darktrace customers were compromised via the Cyberhaven Chrome extension; this blog will primarily focus on Darktrace / NETWORK detections from one affected customer.

Darktrace’s coverage of Cyberhaven compromises

On December 26, 2024, Darktrace identified a series of suspicious activities across multiple customer environments, uncovering a structured attack sequence that progressed from initial intrusion to privilege escalation and data exfiltration. The attack was distributed through a malicious update to the Cyberhaven Chrome extension [2]. The malicious update established a foothold in customer environments almost immediately, leading to further anomalies.

As with other Chrome browser extensions, Cyberhaven Chrome extensions were updated automatically with no user interaction required. However, in this instance, the automatic update included a malicious version which was deployed to customer environments. This almost immediately introduced unauthorized activity, allowing attackers to establish a foothold in customer networks. The update allowed attackers to execute their objectives in the background, undetected by traditional security tools that rely on known indicators of compromise (IoCS) rather than identifying anomalies.

While multiple customer devices were seen connecting to cyberhaven[.]io, a legitimate Cyberhaven domain, Darktrace detected persistent beaconing behavior to cyberhavenext[.]pro, which appeared to be attempting to masquerade as another legitimate Cyberhaven domain. Darktrace recognized this activity as unusual, triggering several model alerts in Darktrace / NETWORK to highlight the persistent outbound connections to the suspicious domain.

Further analysis of external connectivity patterns indicated  an increase in anomalous HTTP requests alongside this beaconing activity. Multiple open-source intelligence (OSINT) sources also suggest that the cyberhavenext[.]pro endpoint is associated with malicious activities [5].

Darktrace / NETWORK’s detection of beaconing activity to cyberhavenext[.]pro
Figure 1: Darktrace / NETWORK’s detection of beaconing activity to cyberhavenext[.]pro

Analysis using Darktrace’s Advanced Search revealed that some of these connections were directed to the suspicious external IP address 149.28.124[.]84. Further investigation confirmed that the IP correlated with two SSL hostnames, including the malicious cyberhavenext[.]pro, further reinforcing its connection to the attack infrastructure.

Darktrace Advanced Search analysis showing the IP address 149.28.124[.]84 correlating to two SSL hostnames, one of which is cyberhavenext[.]pro.
Figure 2: Darktrace Advanced Search analysis showing the IP address 149.28.124[.]84 correlating to two SSL hostnames, one of which is cyberhavenext[.]pro.

Between December 23 and December 27, Darktrace observed sustained beaconing-like activity from affected devices on the customer’s network.

Darktrace’s detection of beaconing activities from a customer device to the endpoint 149.28.124[.]84 between December 23 and December 27.
Figure 3: Darktrace’s detection of beaconing activities from a customer device to the endpoint 149.28.124[.]84 between December 23 and December 27.

Darktrace observed 27 unique devices connecting to the malicious command-and-control (C2) infrastructure as far back as December 3. While most connections were brief, they represented an entry point for malicious activity. Over a two-day period, two devices transmitted 5.57 GiB of incoming data and 859.37 MiB of outgoing data, generating over 3 million log events across SSL, HTTP, and connection data.

Subsequent analysis identified a significant increase in unauthorized data transfers to the aforementioned 149.28.124[.]84 IP on another customer network, highlighting the potential broader impact of this compromise. The volume and frequency of these transfers suggested that attackers were leveraging automated data collection techniques, further underscoring the sophistication of the attack.

Darktrace’s detection of the likely exfiltration of 859.37 MiB to the endpoint 149.28.124[.]84.
Figure 4: Darktrace’s detection of the likely exfiltration of 859.37 MiB to the endpoint 149.28.124[.]84.

External research suggested that once active, the Cyberhaven extension would begin silently collecting session cookies and authentication tokens, specifically targeting high-value accounts such as Facebook Ads accounts [4]. Darktrace’s analysis of another affected customer noted many HTTP POST connections directed to a specific URI ("ai-cyberhaven"), while GET requests contained varying URIs prefixed with "/php/urlblock?args=AAAh....--redirect." This activity indicated an exfiltration mechanism, consistent with techniques observed in other compromised Chrome extensions. By compromising session cookies, attackers could potentially gain administrative access to connected accounts, further escalating their privileges [4].

Conclusion

This incident highlights the importance of monitoring not just endpoint security, but also cloud and browser-based security solutions, as attackers increasingly target these trusted and oft overlooked vectors.

Ultimately, by focusing on anomaly detection and behavioral analysis rather than static signatures and lists of ‘known bads’, Darktrace was able to successfully detect devices affected by the Cyberhaven Chrome browser extension compromise, by identifying activity that would likely have been considered legitimate and benign by traditional security solutions.

This compromise also serves as a reminder that supply chain attacks are not limited to traditional software vendors. Browser extensions, cloud-based applications, and SaaS services are equally vulnerable, as evidenced by Darktrace's detection of Balada Injector malware exploiting WordPress vulnerabilities to gain unauthorized network access [6]. Therefore, increased targeting of browser-based security tools, and a greater exploitation of OAuth and session hijacking techniques are to be expected. Attackers will undoubtedly refine their methods to infiltrate legitimate vendors and distribute malicious updates through trusted channels. By staying informed, vigilant, and proactive, organizations can mitigate exposure to evolving supply chain threats and safeguard their critical assets from emerging browser-based attack techniques.

Credit to Rajendra Rushanth (Cyber Analyst) Justin Torres (Senior Cyber Analyst) and Ryan Traill (Analyst Content Lead)

Appendices

Darktrace Model Detections

·       Compromise / Beaconing Activity To External Rare (AP: C2 Comms)

·       Compromise / Beacon for 4 Days (AP: C2 Comms)

·       Compromise / HTTP Beaconing to Rare Destination (AP: C2 Comms)

·       Device / Suspicious Domain (AP: C2 Comms, AP: Tooling)

·       Compromise / Sustained TCP Beaconing Activity To Rare Endpoint (AP: C2 Comms)

·       Anomalous Server Activity / Rare External from Server (AP: C2 Comms)

·       Anomalous Connection / Multiple Failed Connections to Rare Endpoint (AP: C2 Comms)

·       Anomalous Server Activity / Anomalous External Activity from Critical Network Device (AP: C2 Comms)

·       Compromise / Slow Beaconing Activity To External Rare (AP: C2 Comms)

·       Compromise / Repeating Connections Over 4 Days (AP: C2 Comms)

·       Anomalous Connection / Multiple HTTP POSTs to Rare Hostname (AP: C2 Comms)

·       Anomalous Server Activity / Outgoing from Server (AP: C2 Comms)

·       Compromise / High Volume of Connections with Beacon Score (AP: C2 Comms)

·       Compromise / Large Number of Suspicious Failed Connections (AP: C2 Comms)

·       Email Nexus / Connection to Hijacked Correspondent Link

·       Compromise / Suspicious TLS Beaconing To Rare External (AP: C2 Comms)

·       Compromise / Quick and Regular Windows HTTP Beaconing (AP: C2 Comms)

List of IoCs

IoC - Type - Description + Confidence

cyberhavenext[.]pro - Hostname - Used for C2 communications and data exfiltration (cookies and session tokens)

149.28.124[.]84 - IP - Associated with malicious infrastructure

45.76.225[.]148 - IP - Associated with malicious infrastructure

136.244.115[.]219 - IP - Associated with malicious infrastructure

MITRE ATT&CK Mapping

Tactic – Technique – Sub-Technique

INITIAL ACCESS - T1176 - Browser Extensions

EXECUTION - T1204.002 - Malicious Browser Extensions

PERSISTENCE - T1176 - Browser Extensions

COMMAND AND CONTROL - T1071.001 - Web Protocols

COMMAND AND CONTROL - T1001 - Data Obfuscation

CREDENTIAL ACCESS - T1539 - Steal Web Session Cookie

DISCOVERY - T1518.001 - Security Software Discovery

LATERAL MOVEMENT - T1557.003 - Man-in-the-Browser

EXFILTRATION - T1041 - Exfiltration Over C2 Channel

EXFILTRATION - T1567.002 - Exfiltration to Cloud Storage

IMPACT - T1583.006 - Session Hijacking

References

[1] https://thehackernews.com/2024/12/16-chrome-extensions-hacked-exposing.html

[2] https://www.cyberhaven.com/blog/cyberhavens-chrome-extension-security-incident-and-what-were-doing-about-it

[3] https://www.infosecurity-magazine.com/news/chrome-browser-extensions-hijacked/

[4] https://www.theverge.com/2024/12/28/24330758/chrome-extension-cyberhaven-hijack-phishing-cyberattack-facebook-ads-authentication-theft

[5] https://www.virustotal.com/gui/domain/cyberhavenext.pro

[6] https://darktrace.com/blog/balada-injector-darktraces-investigation-into-the-malware-exploiting-wordpress-vulnerabilities

Continue reading
About the author
Rajendra Rushanth
Cyber Analyst

Blog

/

Email

/

March 19, 2025

Global Technology Provider Transforms Email Threat Detection with Darktrace

Default blog imageDefault blog image

At a glance

  • Within just one month of using Darktrace / EMAIL, the volume of suspicious emails requiring analyst attention dropped by 75%, saving analysts 45 hours per month on analysis and investigation.
  • By offloading most manual, repetitive tasks to Darktrace / EMAIL, the company’s skilled security analysts can focus on developing new capabilities and tackling more complex, rewarding projects.
  • Darktrace recently detected and blocked a highly sophisticated and personalized phishing email that spoofed a Microsoft SharePoint and Teams website and used advanced engineering to impersonate the school of an employee’s family member.
  • The transition from the incumbent solution to Darktrace / EMAIL was seamless and undetectable to the company’s vast of customers and partners, reinforcing the security organization’s role as a business enabler—protecting the company and reducing risk without adding friction.

Securing a complex, distributed business without disruption

The company remains at the forefront of technological innovation and transformation; however, its success and ambitions come with the challenges of managing a distributed global business—balancing digital advancements, existing technology investments, and evolving compliance requirements.

Optimizing a complex tech stack for scalable growth

The organization operates a diverse technology stack spanning Windows, Mac, Linux, and multiple cloud environments, creating a complex and challenging IT landscape. The company’s Chief Information Security Officer (CISO) emphasizes the need for efficiency and agility. “Our goal is to scale and deliver new capabilities without increasing headcount, ensuring that costs remain proportionate to growth.”

Balancing security, governance, and business agility

Committed to responsible practices, this industry leader prioritizes secure and trustworthy technology for its customers who rely on its solutions. “Balancing business agility with governance is a constant challenge," said the CISO. "There’s always a natural push and pull, which I believe is healthy—but achieving the right balance is delicate.”

Protecting critical workflows without impacting productivity

For the organization, email is much more than just a communication tool. “Email plays a critical role in our engineering workflows and is fundamental to how we build our products.” Because of this, the company is extremely cautious about implementing any solution that could introduce friction or disrupt productivity. “There is zero tolerance for disruption, which is why we take a deliberate and methodical approach when evaluating, selecting, and deploying our tools and solutions,” he said.  

More than a vendor: A security partner invested in success

To ensure an optimal security infrastructure, the enterprise security team regularly evaluates market technologies to their existing solutions. With the rapidly evolving threat landscape, the CISO said they “wanted to validate whether we still had best-in-class protection and the right controls in place to secure our organization. It was about assessing whether we could do better in our ongoing effort to fine-tuning our approach to achieve the best possible outcome.”

The team evaluated 15 different email security vendors based on the following criteria:

  1. Efficacy to detect threats
  2. Ability to integrate with existing tooling
  3. Ease of use
  4. A vendor’s approach to partnership  

They initially narrowed the list to five vendors, conducting demo sessions for deeper evaluations before selecting three finalists for a proof of value (POV). We analyzed actual malicious emails with each vendor to assess the accuracy of their detections, allowing for an objective comparison,” said the CISO. Through this rigorous process, the Darktrace / EMAIL security solution emerged as the best fit for their business. “Darktrace’s product performed well and showed a genuine commitment to partnering with us in the long-term to ensure our success.”

The team objectively understood where there were gaps across the different vendors, where they were strong, and where they could use improvement. “Based on the analysis, we knew that Darktrace / EMAIL could deliver as the data supported it, in our specific use cases.  

Partnership, integrity and respect

Throughout the evaluation process, the importance of partnership and mutual respect remained an essential factor to the CISO. “I wanted a company we could develop a long-term strategic partnership with, one that could extend far deeper than just email.” A key factor in choosing Darktrace was the commitment and engagement of its team at every level of the organization. “Darktrace showed integrity, patience and a genuine investment in building a strong relationship with my team.  That's why we're here today.”

“Together, we've delivered some fantastic outcomes”

For the organization, Darktrace / EMAIL has played a crucial role in reducing risk, empowering analysts, and enabling a lean, effective security strategy. “Together, we've delivered some fantastic outcomes,” said the CISO.  

Reducing risk. Empowering analysts

“Within that first month, we saw a 75% drop in suspicious emails that that required manual review, which reduced the time my team spent analyzing and investigating by 45 hours per month,” said the CISO. The security team values Darktrace / EMAIL not only for its ease of use but also for the time it frees up for more meaningful work. “Giving my team the opportunity to tackle complex challenges they enjoy and find more stimulating is important to me.” As they continue to fine-tune and optimize balance levels within Darktrace / EMAIL, he expects even greater efficiency gains in the coming months.

Maximizing protection while staying lean

It’s important for the security group to be proportionate with their spending, said the CISO. “It's all about what is enough security to enable the business. And that means, as our organization grows, it's important that we are as lean and as efficient as possible to deliver the best outcomes for the business.”  Embracing an AI-powered automated approach is an essential component to achieving that goal. By offloading most manual, repetitive tasks to Darktrace / EMAIL, the company’s skilled security analysts can focus on more strategic and proactive initiatives that enable the business.  

Protecting employees from advanced social engineering threats

Recently, Darktrace detected a malicious email targeting an employee, disguised as a spoofed Microsoft SharePoint and Teams website. What made this attack particularly sophisticated was its personalization — it impersonated the school where the employee’s family member attended. Unlike mass malicious emails sent to thousands of people, this was a highly targeted attack, leveraging advanced social engineering tactics to exploit connections within the education system and between family members.  

Protecting without disrupting

A seamless migration is often overlooked but is critical to success for any organization, said the CISO. With a wide ecosystem of partners, email is a highly visible, business-critical function for the organization — "any friction or downtime would have an immediate impact and could throttle the entire business,” he said. However, the transition from their previous solution to Darktrace / EMAIL was exceptionally smooth. “No one realized we changed providers because there was no disruption — no incidents at all. I cannot emphasize just how important that is when I'm trying to position our security organization as an enabling function for the business that protects and reduces risk without adding friction.”

A security partnership for the future

“To survive as a business over the next few years, adopting AI is no longer optional—it’s essential,” said the CISO. However, with the cybersecurity market becoming increasingly saturated, selecting the right solutions and vendors can be overwhelming. He stresses the importance of choosing strategic partners who not only deliver the outcomes you need, but also deeply understand your organization’s unique environment. “You’re only as strong as your partners. Technology innovation and the cybersecurity market are always changing.  At some point every solution will face a challenge—it’s inevitable. The differentiator will be how people respond when that happens.”  

Continue reading
About the author
The Darktrace Community
Your data. Our AI.
Elevate your network security with Darktrace AI