Darktrace's Cyber AI Platform detects and alerts on anomalous behavior in Microsoft 365 accounts in real time.
Cyber-criminals are increasingly impersonating trusted SaaS platforms and suppliers in their attacks. Recently, Darktrace has detected threats leveraging the QuickBooks, WeTransfer and Microsoft Teams brand names. Many of these emails attempt to coax the recipient into clicking a malicious link that leads to a credential-harvesting page. This blog post demonstrates a possible next phase of such an attack: what happens after an employee enters their details on that page and has their account compromised.
Even just one compromised internal account can greatly increase the success rate of a phishing campaign. Attackers can use a compromised Microsoft 365 account to gain access to multiple other accounts within hours.
Darktrace’s AI was monitoring over 9,000 devices at a leading technology firm in the APAC region when one employee fell victim to a Microsoft 365 account takeover over the weekend. The account was then used to send hundreds of phishing emails to both internal and external contacts. Darktrace detected the early signs of account compromise and raised a high-confidence alert to the security team well before these emails were sent. Had the security team acted on the alert promptly, the delivery of the phishing emails, and the second account compromise that followed, could have been avoided.
Timeline of the attack
Figure 1: A timeline of the attack
We can see in the timeline that the attacker only spent three hours performing research before acting. This raises questions on the nature of this threat. Was the attack automated? Had the attacker done preliminary research? Did they know what they were after?
A bespoke and targeted attack
Darktrace first alerted to the security incident when the AI detected that someone was logging in from an unusual geographical location, promptly setting up new inbox rules, and viewing several shared files. The attacker then proceeded to send out over 200 phishing emails to internal and external recipients.
The emails contained a link to a Microsoft OneDrive landing page titled “Contract & Proposal – Customer,” indicating the page was built specifically for this attack. The page contained a phishing link hidden under the display text “Click to Review Fax Document.” Less than one hour after the phishing emails were sent, Darktrace’s AI detected an unusual login from the same IP to a second account in the organization, indicating that this account had likely also been compromised.
How did the attack bypass the rest of the security stack?
The attacker signed in with valid M365 credentials, most likely harvested in an earlier phishing campaign that predated Darktrace’s deployment, so the login itself looked legitimate to credential-based controls;
Traditional email security software trusts internal emails, so mail sent from the compromised account to colleagues was not scrutinised;
The phishing emails linked to a page hosted on OneDrive, a trusted SaaS platform, so reputation-based link filtering in other email security products would not have flagged the links as suspicious.
AI Analyst investigates
The technology firm had deployed Darktrace’s Enterprise Immune System across their network and SaaS applications, and consequently had real-time visibility across every event in this attack as it unfolded. Additionally, when the unusual login location was detected, Darktrace’s Cyber AI Analyst immediately launched an automated investigation into the malicious activity, generating a natural language summary of the events and other crucial information to help with incident review.
Figure 2: An excerpt of Cyber AI Analyst’s report of the account hijack
Darktrace’s SaaS Console also reported on the event in the context of that account’s activity over the previous week.
Figure 3: Darktrace’s SaaS dashboard displaying an overview of the incident
This attack is another example of the changing nature of cyber-threats in the context of digital transformation. It is not devices, but identities that are increasingly being targeted and attacked.
Darktrace’s real-time alerting on the evolving situation could have enabled the security team to isolate the initial compromised account and reset its credentials before the attack escalated. The initial login from a rare location caused Darktrace’s Cyber AI Analyst to open an ongoing investigation into the account, and an alert was raised just three minutes after the attacker set up the new inbox rules. With eyes on the technology, a more serious breach could have been avoided and the incident remediated in minutes.
Thanks to Darktrace analyst Stefan Rowe for his insights on the above threat find.
For eight more case studies of cyber-threats detected within SaaS environments, read the White Paper.
IoCs:
IoC                  Comment
covingtonok[.]buzz   Used to host fake login page
Darktrace model detections:
SaaS / Unusual External Source for SaaS Credential Use
SaaS / New Email
SaaS / Unusual Login and New Email Rule
SaaS / Anomalous Exchange Activity
Author
Max Heinemeyer
Global Field CISO
Max is a cyber security expert with over a decade of experience in the field, specializing in a wide range of areas such as Penetration Testing, Red-Teaming, SIEM and SOC consulting and hunting Advanced Persistent Threat (APT) groups. At Darktrace, Max is closely involved with Darktrace’s strategic customers & prospects. He works with the R&D team at Darktrace, shaping research into new AI innovations and their various defensive and offensive applications. Max’s insights are regularly featured in international media outlets such as the BBC, Forbes and WIRED. Max holds an MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.
Survey Findings: AI Cybersecurity Priorities and Objectives in 2025
AI is changing the cybersecurity field, both on the offensive and defensive sides. We surveyed over 1,500 cybersecurity professionals from around the world to uncover their attitudes, understanding, and priorities when it comes to AI cybersecurity in 2025. Our full report, unearthing some telling trends, is available now.
It is clear that security professionals know their field is changing fast, and that AI will continue to influence those changes. Our survey results show that they are aware that the rise of AI will require them to adopt new tools and learn to use them effectively. Still, they aren’t always certain about how to plan for the future, or what to invest in.
The top priorities of security stakeholders for improving their defenses against AI-powered threats include augmenting their existing tool stacks with AI-powered solutions and improving integration among their security tools.
Figure 1: Year-over-year changes to the priorities of security stakeholders.
Increasing cybersecurity staff
As was also the case last year, security stakeholders are less interested in hiring additional staff than in adding new AI-powered tools to their existing security stacks, with only 11% (and only 8% of executives) planning to increase cybersecurity staff in 2025.
Adding AI-powered security tools to supplement existing solutions
Executives are particularly enthusiastic about adopting AI-driven tools. Within that goal, there is consensus about the qualities cyber professionals are looking for when purchasing new security capabilities or replacing existing products.
87% of survey respondents prefer solutions that are part of a broader platform over individual point products
These results are similar to last year’s, where again, almost nine out of ten agreed that a platform-oriented security solution was more effective at stopping cyber threats than a collection of individual products.
88% of survey respondents agree that the use of AI within the security stack is critical to freeing up time for security teams to become more proactive, compared to reactive
AI itself can contribute to this shift from reactive to proactive security, improving risk prioritization and automating preventative strategies like Attack Surface Management (ASM) and proactive exposure management.
84% of survey respondents prefer defensive AI solutions that do not require the organization’s data to be shared externally
This preference may reflect increasing attention to the data privacy and security risks posed by generative AI (gen AI) adoption. It may also reflect growing awareness of data residency requirements and other restrictions that regulators are imposing.
Improving cybersecurity awareness training for end users
Based on the survey results, practitioners in SecOps are more interested in improving security awareness training.
This goal is not necessarily mutually exclusive from the addition of AI tools. For example, teams can leverage AI to build more effective security awareness training programs, and as gen AI tools are adopted, users will need to be taught about data privacy and associated security risks.
Looking towards the future
One conclusion we can draw from the attitudinal shifts from last year’s survey to this year’s: while hiring more security staff might be a nice-to-have, implementing AI-powered tools so that existing employees can work smarter is increasingly viewed as a must-have.
However, trending goals are not just about managing resources, whether headcount or AI investments, to keep up with workloads. Existing end users must also be trained to follow safe practices while using established and newly adopted tools.
Security professionals, including executives, SecOps, and every role in between, continue to shift their identified challenges and priorities as they gear up for the coming year in the Era of AI.
The full report for Darktrace’s State of AI Cybersecurity is out now. Download the paper to dig deeper into these trends, and see how results differ by industry, region, organization size, and job title.
Supply chain attacks are becoming increasingly sophisticated. As network defenses improve, threat actors continuously adapt and refine their tactics, techniques, and procedures (TTPs) to achieve their goals. In recent years, this has led to a rise in the abuse of trusted services and software, including legitimate browser extensions. Compromising such an extension can give adversaries a stealthy means to infiltrate target networks and access high-value accounts undetected.
A notable example of this trend was the compromise of the Cyberhaven Chrome extension at the end of 2024. This incident appeared to be part of a broader campaign targeting multiple Chrome browser extensions, highlighting the evolving nature of supply chain attacks [1].
What is Cyberhaven?
Cyberhaven, a US-based data security organization, experienced a security breach on December 24, 2024, when a phishing attack reportedly compromised one of their employees' credentials [2]. This allowed the attackers to publish a malicious version of the Cyberhaven Chrome extension, which exfiltrated cookies and authenticated sessions from targeted websites. The malicious extension was active from December 25 to December 26, a period when most businesses and employees were out of office for the festive season, a fact not lost on the threat actors. The attackers, likely a well-organized and financially motivated group, compromised more than 30 additional Chrome extensions, affecting more than 2.6 million users [3]. The phishing lure tricked the employee into granting a malicious OAuth application access to the developer account; this abused a legitimate OAuth consent flow rather than a vulnerability in OAuth itself, and because the victim never entered a password or MFA code into an attacker-controlled page, conventional credential protections were bypassed. The primary motive appeared to be financial gain, targeting high-value platforms such as social media advertising and AI services [4].
In late December 2024, multiple Darktrace customers were compromised via the Cyberhaven Chrome extension; this blog will primarily focus on Darktrace / NETWORK detections from one affected customer.
Darktrace’s coverage of Cyberhaven compromises
On December 26, 2024, Darktrace identified a series of suspicious activities across multiple customer environments, uncovering a structured attack sequence that progressed from initial intrusion to privilege escalation and data exfiltration. The attack was distributed through a malicious update to the Cyberhaven Chrome extension [2]. The malicious update established a foothold in customer environments almost immediately, leading to further anomalies.
As with other Chrome browser extensions, the Cyberhaven extension updated automatically with no user interaction required. In this instance the automatic update carried the malicious version, so unauthorized activity began on affected devices almost immediately. The attackers could pursue their objectives in the background, undetected by traditional security tools that rely on known indicators of compromise (IoCs) rather than identifying anomalies.
While multiple customer devices were seen connecting to cyberhaven[.]io, a legitimate Cyberhaven domain, Darktrace detected persistent beaconing behavior to cyberhavenext[.]pro, a domain that appeared to masquerade as legitimate Cyberhaven infrastructure. Darktrace recognized this activity as unusual, triggering several model alerts in Darktrace / NETWORK to highlight the persistent outbound connections to the suspicious domain.
Further analysis of external connectivity patterns indicated an increase in anomalous HTTP requests alongside this beaconing activity. Multiple open-source intelligence (OSINT) sources also suggest that the cyberhavenext[.]pro endpoint is associated with malicious activities [5].
Figure 1:Darktrace / NETWORK’s detection of beaconing activity to cyberhavenext[.]pro
Analysis using Darktrace’s Advanced Search revealed that some of these connections were directed to the suspicious external IP address 149.28.124[.]84. Further investigation confirmed that the IP correlated with two SSL hostnames, including the malicious cyberhavenext[.]pro, further reinforcing its connection to the attack infrastructure.
Figure 2: Darktrace Advanced Search analysis showing the IP address 149.28.124[.]84 correlating to two SSL hostnames, one of which is cyberhavenext[.]pro.
Between December 23 and December 27, Darktrace observed sustained beaconing-like activity from affected devices on the customer’s network.
Figure 3: Darktrace’s detection of beaconing activities from a customer device to the endpoint 149.28.124[.]84 between December 23 and December 27.
Darktrace observed 27 unique devices connecting to the malicious command-and-control (C2) infrastructure as far back as December 3. While most connections were brief, they represented an entry point for malicious activity. Over a two-day period, two devices transmitted 5.57 GiB of incoming data and 859.37 MiB of outgoing data, generating over 3 million log events across SSL, HTTP, and connection data.
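Two of the signals described above, a hostname that borrows the vendor's brand but sits under a registrable domain the organisation does not trust, and outbound connections whose inter-arrival times are too regular to be a person browsing, can be checked against ordinary connection logs. The following is an added example, not Darktrace code or part of the original post. The log lines are constructed; cyberhaven.io and cyberhavenext.pro are the domains named in the write-up, and the device names, timestamps and the trusted-domain list are assumptions.

```python
"""Flag brand-lookalike hostnames and periodic beaconing in connection logs.

Added example, not Darktrace code. LOG, TRUSTED_DOMAINS and the thresholds are
constructed for illustration; only the two Cyberhaven domains come from the write-up.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Registrable domains the organisation actually trusts for this vendor (assumed).
TRUSTED_DOMAINS = {"cyberhaven.io", "cyberhaven.com"}
BRAND_TOKENS = {"cyberhaven"}

# Constructed connection log: "<timestamp> <device> <sni-hostname> <dst-ip>"
LOG = """\
2024-12-26T10:00:00 ws-017 app.cyberhaven.io 192.0.2.10
2024-12-26T10:00:03 ws-017 cyberhavenext.pro 149.28.124.84
2024-12-26T10:05:04 ws-017 cyberhavenext.pro 149.28.124.84
2024-12-26T10:10:02 ws-017 cyberhavenext.pro 149.28.124.84
2024-12-26T10:15:05 ws-017 cyberhavenext.pro 149.28.124.84
2024-12-26T10:20:03 ws-017 cyberhavenext.pro 149.28.124.84
2024-12-26T10:01:00 ws-042 www.example.org 198.51.100.20
2024-12-26T10:47:00 ws-042 www.example.org 198.51.100.20
2024-12-26T11:02:00 ws-042 www.example.org 198.51.100.20
2024-12-26T13:15:00 ws-042 www.example.org 198.51.100.20
"""


def registrable_domain(host):
    """Last two labels of the hostname. Adequate for the TLDs used here; a real
    deployment should consult the Public Suffix List (e.g. for co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_brand_lookalike(host):
    """True when the hostname carries a trusted brand token but its registrable
    domain is not one the organisation actually trusts."""
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return False
    return any(tok in reg for tok in BRAND_TOKENS)


def parse_log(text):
    rows = []
    for line in text.splitlines():
        ts, device, host, ip = line.split()
        rows.append((datetime.fromisoformat(ts), device, host, ip))
    return rows


def interarrival_stats(timestamps):
    """(mean gap in seconds, coefficient of variation) or None for <2 events.
    A coefficient of variation near 0 means machine-regular beaconing."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if not gaps:
        return None
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else 0.0)


def analyse(text, min_events=5, max_cv=0.1):
    """One finding per (device, host, ip) with lookalike and beaconing verdicts."""
    per_pair = defaultdict(list)
    for ts, device, host, ip in parse_log(text):
        per_pair[(device, host, ip)].append(ts)

    findings = []
    for (device, host, ip), stamps in sorted(per_pair.items()):
        stats = interarrival_stats(stamps)
        regular = (stats is not None and len(stamps) >= min_events
                   and stats[1] <= max_cv)
        findings.append({
            "device": device, "host": host, "ip": ip, "events": len(stamps),
            "mean_gap_s": round(stats[0], 1) if stats else None,
            "lookalike": is_brand_lookalike(host),
            "beaconing": regular,
        })
    return findings


if __name__ == "__main__":
    for f in analyse(LOG):
        print(f)
```

The jittered five-minute cadence to cyberhavenext.pro scores a coefficient of variation under 0.01 and is flagged; the irregular browsing to www.example.org is not, and app.cyberhaven.io is exempt from the lookalike check because its registrable domain is on the trusted list. Malware that randomises its sleep interval widely will defeat a plain coefficient-of-variation test, so in practice this is one feature among several rather than a verdict on its own.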
Subsequent analysis identified a significant increase in unauthorized data transfers to the aforementioned 149.28.124[.]84 IP on another customer network, highlighting the potential broader impact of this compromise. The volume and frequency of these transfers suggested that attackers were leveraging automated data collection techniques, further underscoring the sophistication of the attack.
Figure 4: Darktrace’s detection of the likely exfiltration of 859.37 MiB to the endpoint 149.28.124[.]84.
External research suggested that once active, the Cyberhaven extension would begin silently collecting session cookies and authentication tokens, specifically targeting high-value accounts such as Facebook Ads accounts [4]. Darktrace’s analysis of another affected customer noted many HTTP POST connections directed to a specific URI ("ai-cyberhaven"), while GET requests contained varying URIs prefixed with "/php/urlblock?args=AAAh....--redirect." This activity indicated an exfiltration mechanism, consistent with techniques observed in other compromised Chrome extensions. By compromising session cookies, attackers could potentially gain administrative access to connected accounts, further escalating their privileges [4].
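The two request shapes reported above, repeated POSTs to a URI containing "ai-cyberhaven" and GETs under a "/php/urlblock?args=" prefix with varying arguments, lend themselves to a simple hunt over HTTP proxy logs that also tallies outbound volume per device and host. The following is an added example, not Darktrace code or part of the original post. The log lines are constructed: the host and the two URI patterns come from the write-up, while the query values, byte counts and volume threshold are invented.

```python
"""Hunt HTTP proxy logs for the request patterns attributed to the compromised extension.

Added example, not Darktrace code. HTTP_LOG is constructed; only the host and the two
URI shapes ("ai-cyberhaven" POSTs, "/php/urlblock?args=" GETs) come from the write-up.
"""
from collections import defaultdict
import re

# Constructed proxy log: "<ts> <device> <method> <host> <uri> <bytes_out>"
HTTP_LOG = """\
2024-12-26T10:00:05 ws-017 POST cyberhavenext.pro /ai-cyberhaven 48211
2024-12-26T10:05:06 ws-017 POST cyberhavenext.pro /ai-cyberhaven 51907
2024-12-26T10:10:04 ws-017 POST cyberhavenext.pro /ai-cyberhaven 50340
2024-12-26T10:10:09 ws-017 GET cyberhavenext.pro /php/urlblock?args=c2FtcGxlMQ--redirect 0
2024-12-26T10:15:07 ws-017 GET cyberhavenext.pro /php/urlblock?args=c2FtcGxlMg--redirect 0
2024-12-26T10:02:00 ws-042 POST app.cyberhaven.io /api/v1/events 2310
2024-12-26T10:03:00 ws-042 GET www.example.org /index.html 0
"""

# URI patterns reported in the write-up; the query values in HTTP_LOG are invented.
POST_URI_PATTERN = re.compile(r"ai-cyberhaven")
GET_URI_PATTERN = re.compile(r"^/php/urlblock\?args=")


def parse_http_log(text):
    rows = []
    for line in text.splitlines():
        ts, device, method, host, uri, bytes_out = line.split()
        rows.append({"ts": ts, "device": device, "method": method,
                     "host": host, "uri": uri, "bytes_out": int(bytes_out)})
    return rows


def hunt(text, volume_threshold=100_000):
    """Return one finding per (device, host) that matched either URI pattern,
    with hit counts and total outbound bytes so findings can be ranked.
    `volume_threshold` (bytes of matched POST data) is an assumed tuning knob."""
    agg = defaultdict(lambda: {"post_hits": 0, "get_hits": 0, "bytes_out": 0})
    for r in parse_http_log(text):
        key = (r["device"], r["host"])
        if r["method"] == "POST" and POST_URI_PATTERN.search(r["uri"]):
            agg[key]["post_hits"] += 1
            agg[key]["bytes_out"] += r["bytes_out"]   # outbound payload = candidate exfil
        elif r["method"] == "GET" and GET_URI_PATTERN.match(r["uri"]):
            agg[key]["get_hits"] += 1

    findings = []
    for (device, host), a in sorted(agg.items()):
        findings.append({
            "device": device, "host": host, **a,
            "likely_exfil": a["post_hits"] > 0 and a["bytes_out"] >= volume_threshold,
        })
    return findings


if __name__ == "__main__":
    for finding in hunt(HTTP_LOG):
        print(finding)
```

Only ws-017's traffic to cyberhavenext.pro matches; the legitimate POST to app.cyberhaven.io and the ordinary GET are left alone. The pattern match identifies the channel and the byte total indicates how much may have left, which is the question an incident responder has to answer first; session cookies are small, so a low threshold and the hit count matter more than raw volume when deciding which devices to isolate.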
Conclusion
This incident highlights the importance of monitoring not just endpoint security, but also cloud and browser-based security solutions, as attackers increasingly target these trusted and often overlooked vectors.
Ultimately, by focusing on anomaly detection and behavioral analysis rather than static signatures and lists of ‘known bads’, Darktrace was able to successfully detect devices affected by the Cyberhaven Chrome browser extension compromise, by identifying activity that would likely have been considered legitimate and benign by traditional security solutions.
This compromise also serves as a reminder that supply chain attacks are not limited to traditional software vendors. Browser extensions, cloud-based applications, and SaaS services are equally vulnerable, as evidenced by Darktrace's detection of Balada Injector malware exploiting WordPress vulnerabilities to gain unauthorized network access [6]. Therefore, increased targeting of browser-based security tools, and a greater exploitation of OAuth and session hijacking techniques are to be expected. Attackers will undoubtedly refine their methods to infiltrate legitimate vendors and distribute malicious updates through trusted channels. By staying informed, vigilant, and proactive, organizations can mitigate exposure to evolving supply chain threats and safeguard their critical assets from emerging browser-based attack techniques.
Credit to Rajendra Rushanth (Cyber Analyst), Justin Torres (Senior Cyber Analyst) and Ryan Traill (Analyst Content Lead)