Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Brianna Luong (Leddy)
Sr. Technical Alliances Manager
Share
27
Sep 2022
Attackers have leveraged social engineering in several high-profile hacks in recent months, with organizations like Uber, Rockstar Games, Cloudflare, Cisco, and LastPass among the most well-known targets.
Social engineering is the manipulation of a user, often through fear or doubt, to coax them into actions like revealing credentials or other sensitive information. The threat landscape is teeming with social engineering attempts across all forms of digital messaging, including email, Slack, and SMS. Moreover, spear-phishing, watering hole attacks, and spoofing are growing increasingly sophisticated.
Organizations are taking numerous defensive measures in response. This includes ramping up security education efforts, as well as configuring multi-factor authentication (MFA). But while MFA strengthens security, it can still be thwarted by hackers, and security awareness training programs often yield mixed or disappointing results. Now, organizations are increasingly turning to artificial intelligence to stop cyber-attacks carried out through social engineering.
Since application-based transportation companies face distinct risks with their complex digital infrastructure, they require dynamic security solutions that adapt to evolving phishing techniques to guarantee reliable service to their customers. To that end, the Bluebird Group, the largest taxi service in Indonesia, has been using Darktrace to protect its email and cloud-based messaging since 2021.
“While we’ve pivoted and shown flexibility in the face of change, so too have the attackers,” said Sigit Djokosoetono, CEO at PT Blue Bird Tbk, a subsidiary of The Bluebird Group. “We’ve seen an uptick in attacks targeting cloud and SaaS applications, for example. Phishing emails are becoming more realistic and more frequent.”
Traditional email defenses lag behind contemporary social engineering threats because they rely on threat intelligence and collecting “deny-lists” of email domains and IP addresses already recognized as bad. But attackers can set up new domains for pennies and update infrastructure too frequently for this method to have effect.
Darktrace’s unique approach to cyber security stops these attacks. Self-Learning AI learns the who, what, when, and where of every email user’s communication patterns. This evolving and multi-dimensional understanding allows the AI to spot subtle signs of a social engineering attack, regardless of whether it is known or novel and regardless of the tactics in place.
If an employee’s credentials are used as part of a social engineering hack, Darktrace can identify the hacker’s malicious behavior. It then makes micro-decisions to neutralize the attack within seconds, stopping the offending message without disruption to the business.
“Darktrace’s AI-powered email security solution has reduced our email threats – such as spear phishing and spoofing – by 95% because it takes autonomous action to contain malicious emails before they reach a user. We can’t expect humans to spot the difference between a real and a fake anymore – it’s not sustainable,” said Djokosoetono.
More recently, social engineering has gone beyond email, and to other platforms like Slack and Microsoft Teams. This can be more difficult for security teams to manage. Darktrace takes a holistic approach to security and can be installed anywhere an organization has data. The various coverage areas are united through the Self-Learning AI, which looks at every area of the digital estate to reveal the full scope of an attack, even as the attacker traverses multiple digital environments.
“For our employees, a weight is lifted from their shoulders,” said Djokosoetono. “When it comes to something like phishing emails, training on how to spot these is important but we simply cannot put the onus on humans to spot these well-researched, targeted email attacks. With AI in place, we’re stopping these threats before humans have to deal with them."
Darktrace’s AI is always-on and works at machine-speed to protect companies, so employees can focus on producing their best work without the constant fear of malicious messaging.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
From VPS to Phishing: How Darktrace Uncovered SaaS Hijacks through Virtual Infrastructure Abuse
Darktrace identified coordinated SaaS account compromises across multiple customer environments. The incidents involved suspicious logins from VPS-linked infrastructure followed by unauthorized inbox rule creation and deletion of phishing-related emails. These consistent behaviors across devices point to a targeted phishing campaign leveraging virtual infrastructure for access and concealment. Discover how Darktrace uncovered this activity and what it means for the future of SaaS security.
Defending the Cloud: Stopping Cyber Threats in Azure and AWS with Darktrace
This blog examines three real-world cloud-based attacks in Azure and AWS environments, including credential compromise, data exfiltration, and ransomware detonation. Learn how Darktrace’s AI-driven threat detection and Autonomous Response capabilities help organizations defend against evolving threats in complex cloud environments.
Top Eight Threats to SaaS Security and How to Combat Them
SaaS security requires new methods to keep up with evolving threats and business infrastructure. In this blog, learn the top eight threats to identity security and how AI-based solutions can help.
Journey of a Threat: How Multi-Layered AI Works in Darktrace / EMAIL
Darktrace / EMAIL is an implementation of the Darktrace methodology – a multi-layered AI system built into a single product. As with other Darktrace products, Darktrace / EMAIL learns the expected behaviours of an organization and its employees to identify novel threats and anomalous activity.
The diagram below represents the architecture of Darktrace / EMAIL’s multi-layered AI: a structured visualization of how intelligence is built, step by step, from raw data to actionable insight. Each layer plays a distinct role, feeding into the next: collecting data, understanding behaviour, analysing intent, making decisions, and presenting clear outcomes.
It all starts with an email
In this blog, we’ll follow a malicious email as it passes through the Darktrace / EMAIL system, showing exactly what happens as it travels through each layer of the pyramid, from basic data extraction to AI-powered metric creation, and finally deciding on any autonomous actions.
Let’s take this example email. As an end-user, you can see that this is an obvious extortion attempt where an adversary is threatening legal action if money isn’t paid within 24 hours, but how does Darktrace figure that out?
Part 1: Data Gathering
Processing of an email begins on point-of-transit for all inbound, outbound, or lateral emails. The first step is to extract information directly. This includes taking information from the headers (such as sending and receiving addresses, sender IP address, routing, and authentication protocols), as well as extraction of raw HTML and CSS data from the email itself.
This directly extracted information only allows for immediate surface level analysis, such as identifying signature-based attacks (known malicious addresses / domains), but is insufficient for identifying novel threats, complex attacks, or potential email or vendor compromise. This is where Darktrace’s AI analysis shines.
In this example, the SPF, DKIM, and DMARC authentication all passed successfully, showing that even malicious emails can still bypass these signature-based checks. Even with this success, Darktrace will continue to analyse the email.
Diving deeper into the technical information, we can see further information extracted from the headers, including aggregations from the header information, historical calculations such as the frequency and volume of emails to and from a particular domain, and much more.
Part 2: Social Graphing
Social Graphing involves the analysis of sending and receiving behaviours of different mailboxes to create peer-groups. Mailboxes who often send and receive to and from the same mailboxes, or exhibit other correlated behaviours, will be clustered together using a collection of unsupervised AI clustering systems. These groups may represent uses in the same teams who perform similar activity, groups of external facing mailboxes which often receive unsolicited emails, or groups of VIP users (such as C-suite or executives).
Social graphing is an essential component of Darktrace’s pattern of life analysis. This clustering allows Darktrace to understand the responsibilities of individuals – for example, behaviours which are anomalous for one group of users may be completely expected of another group.
In our example, the email was sent to 3 different users within the organization. As part of the social graphing, an “Association Anomaly” is calculated which indicates the likelihood that these users would receive emails from this user or domain, based on historical patterns.
Part 3: Metric Calculation
Metrics are calculated for every email, representing more complex characteristics of an email which can’t be directly extracted. Darktrace / EMAIL features over 1000 unique metrics, calculated both algorithmically and using an ensemble of AI systems.
Algorithmically calculated (non-AI) metrics include further historical calculations, and counts of features such as code blocks, and hidden text, to name a few.
AI-driven metrics include Inducement Classification which uses Natural Language Processing to identify potential phishing, solicitation, or extortion attempts; Named Entity Recognition to identify PII and other sensitive data within an email to support Data Loss Prevention; and many more.
We can follow our example email through this process and view the outcome of these metric calculations. Looking at the language metrics for this email, we can see that our email has reported a high extortion inducement, along with identification of banking information and language indicating urgency.
Part 4: Evaluation and Combination Engine (models)
Once all metrics have been calculated for an email, it gets sent to an evaluation and combination engine where the metrics are compared against blocks of logic to determine if an email contains a threat. One key model which alerted for this example message was a model to tag and block extortion attempts.
Since our example email has a high inducement score for extortion, along the presence of a bitcoin wallet address in the message, this model alerts. When a model in the engine is activated, actions are taken – in this case adding a tag to the email to flag it as extortion in the console and hold the email to prevent it from reaching the end-user mailbox.
Part 5: Meta-Modelling and Actions
Once the models have been run, the actions are taken against the email. If the email hasn’t been blocked or held, this is the point where it will reach the end-user's mailbox.
In the Darktrace / EMAIL UI, all actions models which alerted for an email and actions taken as a result can be seen. At the top of this page, you can see the alert indicating an extortion attempt along with the action to hold the message.
Alongside this, a meta-classifier is used to calculate an overall anomaly score for each email, based on how much the email differs from the pattern of life for the user. The score of the email is boosted by any actions that have taken place.
Part 6: Campaign Clustering
All emails are passed through the Darktrace / EMAIL campaign clustering system. This system creates clusters based on related features within the emails to identify groups of emails with the same sender or intent.
In our case, the email was identified as part of a campaign, alongside other emails which were also identified as extortion attempts against a small group of recipients.
Email campaigns may have additional actions applied to them if the campaign is deemed malicious, and in this case, you can see that the autonomous response was to hold all emails in the campaign. This means that if an email manages to avoid being blocked in the evaluation and combination engine but gets identified as part of the campaign, the hold action will be applied to it retroactively.
Part 7: Cyber AI Analyst
Darktrace’s Cyber AI Analyst presents key information and anomaly indicators for each email, such as further information about authentication, specific metrics, or other identified anomalies and mismatches.
Cyber AI Analyst can also utilize data from Darktrace / EMAIL to enhance its investigation of incidents from other Darktrace products, correlating relevant information to build a fuller picture. More information about the Cyber AI Analyst is available in the Darktrace AI Arsenal.
Part 8: Data Presentation (UI)
Once all processing has taken place against the email, it is presented in the Darktrace / EMAIL UI. Here, members of the SOC team can investigate incidents and anomalies, interact with malicious emails to see why they were blocked, and much more.
Our email stands out here with its 100 anomaly score. Every email which passes through a Darktrace / EMAIL will undergo the same thorough and rigorous analysis to identify potential risks, apply autonomous actions where required, and will ultimately be assigned a score to be displayed here. By providing a single overall score in the UI, rather than presenting emails in full, Darktrace / EMAIL allows SOC teams to more easily identify which emails are most important to investigate, increasing efficiency and reducing alert fatigue.
Take the next step
Many email security tools on the market that claim to be AI-driven are in fact bolting AI onto attack-centric approaches, which rely on automating the identification of known threats. These approaches struggle, and will continue to struggle, with adapting to novel, AI-generated threats.
By analyzing every email within its deeply integrated, multi-layered AI system, Darktrace / EMAIL is able to identify the subtle threats that others miss. This depth not only improves detection accuracy, but enables confident, autonomous action, giving security teams clearer insight into AI outcomes and greater control while supporting users.
We believe the combination of these two signals is important. One reflects how the market is evaluated. The other reflects how technology performs in practice.
Why Darktrace continues to be recognized as a leader
We believe our position as a Leader for the second consecutive year reflects a combination of our sustained ability to execute in NDR, continued AI innovation, and proven delivery of security outcomes for customers and partners worldwide.
Organizations are no longer protecting a single network perimeter. They are securing a mix of users, devices, applications, and data that move across hybrid environments.
Darktrace has focused on maintaining visibility and detection across these conditions, allowing security teams to understand activity as it scales.
Supporting organizations globally, not just technically
Security outcomes are shaped as much by deployment and support as they are by detection capability.
Darktrace continues to invest in regional presence across 29 countries around the world, helping organizations operationalize NDR in ways that align with local requirements, internal processes, and team structures.
Continuing to push AI beyond detection
AI in cybersecurity is often positioned as a way to improve detection accuracy. But the more important shift is how AI can influence decision-making and response.
Darktrace continues to develop models that learn from both live environments and historical incident data, combining real-time behavioral analysis with insights derived from prior attack patterns.
Using technologies such as the Incident Graph and DIGEST (Darktrace Incident Graph Evaluation for Security Threats), activity is not analyzed in isolation. Instead, relationships between users, devices, connections, and events are mapped over time, allowing the system to reconstruct how an incident is unfolding and how similar incidents have progressed in the past.
By evaluating these patterns, Darktrace can assess the likelihood that an incident will escalate, prioritizing the activity that poses the greatest risk and surfacing the most relevant context for investigation.
This shifts security operations from simply identifying anomalies to understanding their trajectory, helping teams anticipate potential impact and respond earlier with greater precision.
Why NDR is shifting from reactive detection to proactive, AI-driven security
Traditional approaches to NDR have been built around reactively identifying threats once they become clearly visible. That model is increasingly difficult to rely on.
Attackers are no longer operating in ways that stand out. They use valid credentials, trusted tools, and low-and-slow techniques that blend into everyday activity. By the time something looks obviously malicious, the impact is often already underway.
This is the core limitation of reactive detection. It depends on recognizing something that already looks like a threat.
As a result, many of the most consequential incidents today fall into a gap.
Insider activity, compromised credentials, and novel attacks rarely trigger traditional alerts because they do not follow known patterns. On the surface, they often appear legitimate, making them difficult to distinguish from normal behavior without deeper context.
This is why we believe this Gartner recognition reflects a broader shift in NDR toward autonomous, proactive and pre‑emptive security operations.
By understanding normal behavior within an environment, it is possible to identify subtle deviations rather than waiting for confirmation of threats as they are taking place.
Darktrace’s Self-Learning AI is designed for behavioral understanding. By continuously learning each organization’s normal patterns, it can detect deviations in real time, enabling a proactive and pre-emptive model of NDR where security teams can respond to early signs of risk as they emerge, reducing the window in which attacks can develop.
In multiple cases, this behavioral approach has led to early threat detection where Darktrace identified completely unknown threats, including pre-CVE zero-day activity. By detecting subtle behavioral changes before vulnerabilities were publicly disclosed or widely understood, organizations can mitigate threats before they do damage.
This shift is subtle but important. Modern NDR solutions must shift from a system that explains what happened to one that helps prevent threats from developing in the first place, and Darktrace is proud to be at the forefront of this shift - helping organizations build and maintain a state of proactive network resilience.
Continuing to innovate at the forefront of NDR
In our view, recognition as a Leader reflects where the market is today. Continuing to innovate defines what comes next.
As businesses evolve, new technologies like AI tools and agents introduce new security risks and challenges; security teams need more than simple detection. They need a complete understanding of risk as it develops, the ability to investigate it in context, and to contain threats at machine speed.
Darktrace / NETWORK is built to deliver across that full spectrum. Its Self-Learning AI continuously adapts to each organization’s environment, identifying subtle behavioral changes that signal emerging threats. Integrated investigation and autonomous response reduce the time between detection and action, allowing teams to move with greater speed and confidence.
This combination enables organizations to detect and contain known, unknown, and insider threats as they develop, while also strengthening resilience over time.
As a two-time Leader in the Gartner® Magic Quadrant™ for NDR and the only 2025 Gartner® Peer Insights™ Customers’ Choice, we feel Darktrace continues to evolve its platform to meet the demands of modern environments, delivering a more complete and adaptive approach to network security.
[related-resource]
Disclaimer: The 2026 Gartner® Magic Quadrant™ for Network Detection and Response (NDR) ,The 2026 Gartner® Magic Quadrant™ for Network Detection and Response (NDR), Thomas Lintemuth, Charanpal Bhogal, Nahim Fazal, 18 May 2026.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Magic Quadrant is a registered trademark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved.
.jpg)
