Protect your users from stealthy BEC attacks

Improve threat detection, investigation, and response against Business Email Compromise (BEC) attacks that bypass traditional defenses

Get a demo
10,000
Clientes de Darktrace
BEC trends

Detecting BEC threats is harder than ever

BEC attacks generally abuse email to trick employees into releasing funds or sensitive data.

But unlike generic phishing emails, modern BEC campaigns use social engineering techniques which don’t rely on users’ clicking bogus links or downloading malicious attachments – making them more likely to slip past traditional email defenses.

And generative AI is making this type of advanced social engineering easier to carry out at scale.

73%

of cybersecurity breaches involve “pretexting” – creating a fabricated scenario to manipulate someone into divulging sensitive information

Verizon 2024 Data Breach Investigation Report
38%

of emails observed by Darktrace used novel social engineering techniques

2024 Annual Threat Report
Why Darktrace?

BEC detection requires behavioral, context-driven analysis

Because BEC attacks can use pure social engineering and can omit payloads entirely, identifying them requires a business-centric approach – one that doesn’t focus on the attack.

Spots novel threats

Darktrace’s AI builds profiles for every email user, including their relationships, tone and sentiment, content, and link-sharing patterns, so it can identify deviations from their usual patterns that might signal a threat

Expands on attack-centric security

Builds on your native email security’s attack-focused approach by adding a layer of business-centric behavioral anomaly detection across inbound, outbound, and lateral messages in both email and Teams

Bespoke analysis

Darktrace asks different questions of every email – not, does this look like an attack, but, is this a normal message for this sender to receive, based on its content and context?

Learn more about our AI

Protection that extends beyond the inbox

In the modern digital era, you’ve got to plan for a potential breach. If an account is compromised via BEC, you need to contain the damage, fast. Darktrace provides defense in depth, multi-layered security for every user.  

Stop account takeover

Detect unusual behavior based on login data, inbox rule-setting, and other subtle indicators, and block attempts by attackers to launch malicious emails.

Protect all messaging channels

Stop phishing and social engineering across all collaboration channels, from Microsoft Teams to Slack, giving your workforce 360° protection and preventing data loss and fraud.

Extend security beyond email

A comprehensive BEC defense combines email, account, network, and data security. Darktrace combines visibility and protection of these domains in a single AI platform.

See the Darktrace platform

Defending Microsoft Teams

Microsoft Teams is a growing entry vector for phishing and social engineering scams. Darktrace analyzes the content and context of every Teams message to understand if it poses a threat, catching both payloads and payloadless social engineering, including “pretexting”.

Stops both insider threat and external attacks

Even if a suspicious message comes from a trusted user, Darktrace analyzes it against the behavioral profile of that user, protecting organizations from internal and supply chain risk

Simplified investigations

Darktace alerts suspicious Teams messages to the SOC in a unified platform with email alerts, granting a full picture of the scope of an attack

Correlates Teams with email and accounts

Signals from Teams help augment Darktrace’s understanding of a user, improving detection across the organization

Threat story: BEC

How we stopped a BEC attack

This is the default text value

BEC attacks are so damaging due to the difficulty of detection for traditional security systems. BEC does not require much technical sophistication to accomplish; rather, it exploits humans’ natural trust in known correspondents.
CTA1

Initial infection

Threat actors sent a phishing email from an unknown sender which bypassed native email security and successfully reached the user.

Because Darktrace was configured in passive mode, it was not able to carry out any actions on this anomalous email to prevent it from landing in the user’s inbox.

User compromised

The threat actor gained access to the targeted user’s identity and made unusual logins to the customer’s SaaS environment from several VPN IP addresses and different versions of the same software, indicating different actors behind the simultaneous account activity.

At this stage, Darktrace flagged the anomalous activity and opened an investigation in the global SOC.

Internal reconnaissancere

The attacker then accessed several different files over SharePoint.

Darktrace identified that the files observed during this anomalous activity referenced financial information and personnel schedules, suggesting that the attacker was performing internal reconnaissance.

SOC intervention

Although the actions taken by the attacker were mostly passive, Darktrace chained together the multiple anomalies, triaged the SaaS account activity in the Darktrace SOC, and alerted the customer.

Had Darktrace been enabled in Autonomous Response mode, it would have held the initial email and immediately taken action to disable the account after ongoing anomalies were detected from it.

Customer stories

Why Meridian Cooperative chose Darktrace for BEC protection

Darktrace / EMAIL caught many threats Meridian’s previous email tools missed.


“Over three months, our reporting showed Darktrace controlled 474 indicators of suspicious activity that posed a potential threat to our business.”


—Greg Gray, Chief Information Officer

Read the full story
95%
of security incidents automatically triaged or contained
500
analyst hours saved in just 13 working days
3.92s
average time taken to respond autonomously to threats

Over 267 reviews on Gartner Peer Insights

4.8
on Gartner Peer Insights
See what our real customers say!
"The email filtering is so efficient and accurate that no other tool can compete in the market."
System Security Engineer
IT Services
Read more
"Easy to use and does an excellent job at stopping threats from landing in people's mailboxes."
IT Security and Infrastructure Engineer
Construction
Read more
"Truly groundbreaking on detection and response to protect our users from malicious attacks."
 IT Administrator,
Construction
Read more
"Continuously adapt and understand communication patterns from within our own environment and individual users to detect even the most advance phishing or impersonation attempts."
Security Intel and Threat Hunting Manager
Energy and Utilities
Read more
"I can trust the product to block 99.999% of threats, and if something does slip through it is easy to remediate. "
IT Systems Engineer
Transportation
Read more
Recommended resources

Real-world stories and strategies to combat BEC

White paper

Guide to Preventing BEC

Take a comprehensive look at evolving BEC tactics, with strategies for how to defend against this growing threat.

Take a look now
Customer story

Aviso

Read how a leading wealth services supplier achieved comprehensive visibility across email, network, and endpoints with Darktrace.

Read how
Blog

BEC in the Era of AI

Discover why only multilayered, defense-in-depth strategies can counter the AI-powered BEC threat.

Discover now

See Darktrace in action

Protect your organization from BEC attacks. See what Darktrace’s AI can find in your environment

Get a demo
Contact us
ActiveAI Security Platform

Cyber resilience across the entire business

/ NETWORK

Vaya más allá de la NDR para lograr una seguridad proactiva

/ EMAIL

Seguridad de correo electrónico basada en IA nativa de la nube

/ NUBE

Proteja su nube en tiempo real

/ OT

Proteja sus entornos convergentes de TI y TO

/ IDENTIDAD

Supere las amenazas de identidad

/ ENDPOINT

Todos los dispositivos, en todas partes y en todo momento
FAQs

Frequently asked questions

What is a Business Email Compromise (BEC) attack and how does it work?

A BEC attack is a type of cybercrime where attackers impersonate a trusted figure, like a company executive or vendor, via email to trick employees into transferring funds or sensitive data. It relies on social engineering rather than malware, making it difficult to detect with traditional security tools.

What are the most common types or examples of BEC attacks?

There are several types, including CEO fraud, vendor email compromise, payroll diversion, and invoice scams. In each case, the attacker poses as someone familiar and uses deceptive tactics to manipulate the recipient into acting, often applying pressure or urgency.  

Can BEC attacks bypass traditional spam filters and antivirus software?

Yes. Because BEC emails often don’t contain malware or suspicious links, they can easily slip past standard filters. That’s why email security solutions that analyze user behavior, content, and context are essential to catch these sophisticated social engineering threats.

How does AI impact BEC attacks?

• On the attacker side, cyber-criminals are now using AI to craft more convincing emails, mimic writing styles, and automate the targeting of victims, which lowers the barrier to entry and makes BEC attacks harder to detect.  

• On the defense side, AI-driven security solutions like Darktrace / EMAIL use multi-layered AI to identify anomalies in communication patterns, flag suspicious behavior, and stop BEC attacks in real time.

How can I recognize the signs of a BEC attack in my organization?

Common signs of a BEC attempt include unusual requests for credentials, wire transfers or gift cards, emails with slight domain spoofing (e.g. @yourc0mpany.com), sudden changes in payment details, and urgent language encouraging secrecy or haste.

How does Darktrace detect BEC attacks?

Darktrace uses AI to analyze the behavior of users, devices, and emails in real time. Instead of relying on static rules or known threat signatures, it builds a “pattern of life” for each user and detects the subtle deviations – such as unusual email tone, timing, or relationships – that may indicate a BEC attack, even if no malicious links or attachments are present.

How does Darktrace detect pure social engineering without payloads?

Because Darktrace builds a continuous picture of every user and sender’s normal behavior, it excels at identifying anomalies. It detects social engineering tactics by evaluating language patterns, conversation history, behavioral context, and unusual sender-recipient dynamics. This allows it to flag suspicious emails ,even if the email contains no traditional indicators of compromise.

How does Darktrace’s email security protect automatically against BEC attacks?

Darktrace / EMAIL uses AI to not only detect but also autonomously respond to BEC threats in real time. When an attack is identified, it can take protective actions such as holding or modifying emails, rewriting URLs, stripping attachments, or alerting security teams – stopping the threat before it reaches the inbox or causes harm.

What actions does Darktrace take if an account is compromised through BEC?

Darktrace is designed to detect the subtle symptoms of an account compromise, such as unusual outbound activity, attempting lateral movement, or accessing sensitive files. If detected, it can take autonomous actions to contain the threat such as limiting email actions, locking accounts, or isolating affected devices from the network.

How quickly can Darktrace respond to a BEC incident?

Darktrace responds in real time. Our AI identifies threats as they emerge and can autonomously take action within seconds, long before a human analyst would typically be alerted. This speed is critical in stopping BEC attacks before financial or reputational damage occurs.

Can Darktrace protect against BEC attacks starting in Microsoft Teams?

Yes. Darktrace’s coverage extends beyond email to include collaboration tools like Microsoft Teams. Our AI analyzes chat content, behavioral anomalies, and unusual communication patterns within Teams to identify and mitigate potential social engineering attempts or lateral movement that originate through internal messaging channels.