Protect your users from stealthy BEC attacks
Improve threat detection, investigation, and response against Business Email Compromise (BEC) attacks that bypass traditional defenses

Detecting BEC threats is harder than ever
BEC attacks generally abuse email to trick employees into releasing funds or sensitive data.
But unlike generic phishing emails, modern BEC campaigns use social engineering techniques which don’t rely on users’ clicking bogus links or downloading malicious attachments – making them more likely to slip past traditional email defenses.
And generative AI is making this type of advanced social engineering easier to carry out at scale.
of cybersecurity breaches involve “pretexting” – creating a fabricated scenario to manipulate someone into divulging sensitive information
of emails observed by Darktrace used novel social engineering techniques
BEC detection requires behavioral, context-driven analysis
Protection that extends beyond the inbox
Defending Microsoft Teams
Microsoft Teams is a growing entry vector for phishing and social engineering scams. Darktrace analyzes the content and context of every Teams message to understand if it poses a threat, catching both payloads and payloadless social engineering, including “pretexting”.
Even if a suspicious message comes from a trusted user, Darktrace analyzes it against the behavioral profile of that user, protecting organizations from internal and supply chain risk
Darktrace alerts suspicious Teams messages to the SOC in a unified platform with email alerts, granting a full picture of the scope of an attack
Signals from Teams help augment Darktrace’s understanding of a user, improving detection across the organization

How we stopped a BEC attack
Initial infection
Threat actors sent a phishing email from an unknown sender which bypassed native email security and successfully reached the user.
Because Darktrace was configured in passive mode, it was not able to carry out any actions on this anomalous email to prevent it from landing in the user’s inbox.
User compromised
The threat actor gained access to the targeted user’s identity and made unusual logins to the customer’s SaaS environment from several VPN IP addresses and different versions of the same software, indicating different actors behind the simultaneous account activity.
At this stage, Darktrace flagged the anomalous activity and opened an investigation in the global SOC.
Internal reconnaissance
The attacker then accessed several different files over SharePoint.
Darktrace identified that the files observed during this anomalous activity referenced financial information and personnel schedules, suggesting that the attacker was performing internal reconnaissance.
SOC intervention
Although the actions taken by the attacker were mostly passive, Darktrace chained together the multiple anomalies, triaged the SaaS account activity in the Darktrace SOC, and alerted the customer.
Had Darktrace been enabled in Autonomous Response mode, it would have held the initial email and immediately taken action to disable the account after ongoing anomalies were detected from it.
Why Meridian Cooperative chose Darktrace for BEC protection
Darktrace / EMAIL caught many threats Meridian’s previous email tools missed.
“Over three months, our reporting showed Darktrace controlled 474 indicators of suspicious activity that posed a potential threat to our business.”
—Greg Gray, Chief Information Officer
of security incidents automatically triaged or contained

analyst hours saved in just 13 working days
average time taken to respond autonomously to threats

Over 267 reviews on Gartner Peer Insights
Real-world stories and strategies to combat BEC

Guide to Preventing BEC
Take a comprehensive look at evolving BEC tactics, with strategies for how to defend against this growing threat.

Aviso
Read how a leading wealth services supplier achieved comprehensive visibility across email, network, and endpoints with Darktrace.

BEC in the Era of AI
Discover why only multilayered, defense-in-depth strategies can counter the AI-powered BEC threat.
See Darktrace in action
Protect your organization from BEC attacks. See what Darktrace’s AI can find in your environment.

Cyber resilience across the entire business
/ NETWORK
/ CLOUD
/ OT
/ IDENTITY
/ ENDPOINT
Frequently asked questions
A BEC attack is a type of cybercrime where attackers impersonate a trusted figure, like a company executive or vendor, via email to trick employees into transferring funds or sensitive data. It relies on social engineering rather than malware, making it difficult to detect with traditional security tools.
There are several types, including CEO fraud, vendor email compromise, payroll diversion, and invoice scams. In each case, the attacker poses as someone familiar and uses deceptive tactics to manipulate the recipient into acting, often applying pressure or urgency.
Yes. Because BEC emails often don’t contain malware or suspicious links, they can easily slip past standard filters. That’s why email security solutions that analyze user behavior, content, and context are essential to catch these sophisticated social engineering threats.
• On the attacker side, cyber-criminals are now using AI to craft more convincing emails, mimic writing styles, and automate the targeting of victims, which lowers the barrier to entry and makes BEC attacks harder to detect.
• On the defense side, AI-driven security solutions like Darktrace / EMAIL use multi-layered AI to identify anomalies in communication patterns, flag suspicious behavior, and stop BEC attacks in real time.
Common signs of a BEC attempt include unusual requests for credentials, wire transfers or gift cards, emails with slight domain spoofing (e.g. @yourc0mpany.com), sudden changes in payment details, and urgent language encouraging secrecy or haste.
Darktrace uses AI to analyze the behavior of users, devices, and emails in real time. Instead of relying on static rules or known threat signatures, it builds a “pattern of life” for each user and detects the subtle deviations – such as unusual email tone, timing, or relationships – that may indicate a BEC attack, even if no malicious links or attachments are present.
Because Darktrace builds a continuous picture of every user and sender’s normal behavior, it excels at identifying anomalies. It detects social engineering tactics by evaluating language patterns, conversation history, behavioral context, and unusual sender-recipient dynamics. This allows it to flag suspicious emails, even if the email contains no traditional indicators of compromise.
Darktrace / EMAIL uses AI to not only detect but also autonomously respond to BEC threats in real time. When an attack is identified, it can take protective actions such as holding or modifying emails, rewriting URLs, stripping attachments, or alerting security teams – stopping the threat before it reaches the inbox or causes harm.
Darktrace is designed to detect the subtle symptoms of an account compromise, such as unusual outbound activity, attempting lateral movement, or accessing sensitive files. If detected, it can take autonomous actions to contain the threat such as limiting email actions, locking accounts, or isolating affected devices from the network.
Darktrace responds in real time. Our AI identifies threats as they emerge and can autonomously take action within seconds, long before a human analyst would typically be alerted. This speed is critical in stopping BEC attacks before financial or reputational damage occurs.
Yes. Darktrace’s coverage extends beyond email to include collaboration tools like Microsoft Teams. Our AI analyzes chat content, behavioral anomalies, and unusual communication patterns within Teams to identify and mitigate potential social engineering attempts or lateral movement that originate through internal messaging channels.