Improve threat detection, investigation, and response against Business Email Compromise (BEC) attacks that bypass traditional defenses
Protect your users from stealthy BEC attacks

10,000 Darktrace customers

BEC trends
Detecting BEC threats is harder than ever
BEC attacks generally abuse email to trick employees into releasing funds or sensitive data.
But unlike generic phishing emails, modern BEC campaigns use social engineering techniques which don’t rely on users’ clicking bogus links or downloading malicious attachments – making them more likely to slip past traditional email defenses.
And generative AI is making this type of advanced social engineering easier to carry out at scale.
Why Darktrace?
BEC detection requires behavioral, context-driven analysis
Because BEC attacks can use pure social engineering and can omit payloads entirely, identifying them requires a business-centric approach – one that doesn’t focus on the attack.
Spots novel threats
Darktrace’s AI builds profiles for every email user, including their relationships, tone and sentiment, content, and link-sharing patterns, so it can identify deviations from their usual patterns that might signal a threat.
Expands on attack-centric security
Builds on your native email security’s attack-focused approach by adding a layer of business-centric behavioral anomaly detection across inbound, outbound, and lateral messages in both email and Teams.
Bespoke analysis
Darktrace asks different questions of every email – not, does this look like an attack, but, is this a normal message for this sender to receive, based on its content and context?
Protection that extends beyond the inbox
In the modern digital era, you’ve got to plan for a potential breach. If an account is compromised via BEC, you need to contain the damage, fast. Darktrace provides defense in depth, multi-layered security for every user.
Stop account takeover
Detect unusual behavior based on login data, inbox rule-setting, and other subtle indicators, and block attempts by attackers to launch malicious emails.
Defending Microsoft Teams
Microsoft Teams is a growing entry vector for phishing and social engineering scams. Darktrace analyzes the content and context of every Teams message to understand if it poses a threat, catching both payloads and payloadless social engineering, including “pretexting”.
Stops both insider threats and external attacks
Even if a suspicious message comes from a trusted user, Darktrace analyzes it against the behavioral profile of that user, protecting organizations from internal and supply chain risk.
Simplified investigations
Darktrace alerts the SOC to suspicious Teams messages in a unified platform with email alerts, granting a full picture of the scope of an attack.
Correlates Teams with email and accounts
Signals from Teams help augment Darktrace’s understanding of a user, improving detection across the organization.


Threat story: BEC
How we stopped a BEC attack
BEC attacks are so damaging because traditional security systems struggle to detect them. BEC does not require much technical sophistication to accomplish; rather, it exploits humans’ natural trust in known correspondents.
Initial infection
Threat actors sent a phishing email from an unknown sender which bypassed native email security and successfully reached the user.
Because Darktrace was configured in passive mode, it was not able to carry out any actions on this anomalous email to prevent it from landing in the user’s inbox.
User compromised
The threat actor gained access to the targeted user’s identity and made unusual logins to the customer’s SaaS environment from several VPN IP addresses and different versions of the same software, indicating different actors behind the simultaneous account activity.
At this stage, Darktrace flagged the anomalous activity and opened an investigation in the global SOC.
Internal reconnaissance
The attacker then accessed several different files over SharePoint.
Darktrace identified that the files observed during this anomalous activity referenced financial information and personnel schedules, suggesting that the attacker was performing internal reconnaissance.
SOC intervention
Although the actions taken by the attacker were mostly passive, Darktrace chained together the multiple anomalies, triaged the SaaS account activity in the Darktrace SOC, and alerted the customer.
Had Darktrace been enabled in Autonomous Response mode, it would have held the initial email and immediately taken action to disable the account after ongoing anomalies were detected from it.
Darktrace / NETWORK
How Darktrace protected Meridian Cooperative from ransomware
Darktrace / EMAIL caught many threats Meridian’s previous email tools missed.
“Over three months, our reporting showed Darktrace controlled 474 indicators of suspicious activity that posed a potential threat to our business.”
—Greg Gray, Chief Information Officer
Over 267 reviews on Gartner Peer Insights
Recommended resources
Real-world stories and strategies to combat BEC

White paper
Guide to Preventing BEC
Take a comprehensive look at evolving BEC tactics, with strategies for how to defend against this growing threat.

Customer story
Aviso
Read how a leading wealth services supplier achieved comprehensive visibility across email, network, and endpoints with Darktrace.
See Darktrace in action
Protect your business from ransomware. See what Darktrace AI finds in your environment.


ActiveAI Security Platform
Cyber resilience across the entire business
Business Email Compromise
Frequently asked questions
What is a Business Email Compromise (BEC) attack and how does it work?
A BEC attack is a type of cybercrime where attackers impersonate a trusted figure, like a company executive or vendor, via email to trick employees into transferring funds or sensitive data. It relies on social engineering rather than malware, making it difficult to detect with traditional security tools.
What are the most common types or examples of BEC attacks?
There are several types, including CEO fraud, vendor email compromise, payroll diversion, and invoice scams. In each case, the attacker poses as someone familiar and uses deceptive tactics to manipulate the recipient into acting, often applying pressure or urgency.
Can BEC attacks bypass traditional spam filters and antivirus software?
Yes. Because BEC emails often don’t contain malware or suspicious links, they can easily slip past standard filters. That’s why email security solutions that analyze user behavior, content, and context are essential to catch these sophisticated social engineering threats.
How does AI impact BEC attacks?
• On the attacker side, cyber-criminals are now using AI to craft more convincing emails, mimic writing styles, and automate the targeting of victims, which lowers the barrier to entry and makes BEC attacks harder to detect.
• On the defense side, AI-driven security solutions like Darktrace / EMAIL use multi-layered AI to identify anomalies in communication patterns, flag suspicious behavior, and stop BEC attacks in real time.
How can I recognize the signs of a BEC attack in my organization?
Common signs of a BEC attempt include unusual requests for credentials, wire transfers or gift cards, emails with slight domain spoofing (e.g. @yourc0mpany.com), sudden changes in payment details, and urgent language encouraging secrecy or haste.
How does Darktrace detect BEC attacks?
Darktrace uses AI to analyze the behavior of users, devices, and emails in real time. Instead of relying on static rules or known threat signatures, it builds a “pattern of life” for each user and detects the subtle deviations – such as unusual email tone, timing, or relationships – that may indicate a BEC attack, even if no malicious links or attachments are present.
How does Darktrace detect pure social engineering without payloads?
Because Darktrace builds a continuous picture of every user and sender’s normal behavior, it excels at identifying anomalies. It detects social engineering tactics by evaluating language patterns, conversation history, behavioral context, and unusual sender-recipient dynamics. This allows it to flag suspicious emails, even if the email contains no traditional indicators of compromise.
How does Darktrace’s email security protect automatically against BEC attacks?
Darktrace / EMAIL uses AI to not only detect but also autonomously respond to BEC threats in real time. When an attack is identified, it can take protective actions such as holding or modifying emails, rewriting URLs, stripping attachments, or alerting security teams – stopping the threat before it reaches the inbox or causes harm.
What actions does Darktrace take if an account is compromised through BEC?
Darktrace is designed to detect the subtle symptoms of an account compromise, such as unusual outbound activity, attempted lateral movement, or access to sensitive files. If detected, it can take autonomous actions to contain the threat, such as limiting email actions, locking accounts, or isolating affected devices from the network.
How quickly can Darktrace respond to a BEC incident?
Darktrace responds in real time. Our AI identifies threats as they emerge and can autonomously take action within seconds, long before a human analyst would typically be alerted. This speed is critical in stopping BEC attacks before financial or reputational damage occurs.
Can Darktrace protect against BEC attacks starting in Microsoft Teams?
Yes. Darktrace’s coverage extends beyond email to include collaboration tools like Microsoft Teams. Our AI analyzes chat content, behavioral anomalies, and unusual communication patterns within Teams to identify and mitigate potential social engineering attempts or lateral movement that originate through internal messaging channels.


