Finding the Needle in the Haystack: How AI Detects Business Email Compromise

Crucial exchanges with clients, company-wide event invites, strategizing your department’s end of quarter targets, even sharing an uplifting joke with your colleagues. All of these vital communications are conducted via one medium: email.

But, among the important coordination, team bonding, and exchange of innovative ideas, the typical user cannot always spot the disguised traps set by increasingly motivated threat-actors.

Sophisticated phishing and business email compromise campaigns are on the rise — according to Interpol’s 2020 ASEAN report, these types of attacks are among the top threats to Southeast Asia’s digital environments. The report also identified that ransomware, the notoriously damaging and expensive family of malware, is delivered via email 94 percent of the time.

Given that organizations in the APAC region suffer ransomware at a rate 1.7 times higher than the global average, email security is becoming these organizations’ top priority.

Further, cyber-criminals are often not lone attackers — they are usually part of well-resourced crime units who know that employees are organizations’ weakest links. Exploiting the trust of just a single user can lead to a successful attack. The way in? Researching the target and sending a well-disguised email claiming to be from a colleague or other trusted source.

Fundamental to all email communication is the premise of trust itself. Employees believe that each email will go to the intended recipient and that each sender is who they claim to be. In the recent “Cozy Bear” attack, threat group APT29 targeted critical data on COVID-19 research and vaccines by launching phishing emails at users working in laboratories in the US, UK, and Canada. Though it is unclear how successful any possible data theft may have been, the attacker’s carefully crafted and targeted spear-phishing campaigns did land in countless users’ inboxes.

The dangerous reality of business email compromise is that everyone has a million different deadlines and targets they have to hit. The last thing on their mind is carefully checking the legitimacy of each email — particularly when over 100 emails a day is hardly unusual.

But being able to identify the legitimacy of emails is necessary, even if employees are unable to tell the real from the fake — as an academic institution in the APAC region found out to their detriment. Despite being armed with spam protection, URL protection, and the full Mimecast package across their email environment, they experienced an internal Microsoft 365 account compromise, which sent a fraudulent invoice to the organization’s accounts department.

The invoice, which contained subtly-edited bank details, claimed to be from Siemens, one of the world’s leading automation technology companies. Given this company’s position as an established supplier, the attack succeeded — and the academic institution unwittingly paid over $60,000 into an attacker’s bank account.

An attack such as this serves to highlight the scale and severity of email threats — and also the limitations of existing defenses. A typical approach to email security would be to use Secure Email Gateway tools. These work by using lists of ‘known-bad’ IPs, domains, and file hashes to determine the legitimacy of each communication. While able to catch low-hanging fruit, they increasingly let today’s sophisticated attacks through — especially when the sender is a company employee, and the attached invoice from a well-known brand seems to contain no malicious links or unusual file hashes.

This Asian academic organization was hit not with one Siemens spoofing attack but two. A week later, the attacker had upped the stakes, asking for $78,000 instead of the initial $60,000. But by this time, the organization was fully prepared to match any threat, having deployed Darktrace’s Cyber AI security for email to take autonomous action and neutralize malicious activity.

Darktrace first detected something was amiss when a corporate SaaS account login occurred from an IP address located in the UAE — highly unusual activity for this particular Asian organization. The threat-actor then created an inbox processing rule, so any incoming emails from SIEMENS would be deleted and redirected to a separate email address, ensuring no competition for the company’s partnership budget.

The attacker then found an authentic email chain regarding an invoice from the domain They copied the exact format of the invoice and created a convincing spoofed domain, before setting up some fake correspondence between the newly created account and Patient Zero. Once complete, the cyber-criminal looped in the Accounts team with a new request. The exchange appeared legitimate: from a well-known supplier, and with the apparent ratification of a trusted colleague.

While the Accounts team may not have seen the threat, Darktrace’s Cyber AI did. It recognized the email as a fake reply to an alleged Siemens employee and immediately took autonomous action to hold back the emails from delivery — meaning that Accounts’ ability to tell legitimate communication from a scam didn’t have to be tested for the second time that week.
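The three signals in this account (a sign-in from a country the user has never logged in from, a new inbox rule that deletes or diverts supplier mail, and a sender domain that merely resembles the supplier’s) can be approximated with simple rules over audit events. The Python below is an added example, not Darktrace’s code; the event field names, the uni.example and siemens.example domains, and the shape of the constructed audit log are assumptions.

```python
# Added example: rule-based approximations of the three signals in the story,
# run over constructed Microsoft 365-style audit events. Field names are
# assumptions, not a real schema.
from collections import Counter

# Constructed sample events (three normal sign-ins, then the attack chain).
EVENTS = [
    {"op": "UserLoggedIn", "user": "alice@uni.example", "country": "SG"},
    {"op": "UserLoggedIn", "user": "alice@uni.example", "country": "SG"},
    {"op": "UserLoggedIn", "user": "alice@uni.example", "country": "SG"},
    {"op": "UserLoggedIn", "user": "alice@uni.example", "country": "AE"},
    {"op": "New-InboxRule", "user": "alice@uni.example",
     "from_contains": "siemens", "actions": ["DeleteMessage", "ForwardTo"]},
    {"op": "MailReceived", "user": "accounts@uni.example",
     "sender_domain": "siemens-invoices.example", "subject": "RE: Invoice 4471"},
]
KNOWN_SUPPLIERS = {"siemens.example"}  # assumed legitimate supplier domain


def login_anomalies(events, min_history=3):
    """Flag a sign-in from a country absent from the user's prior login history."""
    seen, findings = {}, []
    for e in events:
        if e["op"] != "UserLoggedIn":
            continue
        hist = seen.setdefault(e["user"], Counter())
        # Only judge once a baseline of min_history sign-ins exists.
        if sum(hist.values()) >= min_history and e["country"] not in hist:
            findings.append((e["user"], e["country"]))
        hist[e["country"]] += 1
    return findings


def suspicious_inbox_rules(events, suppliers):
    """Flag new inbox rules that hide or divert mail mentioning a known supplier."""
    risky = {"DeleteMessage", "ForwardTo", "RedirectTo", "MoveToFolder"}
    out = []
    for e in events:
        if e["op"] == "New-InboxRule":
            key = e.get("from_contains", "").lower()
            if key and risky & set(e["actions"]) and any(key in s for s in suppliers):
                out.append((e["user"], key))
    return out


def lookalike_senders(events, suppliers):
    """Flag sender domains that embed a supplier's name but are not its real domain."""
    names = {s.split(".")[0] for s in suppliers}
    return [(e["user"], e["sender_domain"]) for e in events
            if e["op"] == "MailReceived" and e["sender_domain"] not in suppliers
            and any(n in e["sender_domain"] for n in names)]
```

Each finding on its own is weak evidence; the point of the story is that the combination on one account within a short window is what makes the fraudulent invoice stand out.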

Darktrace’s Cyber AI for email works by taking a fundamentally new approach to cyber defense. Based on the human immune system, the world’s oldest defense mechanism, Antigena Email uses Darktrace’s core AI to learn what ‘self’ looks like for every internal and external user, analyzing inbound, outbound, and lateral communications.

By treating recipients as dynamic individuals and peers, the AI uniquely spots subtle deviations from the norm that reveal seemingly benign emails to be unmistakably malicious. It asks whether it would be unusual for a recipient to interact with a given email, in the context of their regular ‘pattern of life’ and that of their peers and the wider organization. This contextual understanding enables the AI to make highly accurate decisions and neutralize the full range of email attacks.

As email continues to be a common cybercriminal modus operandi, organizations need AI to stop attacks before they escalate into a crisis — neutralizing all email-borne threats whenever and wherever they arise.

To find out more, visit