Summary:
A recent phishing attack exploited an internal email account, but Darktrace’s AI quickly identified unusual activities, including the use of VPNs by the attacker. The incident underscores the vulnerabilities associated with SaaS platforms and the importance of proactive monitoring to detect and mitigate threats.
#PhishingAttack #SaaSSecurity #DarktraceAI
A recent phishing attack exploited an internal email account, but Darktrace’s AI quickly identified unusual activities, including the use of VPNs by the attacker. The incident underscores the vulnerabilities associated with SaaS platforms and the importance of proactive monitoring to detect and mitigate threats.
#PhishingAttack #SaaSSecurity #DarktraceAI
Keypoints:
Darktrace’s AI detected a phishing attack that compromised an internal email account.
The attacker used VPNs to mask their location and launched a phishing campaign.
Unusual login attempts were detected from an unfamiliar IP address.
The attacker created a new email rule to hide malicious communications.
Darktrace identified the use of a malicious DocSend link in phishing emails.
Proactive monitoring by Darktrace was crucial in recognizing the attack.
The incident highlights vulnerabilities in SaaS platforms and the need for enhanced security measures.
MITRE Techniques:
Initial Access (T1566): Utilizes phishing emails to compromise accounts.
Persistence (T1137.005): Creates email rules to maintain access and hide malicious activity.
Defense Evasion (T1078.004): Uses compromised accounts to evade detection.
Lateral Movement (T1534): Leverages email rules for further exploitation.
Resource Development (T1586): Develops email accounts for spearphishing campaigns.
Resource Development (T1586.002): Engages in internal spearphishing to propagate attacks.
IoC:
[IP] 5.62.57[.]7 – Unusual Login Source
[IP] 95.142.124[.]42 – Unusual Source for Email Rule
[Domain] hxxps://docsend[.]com/view/h9t85su8njxtugmq – Phishing Link
Full Research: https://darktrace.com/blog/behind-the-veil-darktraces-detection-of-vpn-exploitation-in-saas-environments