Blog
/

Inside the SOC

/
November 3, 2022

Uncover New Malicious Email Payloads in Google Translate

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
03
Nov 2022
Discover how threat actors are concealing malicious email payloads within Google Translate domains. Learn how Darktrace responds to these attacks effectively.

Darktrace recently detected a new technique used by threat actors to deliver malicious email payloads. The malicious link was observed hidden within a legitimate domain, namely Google Translate services. To understand its abusive capabilities, it is important to first understand a benign case of how these links are created.  

Google often provides a ‘Translate this page’ option for sites written in a different language to the default browser language.

Figure 1: A google search result for an international company E.g ‘Crédit Agricole’ gives the option to translate the page from French to English.
Figure 2: When clicked, the browser displays a link with a translate[.]goog domain, and the original domain, credit-agricole[.]fr, becomes the link’s subdomain.

When this feature is exploited by threat actors it can be particularly dangerous, as legacy security products that rely on ‘known’ or ‘safe’ domain-based detection are likely to register these emails as safe and provide no protective actions. If a recipient were to click on the malicious link, they could risk losing their credentials or even compromising their machine. 

 In contrast, Darktrace/Email has been able to consistently identify and action emails from such campaigns. This blog will discuss one of these events.

The Campaign 

The apparent motive in this attack was to harvest credentials and/or deploy malware on the recipient’s device. Credential harvesting can lead to the sale of credentials on the dark web, or the attacker may choose to leverage those credentials in subsequent attacks. Both harvesting credentials and deploying malware have severe potential ramifications, including but not limited to sensitive company data leaks and financial loss. 

During this attack, the threat actor sent similar emails to a group of recipients in a short space of time. The recipients were not normally associated with each other and Darktrace swiftly identified them as unsolicited bulk mail. The new technique that was leveraged included using Google’s translate services to share malicious links using legitimate seeming domains. The malicious host was visible within the subdomain ‘636416-selcdn-ru[.]translate[.]goog’.  

When clicked, the link displays a google translate page stating, “Can’t translate this page”. There is then a hyperlink, “Go to original page”, that brings the user to the malicious host- 636416[.]selcdn[.]ru. Finally, the host displays a fake webmail portal login. If a user engages, the attacker can harvest their credentials to either sell or use in subsequent attacks.

Figure 3- The Google Translate page that is displayed once clicking on the full link within the email. The hyperlink at the bottom of the image is where the user is redirected by clicking “Go to original page”. It is there that the fake webmail portal login is then displayed. 

Darktrace Coverage 

As the malicious emails contained links to ‘safe’ Google Translate domains, most email security products would not characterize the links as suspicious. However, Darktrace/Email levies hundreds of metrics to identify whether emails belong in a recipient’s inbox. In this case Darktrace highlighted anomalies including rare subdomains, links containing unknown redirects, emails from spoofed freemail accounts and senders that had sent a relatively large number of emails within a short time frame. Furthermore, the attacker had never sent any previous emails to the organization prior to this email campaign. 

On top of providing visibility, the RESPOND function of Darktrace/Email took action autonomously and instantaneously without any human confirmation required. These actions included locking links and holding malicious emails. 

Figure 4- Darktrace/Email overview tab shows the Anomaly Indicators section as well as the History, Association, and Validation information of this sender.

Figure 5 - The Darktrace RESPOND/Email model tab displays all models that triggered on the email and the associated actions. The most severe delivery action supersedes the others, so here the email was held. 

Concluding Thoughts 

Threat actors are continuously updating the way they deliver malicious payloads within emails. While this particular email campaign utilized Google Translate domains to hide malicious links, subsequent attacks may well be seen leveraging other legitimate domains. Companies are only as strong as their weakest link; a single compromised internal email account can be used to send phishing emails to internal recipients, collect sensitive company information, inject malware onto the device, and more. Security tools must evolve to focus on anomalies within the email, rather than relying on rules or signatures of previously seen attacks. Furthermore, email tools must be able to autonomously respond as soon as the malicious emails enter the company’s environment. Only with these precautions will the risks associated with malicious emails be mitigated. 

Thanks to Steven Haworth and Steven Sosa for their contributions.

Appendices 

Relevant Darktrace Model Detections

·      Association / Anomalous Association

·      Association / New Sender

·      Association / Unknown Sender

·      Association / Unlikely Recipient Association

·      High Antigena Anomaly [part of the RESPOND functionality]

·      Link / Low Link Association

·      Link / Low Link Association and Unknown Sender

·      Link / New Correspondent Classified Link

·      Link / New Unknown Redirect

·      Link / Open Redirect

·      Link / Visually Prominent Link

·      Spam / Unsolicited Bulk Mail

·      Spoof / Spoofed Freemail

·      Unusual / New Sender Wide Distribution

·      Unusual / Sender Surge

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Author
Rachel Resnekov
Cyber Analyst
Book a 1-1 meeting with one of our experts
Share this article

More in this series

No items found.

Blog

/

January 29, 2025

/

Inside the SOC

Bytesize Security: Insider Threats in Google Workspace

Default blog imageDefault blog image

What is an insider threat?

An insider threat is a cyber risk originating from within an organization. These threats can involve actions such as an employee inadvertently clicking on a malicious link (e.g., a phishing email) or an employee with malicious intent conducting data exfiltration for corporate sabotage.

Insiders often exploit their knowledge and access to legitimate corporate tools, presenting a continuous risk to organizations. Defenders must protect their digital estate against threats from both within and outside the organization.

For example, in the summer of 2024, Darktrace / IDENTITY successfully detected a user in a customer environment attempting to steal sensitive data from a trusted Google Workspace service. Despite the use of a legitimate and compliant corporate tool, Darktrace identified anomalies in the user’s behavior that indicated malicious intent.

Attack overview: Insider threat

In June 2024, Darktrace detected unusual activity involving the Software-as-a-Service (SaaS) account of a former employee from a customer organization. This individual, who had recently left the company, was observed downloading a significant amount of data in the form of a “.INDD” file (an Adobe InDesign document typically used to create page layouts [1]) from Google Drive.

While the use of Google Drive and other Google Workspace platforms was not unexpected for this employee, Darktrace identified that the user had logged in from an unfamiliar and suspicious IPv6 address before initiating the download. This anomaly triggered a model alert in Darktrace / IDENTITY, flagging the activity as potentially malicious.

A Model Alert in Darktrace / IDENTITY showing the unusual “.INDD” file being downloaded from Google Workspace.
Figure 1: A Model Alert in Darktrace / IDENTITY showing the unusual “.INDD” file being downloaded from Google Workspace.

Following this detection, the customer reached out to Darktrace’s Security Operations Center (SOC) team via the Security Operations Support service for assistance in triaging and investigating the incident further. Darktrace’s SOC team conducted an in-depth investigation, enabling the customer to identify the exact moment of the file download, as well as the contents of the stolen documents. The customer later confirmed that the downloaded files contained sensitive corporate data, including customer details and payment information, likely intended for reuse or sharing with a new employer.

In this particular instance, Darktrace’s Autonomous Response capability was not active, allowing the malicious insider to successfully exfiltrate the files. If Autonomous Response had been enabled, Darktrace would have immediately acted upon detecting the login from an unusual (in this case 100% rare) location by logging out and disabling the SaaS user. This would have provided the customer with the necessary time to review the activity and verify whether the user was authorized to access their SaaS environments.

Conclusion

Insider threats pose a significant challenge for traditional security tools as they involve internal users who are expected to access SaaS platforms. These insiders have preexisting knowledge of the environment, sensitive data, and how to make their activities appear normal, as seen in this case with the use of Google Workspace. This familiarity allows them to avoid having to use more easily detectable intrusion methods like phishing campaigns.

Darktrace’s anomaly detection capabilities, which focus on identifying unusual activity rather than relying on specific rules and signatures, enable it to effectively detect deviations from a user’s expected behavior. For instance, an unusual login from a new location, as in this example, can be flagged even if the subsequent malicious activity appears innocuous due to the use of a trusted application like Google Drive.

Credit to Vivek Rajan (Cyber Analyst) and Ryan Traill (Analyst Content Lead)

Appendices

Darktrace Model Detections

SaaS / Resource::Unusual Download Of Externally Shared Google Workspace File

References

[1]https://www.adobe.com/creativecloud/file-types/image/vector/indd-file.html

MITRE ATT&CK Mapping

Technqiue – Tactic – ID

Data from Cloud Storage Object – COLLECTION -T1530

Continue reading
About the author
Vivek Rajan
Cyber Analyst

Blog

/

January 28, 2025

/
No items found.

Reimagining Your SOC: How to Achieve Proactive Network Security

Default blog imageDefault blog image

Introduction: Challenges and solutions to SOC efficiency

For Security Operation Centers (SOCs), reliance on signature or rule-based tools – solutions that are always chasing the latest update to prevent only what is already known – creates an excess of false positives. SOC analysts are therefore overwhelmed by a high volume of context-lacking alerts, with human analysts able to address only about 10% due to time and resource constraints. This forces many teams to accept the risks of addressing only a fraction of the alerts while novel threats go completely missed.

74% of practitioners are already grappling with the impact of an AI-powered threat landscape, which amplifies challenges like tool sprawl, alert fatigue, and burnout. Thus, achieving a resilient network, where SOC teams can spend most of their time getting proactive and stopping threats before they occur, feels like an unrealistic goal as attacks are growing more frequent.

Despite advancements in security technology (advanced detection systems with AI, XDR tools, SIEM aggregators, etc...), practitioners are still facing the same issues of inefficiency in their SOC, stopping them from becoming proactive. How can they select security solutions that help them achieve a proactive state without dedicating more human hours and resources to managing and triaging alerts, tuning rules, investigating false positives, and creating reports?

To overcome these obstacles, organizations must leverage security technology that is able to augment and support their teams. This can happen in the following ways:

  1. Full visibility across the modern network expanding into hybrid environments
  2. Have tools that identifies and stops novel threats autonomously, without causing downtime
  3. Apply AI-led analysis to reduce time spent on manual triage and investigation

Your current solutions might be holding you back

Traditional cybersecurity point solutions are reliant on using global threat intelligence to pattern match, determine signatures, and consequently are chasing the latest update to prevent only what is known. This means that unknown threats will evade detection until a patient zero is identified. This legacy approach to threat detection means that at least one organization needs to be ‘patient zero’, or the first victim of a novel attack before it is formally identified.

Even the point solutions that claim to use AI to enhance threat detection rely on a combination of supervised machine learning, deep learning, and transformers to

train and inform their systems. This entails shipping your company’s data out to a large data lake housed somewhere in the cloud where it gets blended with attack data from thousands of other organizations. The resulting homogenized dataset gets used to train AI systems — yours and everyone else’s — to recognize patterns of attack based on previously encountered threats.

While using AI in this way reduces the workload of security teams who would traditionally input this data by hand, it emanates the same risk – namely, that AI systems trained on known threats cannot deal with the threats of tomorrow. Ultimately, it is the unknown threats that bring down an organization.

The promise and pitfalls of XDR in today's threat landscape

Enter Extended Detection and Response (XDR): a platform approach aimed at unifying threat detection across the digital environment. XDR was developed to address the limitations of traditional, fragmented tools by stitching together data across domains, providing SOC teams with a more cohesive, enterprise-wide view of threats. This unified approach allows for improved detection of suspicious activities that might otherwise be missed in siloed systems.

However, XDR solutions still face key challenges: they often depend heavily on human validation, which can aggravate the already alarmingly high alert fatigue security analysts experience, and they remain largely reactive, focusing on detecting and responding to threats rather than helping prevent them. Additionally, XDR frequently lacks full domain coverage, relying on EDR as a foundation and are insufficient in providing native NDR capabilities and visibility, leaving critical gaps that attackers can exploit. This is reflected in the current security market, with 57% of organizations reporting that they plan to integrate network security products into their current XDR toolset[1].

Why settling is risky and how to unlock SOC efficiency

The result of these shortcomings within the security solutions market is an acceptance of inevitable risk. From false positives driving the barrage of alerts, to the siloed tooling that requires manual integration, and the lack of multi-domain visibility requiring human intervention for business context, security teams have accepted that not all alerts can be triaged or investigated.

While prioritization and processes have improved, the SOC is operating under a model that is overrun with alerts that lack context, meaning that not all of them can be investigated because there is simply too much for humans to parse through. Thus, teams accept the risk of leaving many alerts uninvestigated, rather than finding a solution to eliminate that risk altogether.

Darktrace / NETWORK is designed for your Security Operations Center to eliminate alert triage with AI-led investigations , and rapidly detect and respond to known and unknown threats. This includes the ability to scale into other environments in your infrastructure including cloud, OT, and more.

Beyond global threat intelligence: Self-Learning AI enables novel threat detection & response

Darktrace does not rely on known malware signatures, external threat intelligence, historical attack data, nor does it rely on threat trained machine learning to identify threats.

Darktrace’s unique Self-learning AI deeply understands your business environment by analyzing trillions of real-time events that understands your normal ‘pattern of life’, unique to your business. By connecting isolated incidents across your business, including third party alerts and telemetry, Darktrace / NETWORK uses anomaly chains to identify deviations from normal activity.

The benefit to this is that when we are not predefining what we are looking for, we can spot new threats, allowing end users to identify both known threats and subtle, never-before-seen indicators of malicious activity that traditional solutions may miss if they are only looking at historical attack data.

AI-led investigations empower your SOC to prioritize what matters

Anomaly detection is often criticized for yielding high false positives, as it flags deviations from expected patterns that may not necessarily indicate a real threat or issues. However, Darktrace applies an investigation engine to automate alert triage and address alert fatigue.

Darktrace’s Cyber AI Analyst revolutionizes security operations by conducting continuous, full investigations across Darktrace and third-party alerts, transforming the alert triage process. Instead of addressing only a fraction of the thousands of daily alerts, Cyber AI Analyst automatically investigates every relevant alert, freeing up your team to focus on high-priority incidents and close security gaps.

Powered by advanced machine-learning techniques, including unsupervised learning, models trained by expert analysts, and tailored security language models, Cyber AI Analyst emulates human investigation skills, testing hypotheses, analyzing data, and drawing conclusions. According to Darktrace Internal Research, Cyber AI Analyst typically provides a SOC with up to  50,000 additional hours of Level 2 analysis and written reporting annually, enriching security operations by producing high level incident alerts with full details so that human analysts can focus on Level 3 tasks.

Containing threats with Autonomous Response

Simply quarantining a device is rarely the best course of action - organizations need to be able to maintain normal operations in the face of threats and choose the right course of action. Different organizations also require tailored response functions because they have different standards and protocols across a variety of unique devices. Ultimately, a ‘one size fits all’ approach to automated response actions puts organizations at risk of disrupting business operations.

Darktrace’s Autonomous Response tailors its actions to contain abnormal behavior across users and digital assets by understanding what is normal and stopping only what is not. Unlike blanket quarantines, it delivers a bespoke approach, blocking malicious activities that deviate from regular patterns while ensuring legitimate business operations remain uninterrupted.

Darktrace offers fully customizable response actions, seamlessly integrating with your workflows through hundreds of native integrations and an open API. It eliminates the need for costly development, natively disarming threats in seconds while extending capabilities with third-party tools like firewalls, EDR, SOAR, and ITSM solutions.

Unlocking a proactive state of security

Securing the network isn’t just about responding to incidents — it’s about being proactive, adaptive, and prepared for the unexpected. The NIST Cybersecurity Framework (CSF 2.0) emphasizes this by highlighting the need for focused risk management, continuous incident response (IR) refinement, and seamless integration of these processes with your detection and response capabilities.

Despite advancements in security technology, achieving a proactive posture is still a challenge to overcome because SOC teams face inefficiencies from reliance on pattern-matching tools, which generate excessive false positives and leave many alerts unaddressed, while novel threats go undetected. If SOC teams are spending all their time investigating alerts then there is no time spent getting ahead of attacks.

Achieving proactive network resilience — a state where organizations can confidently address challenges at every stage of their security posture — requires strategically aligned solutions that work seamlessly together across the attack lifecycle.

References

1.       Market Guide for Extended Detection and Response, Gartner, 17thAugust 2023 - ID G00761828

Continue reading
About the author
Your data. Our AI.
Elevate your network security with Darktrace AI