Unusual but benign: How Antigena Email deals with unthreatening emails from a new contact
Antigena Email uniquely understands employees’ patterns of life, including how they behave and communicate, in order to identify anomalous behavior that it deems threatening and neutralize malicious emails in real time. This self-learning approach has enabled the technology to stop advanced attacks that other tools missed, including a Siemens impersonation attack, a QuickBooks scam, and a fraudulent Chase fraud alert.
But how does an AI-powered approach handle the case of the ‘unusual but benign’: an email from a new contact which is highly unusual, but non-threatening?
This blog follows an employee at a marketing agency that had deployed Darktrace across its entire digital estate. The employee, Roberta, had recently organized a virtual event, and was looking to send a thank you gift to the speakers who participated. She found Patch, a leading online supplier of plants perfect for the ‘clueless urban gardener’ that Roberta felt would be a good choice.
Figure 1: The webpage of Patch, a new supplier to the organization
After visiting the website and choosing the perfect gift, Roberta signed up for the Patch newsletter with her corporate email; this was a business expense after all.
A common source of frustration often arises when a team or an employee is trying to do new things, but are stopped by security policies that pre-define what they are allowed to do or who they can contact. Some email security vendors take the approach that only known correspondents or pre-approved domains can send emails to employees’ corporate emails. This principle, while effective at keeping out many spam and spoofing emails, will also block unusual but legitimate, and potentially important, emails from making their way into the inbox, leading to frustration.
Planting the seed
Thankfully for Roberta, Darktrace’s AI contextualizes email anomalies with an understanding of the user that looks beyond the inbox and draws insights from across employees’ digital footprint. A holistic understanding of both email and network traffic enabled the AI to recognize that Roberta had visited the Patchplants.com website and signed up for the newsletter. This prior event contextualized the subsequent email and allowed Darktrace to recognize that despite being anomalous and new, this email was legitimate and no action was necessary.
Figure 2: Darktrace’s Email Dashboard surfaces a high rarity score of 99
No other employee at the company had ever received mail from this domain, with Antigena Email giving the email a rarity score of 99. However, the brief interaction with the website helped the AI decide that even though this was a highly unusual domain, it was not a threat, and the email was promptly delivered.
Figure 3: The newsletter welcome email
The good, the bad and the ugly
This example demonstrates the importance of a security stack that can discern when unusual activity or an anomalous email is acceptable, and the value of user context and insights gathered across the digital ecosystem. New business often relies on new interactions that are difficult to write into security and policy rules, and so understanding the ‘unusual but benign’ is key so that businesses, like plants, can grow and thrive.
Darktrace’s AI can make these critical determinations based on its evolving understanding of the user and the business as a whole, stopping malicious emails and only the malicious emails.