PRODUCT GUIDE
DARKTRACE/EMAIL FOR ON-PREMISES EXCHANGE
Introduction
Darktrace/Email for Exchange (On-premises) extends the autonomous, responsive capabilities of Darktrace DETECT and RESPOND
into an area of operations that is traditionally difficult to manage and maintain. A ground-level departure from the legacy approach
of matching email against predefined templates of malicious communication, Darktrace/Email's contextualized actions rest entirely on
the wider patterns of activity that Darktrace's Cyber AI identifies across the business. It provides both visibility and intelligent
response.
  •   Seamlessly integrates your existing Darktrace DETECT and RESPOND coverage with your email flow.
  •   Responds at any point in the attack life cycle, whether by preventing delivery or by reacting to network events.
  •   Adjusts thresholds according to individual user behavior and reports on your most susceptible users.
  •   Prevents unknown malware.
  •   Detects spoofing.
  •   Detects hijacking of trusted accounts.
  •   Rewrites URLs and neutralizes attachments.
  •   Detects advanced phishing attacks.
  •   Combines network and email security AI for complete coverage.
When the need arises to investigate a threat, to create models, or to gain better insight into the email hygiene of your
organization, the dedicated Darktrace/Email interface provides a range of options for real-time threat investigation. Suspect
emails are held for further inspection or for authorized release, user behavior and notable incidents are mapped, and detailed,
comprehensive email logs can be filtered by a wide range of metrics, including user, domain, attachments and model interaction.
How It Works
     Darktrace/Email works directly with an organization's Exchange Servers, using Exchange's Journaling functionality to pass a
     copy of the mailflow to Darktrace/Email for inspection and analysis. In on-premises mailflow environments, a Darktrace/Email
     appliance is placed locally within the network to receive and analyze email at the source.
     On initial configuration, Darktrace/Email retrospectively processes Active Directory and Exchange metadata to gain an intimate
     knowledge of users, email addresses, correspondents and routine operations. This processing is performed within the
     Darktrace/Email appliance and does not affect email delivery.
     In the early stages of deployment Darktrace/Email is run in passive mode, where any actions Darktrace/Email would take for
     each email are displayed but not performed. During the initial trial period, a customer may choose to enable live autonomous
     actions on a per-user basis or for specific groups.
     Considerations
     The Darktrace/Email appliance should be situated in the same logical network segment as the Exchange server to minimize
     latency in the journaled mailflow. Connectivity between the Darktrace appliance and the Darktrace/Email appliance must also
     be reliable, since the Darktrace/Email appliance depends on it for the network context behind its actions.
     Darktrace/Email relies on Journaling rules to achieve full visibility. Exchange journaling requires a mailbox to which
     undeliverable journal reports (NDRs) are sent. We strongly recommend a dedicated mailbox for this purpose, because Darktrace/Email
     cannot monitor or action emails sent to the mailbox used for undeliverable journal reports.
     Darktrace/Email currently supports Exchange environments running Exchange Server 2013 SP1, or Exchange Server 2016 / 2019
     with NTLM(v2) configured.
     Permissions
     During the setup process, you will be required to log in to your organizational Exchange Server with a Domain Administrator
     account to create the Connector and Journal rule. An Active Directory user must also be created, which Darktrace/Email will
     use for API access.
     Easy Deployment Process
     The deployment of Darktrace/Email is simple:
          1.  Ensure that an LDAP server is configured in the Darktrace Threat Visualizer before proceeding.
          2.  In your firewall, allow the Darktrace/Email appliance to contact the specified IPs over TCP port 22 (SSH).
          3.  Create an Active Directory user for Darktrace/Email and assign it the Exchange impersonation role.
          4.  Configure the Darktrace/Email appliance with NTP, SMTP, DNS and HTTPS in a location where it can reach
              both the Darktrace Master and your Exchange server.
          5.  Provide the Darktrace/Email appliance with your Exchange Server IP and the credentials of the impersonation
              user created in step 3.
          6.  Create a mailflow connector in your Exchange Server environment.
          7.  Create a Journaling rule in your Exchange Server environment.
          8.  Configure notifications between your Exchange Server and the Darktrace/Email appliance.
          9.  Darktrace/Email will then begin baselining all observed email traffic to establish an understanding of your
              organization's pattern of life.
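     The Exchange-side work in steps 3, 6 and 7 above, together with the dedicated undeliverable-report mailbox recommended under
     Considerations, as an added Exchange Management Shell example. This is not code from the Darktrace guide or from Darktrace; the
     account name, journal domain, appliance IP and mailbox alias are hypothetical placeholders, and the "mailflow connector" of
     step 6 is assumed here to be an Exchange Send connector that routes mail for the journal domain to the appliance.

```powershell
# Added example, not from the Darktrace guide. Run in the Exchange Management Shell
# on an Exchange 2013 SP1 / 2016 / 2019 server as a Domain Administrator.
# Every name, address and IP below is a hypothetical placeholder; substitute your own.

$SvcUser     = 'svc-darktrace'                   # assumed service account name
$SvcUpn      = "$SvcUser@example.com"            # assumed UPN for that account
$JournalDom  = 'journal.darktrace.example.com'   # assumed domain the journal rule targets
$JournalAddr = "journal@$JournalDom"             # assumed journal recipient address
$ApplianceIp = '10.0.0.50'                       # assumed Darktrace/Email appliance IP
$NdrAlias    = 'journal-ndr'                     # assumed alias of the dedicated NDR mailbox

# Step 3: the account Darktrace/Email uses for API (EWS) access. New-Mailbox creates the
# AD user as well; the ApplicationImpersonation role lets the account act on behalf of
# other mailboxes. Hiding it from the address lists keeps it out of the GAL.
$Pw = Read-Host -AsSecureString -Prompt "Password for $SvcUser"
New-Mailbox -Name $SvcUser -UserPrincipalName $SvcUpn -Password $Pw
Set-Mailbox -Identity $SvcUpn -HiddenFromAddressListsEnabled $true
New-ManagementRoleAssignment -Name 'Darktrace Impersonation' `
    -Role 'ApplicationImpersonation' -User $SvcUpn

# Considerations: a dedicated mailbox for undeliverable journal reports. Darktrace/Email
# cannot see mail sent to this mailbox, so it must never be a user's mailbox and must not
# be the journal recipient itself.
New-Mailbox -Shared -Name 'Journal NDR' -Alias $NdrAlias
$NdrAddress = (Get-Mailbox -Identity $NdrAlias).PrimarySmtpAddress
Set-TransportConfig -JournalingReportNdrTo $NdrAddress

# Step 6: Send connector that delivers anything addressed to the journal domain straight
# to the appliance as a smart host (no DNS/MX lookup), from every transport server.
New-SendConnector -Name 'Darktrace Journal' -Usage Custom `
    -AddressSpaces "SMTP:$JournalDom;1" -SmartHosts $ApplianceIp `
    -DNSRoutingEnabled $false -SourceTransportServers (Get-TransportService).Name

# Step 7: journal rule copying all internal and external mail to the journal address.
# A Global-scope journal rule is premium journaling and requires an Enterprise CAL.
New-JournalRule -Name 'Darktrace Journal' -JournalEmailAddress $JournalAddr `
    -Scope Global -Enabled $true

# Checks: confirm each object exists and carries the intended settings.
Get-ManagementRoleAssignment -RoleAssignee $SvcUpn | Format-Table Name, Role
Get-TransportConfig | Format-List JournalingReportNdrTo
Get-SendConnector -Identity 'Darktrace Journal' | Format-List Name, AddressSpaces, SmartHosts, Enabled
Get-JournalRule -Identity 'Darktrace Journal' | Format-List Name, JournalEmailAddress, Scope, Enabled
```

     Keep the three addresses distinct: the journal recipient, the NDR mailbox and the service account. If the NDR mailbox and the
     journal recipient were the same address, a bounced journal report would itself be journaled, and Darktrace/Email would never
     see it. Steps 2, 4, 5 and 8 are performed on the appliance and in the firewall and are not shown here.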
     The power of Darktrace/Email lies in leveraging this unique understanding of day-to-day user email behavior in relation to their
     past, to their peer group, and to the wider organization. Armed with the knowledge of what is ‘normal’ for a specific organization
     and specific individual, rather than what fits a predefined template of malicious communications, Darktrace/Email can identify
     subtle, sophisticated email campaigns which mimic benign communications and locate threats concealed as everyday activity.
US:+1 415 229 9100      UK:+44 (0) 1223 394 100   LATAM:+55 11 4949 7696   APAC:+65 6804 5010     info@darktrace.com    darktrace.com
LAST UPDATED: OCTOBER 24 2022