Darktrace Strengthens Email Defense with AI: Multidomain Detection and Enhanced Brand Protection

Darktrace has announced a major update to Darktrace / EMAIL™, its AI-powered email security platform, aiming to go beyond traditional spam filtering and tackle attacks that are no longer confined to the inbox, but jump across email, identities, SaaS, and collaboration tools.

The UK-based company, headquartered in Cambridge, states that these advancements are designed to counter increasingly subtle social engineering campaigns, protect brand reputation in the email channel, and reduce security teams’ workload in environments with multiple tools.


17% of threats the SEG can’t see… but AI can

According to internal Darktrace data, even in organizations using secure email gateways (SEG) and other traditional layers, 17% of malicious emails bypass all these filters and reach the user. It is precisely in this gap that the company positions its AI-based approach.

Instead of relying on signatures, blacklists, or simple malware indicators, Darktrace / EMAIL™ uses self-learning AI that models how the organization and each user typically communicate: who talks to whom, at what times, with what tone, what types of attachments are common, etc.

With this context, the platform can detect routine-looking emails (for example, account change requests, payment instructions, or impersonations of vendors) that introduce slight variations in the sender, language, or sending time. These subtle social engineering attacks without obvious payloads are often the ones that evade traditional solutions.


Email bombing and cross-channel attacks: from inbox to Teams and phone

Another rising trend highlighted by Darktrace is email bombing: campaigns that flood inboxes with thousands of benign messages to create noise, distract, and open the door to attacks via other channels. Between April and July 2025, the company recorded a 100-fold increase in such emails, jumping from 200,000 to over 20 million messages observed in its client base.

The pattern is usually the same: after flooding the inbox, the attacker contacts the victim via Teams, phone, or other channels, impersonating IT support or a vendor offering help, and thereby gains access or sensitive information.

To counter these multi-domain campaigns, Darktrace has introduced tighter integration between Darktrace / EMAIL™ and Darktrace / IDENTITY™. If the system detects suspicious activity — such as a bombardment of emails — it automatically raises sensitivity on the affected account and enhances monitoring of access attempts or anomalous identity activities linked to that user.
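As an added illustration (not Darktrace's code), the following script detects the email-bombing pattern described above over constructed gateway log lines: a burst of messages to one recipient from many distinct senders trips an alert that marks the account for heightened identity monitoring. The log format, threshold and window are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample log lines in the shape '<ISO timestamp> <recipient> <sender>'.
    They stand in for mail-gateway logs and are not Darktrace output."""
    base = datetime(2025, 6, 1, 9, 0, 0)
    lines = []
    # 60 "benign" subscription confirmations from 60 distinct domains within 6 minutes
    for i in range(60):
        ts = base + timedelta(seconds=6 * i)
        lines.append(f"{ts.isoformat()} alice@example.com news@site{i}.example")
    # normal traffic to another user, well below any threshold
    for i in range(3):
        ts = base + timedelta(minutes=i)
        lines.append(f"{ts.isoformat()} bob@example.com colleague{i}@example.com")
    return lines


def detect_email_bombing(lines, threshold=50, window=timedelta(minutes=10)):
    """Flag recipients that receive >= threshold messages inside a sliding window.

    Returns {recipient: {"count", "distinct_senders", "first_seen", "last_seen",
    "escalate_identity_monitoring"}} for each recipient that tripped the threshold.
    """
    windows = defaultdict(deque)  # recipient -> deque of (timestamp, sender)
    alerts = {}
    for line in sorted(lines):    # fixed-width ISO timestamps sort in time order
        ts_str, recipient, sender = line.split()
        ts = datetime.fromisoformat(ts_str)
        q = windows[recipient]
        q.append((ts, sender))
        while q and ts - q[0][0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            senders = {s for _, s in q}
            alerts[recipient] = {
                "count": len(q),
                "distinct_senders": len(senders),
                "first_seen": q[0][0],
                "last_seen": ts,
                # A flood from mostly distinct, unrelated senders is the bombing
                # signature; that is when follow-up contact via other channels
                # against this user deserves tighter identity monitoring.
                "escalate_identity_monitoring": len(senders) / len(q) > 0.5,
            }
    return alerts
```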

The same logic extends to business apps like Salesforce, where Darktrace can evaluate and act on tickets created from potentially malicious emails, enabling a more coordinated response across email, identities, and SaaS.

Additionally, the company now combines behavioral analysis with traditional threat intelligence (antivirus verdicts, structured feeds), enriching alerts with more context to accelerate SOC decision-making.


Protecting “outbound trust”: BIMI, DMARC, and tagless DLP

Threats are not only inbound: many breaches arise when the problem extends beyond the organization, for example when its brand is impersonated. Darktrace cites the surge in phishing attacks exploiting Black Friday, with a 1,317% increase in attacks related to this campaign in November.

In this context, the company has strengthened outbound email and brand identity protection:

  • Full BIMI support in Darktrace / EMAIL – DMARC
    Organizations can display their verified logo in the recipient’s inbox, making legitimate communications more recognizable. At the same time, the platform can detect and flag incoming emails attempting to impersonate that brand, combining authentication (DMARC/BIMI) with behavioral signals.
  • Behavioral DLP without labels
    Darktrace recognizes that human error remains a key factor in many internal leaks, with data indicating that 72% of internal incident actions relate to misdirected or poorly managed information.
    To reduce this risk, the company claims to have created the first “label-free” DLP for email: a domain-specific language model that automatically identifies over 35 categories of sensitive data, including PII and PHI (personal, financial, health data, etc.), in emails and attachments.
    Instead of depending on static policies or manual labels, the system learns how each user manages sensitive information and intervenes when deviations occur, such as an unusual recipient or incoherent context for specific data.

The goal is twofold: to verify who appears to be sending the email (brand protection) and what is actually being sent (data protection), reinforcing trust in outbound communications.


Integrations for SOC: less friction, more context

Aware that security teams manage a complex ecosystem of tools, Darktrace has added integrations designed to reduce friction:

  • Direct connection with Jira and ServiceNow
    User incidents or reports can automatically become tickets in these platforms, respecting the organization’s workflow and facilitating traceability and resolution.
  • Sandbox analysis from the console itself
    Analysts can send attachments or URLs to a sandbox environment directly from Darktrace’s interface, observe their behavior, and quickly validate if it’s a threat.

These new features complement existing integrations such as the connection with Microsoft Defender for Office 365 (unified quarantine management) and the Email Analysis Agent for Microsoft Security Copilot, which allows querying Darktrace / EMAIL context in natural language within investigations in Copilot.


Market recognition and “AI-native” strategy

Darktrace emphasizes that its “AI-native” approach has been validated by the market: Darktrace / EMAIL™ was recognized as a Leader in Gartner’s 2025 Magic Quadrant for Email Security Platforms and named a Customers’ Choice on Gartner Peer Insights within this category, with thousands of customers using the solution as a primary or supplementary layer in their email protection strategy.

With these new capabilities, the company aims to position Darktrace / EMAIL™ not just as another email filter but as a central piece in multi-domain detection and response, capable of unifying signals from email, identities, and SaaS to stop modern attacks before they jump channels… and before trust — in the brand and inbox — is lost.

via: darktrace
