This blog post is AI-Assisted Content: Written by humans with a helping hand.
Author’s note: This is an AI-generated summary of a webinar InterWorks hosted on April 23, 2025. The main presenter was Jamie Pierce, Solutions Engineer & Darktrace/EMAIL Specialist. If you want to watch the whole webinar we summarized for this piece, feel free to watch it here!
Email security has reached a critical inflection point. Traditional defenses built around signatures and rules are struggling against a new generation of threats powered by artificial intelligence. As attackers leverage tools like ChatGPT to craft increasingly sophisticated phishing campaigns, security teams need solutions that can adapt and learn at machine speed.
The numbers tell the story: AI-powered attacks have surged by 135 percent, while over 40 percent of all breaches still begin with a phishing email. Despite decades of security evolution, the inbox remains the primary attack vector because humans remain susceptible to deception.
Beyond Traditional Detection Methods
Most email security solutions rely heavily on payload detection and signature-based approaches. These methods work well against known threats but struggle with novel attacks that bypass traditional indicators. Modern threat actors often start their campaigns with completely “clean” emails containing no malicious links or attachments, instead initiating seemingly innocent conversations that gradually build trust before deploying their attacks.
Darktrace/EMAIL takes a fundamentally different approach. Rather than looking for known bad indicators, the platform learns what normal looks like for each organization and individual user. This self-learning AI creates behavioral profiles for every user account and mailbox, understanding typical communication patterns, frequent correspondents, and standard email topics.
The Power of Behavioral Analysis
The platform’s approach centers on anomaly detection rather than signature matching. When an email arrives, Darktrace analyzes it within the complete context of the organization’s communication patterns. Every message receives an anomaly score from zero to 100 percent, where zero represents completely normal communication and 100 percent indicates something highly suspicious.
This contextual analysis allows Darktrace to catch sophisticated business email compromise attempts that might slip past traditional defenses. For example, the system recently detected a 99 percent anomalous email from a known correspondent at a healthcare organization. While the sender was legitimate and frequently exchanged emails with internal users, this particular message contained unusual SharePoint links and macro-enabled attachments that deviated significantly from their typical communication patterns. The system correctly identified this as a likely account compromise.
Holistic Email Protection
Darktrace/EMAIL extends protection beyond just inbound threats. The platform monitors Microsoft 365 and Google Workspace environments to detect compromised internal accounts, suspicious Teams messages and potential data loss scenarios. This comprehensive coverage addresses the full spectrum of email-based risks.
The system’s data loss protection capabilities focus on anomaly-based detection rather than pre-classified content types. By understanding normal data flow patterns, Darktrace can identify instances where users might accidentally send sensitive information to the wrong recipients or to external parties they have never communicated with before. The platform can even present real-time warnings to users through Outlook add-ins, helping prevent misdirected emails before they are sent.
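To make the behavioral approach described in the preceding sections concrete, here is an added toy illustration, written for this summary and not Darktrace’s code or any model shown in the webinar. It keeps a per-mailbox baseline of correspondents, the link domains each one usually sends, and the attachment types they usually attach, then scores an inbound message from 0 to 100 by how far it departs from that baseline; the same baseline also drives the outbound “you have never emailed this recipient” warning from this section. The weights, addresses, domains and message history are all constructed; a production model learns far richer features than this.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Hypothetical feature weights (constructed for this example): the probability that the
# feature, on its own, indicates abuse. They are combined noisy-OR style in anomaly_score.
W_UNKNOWN_CORRESPONDENT = 0.5
W_NEW_LINK_DOMAIN = 0.6
W_NEW_ATTACHMENT_TYPE = 0.5
W_MACRO_ATTACHMENT = 0.5
MACRO_EXTS = {".docm", ".xlsm", ".pptm"}


@dataclass(frozen=True)
class Mail:
    mailbox: str            # internal user whose pattern of life is modelled
    correspondent: str      # the other party (sender for inbound, recipient for outbound)
    link_domains: tuple = ()
    attachment_exts: tuple = ()


class MailboxBaseline:
    """What 'normal' looks like for one mailbox: who it exchanges mail with, and which
    link domains and attachment types each correspondent usually sends."""

    def __init__(self):
        self.correspondents = Counter()
        self.link_domains = defaultdict(Counter)
        self.attachment_exts = defaultdict(Counter)

    def learn(self, mail):
        self.correspondents[mail.correspondent] += 1
        self.link_domains[mail.correspondent].update(mail.link_domains)
        self.attachment_exts[mail.correspondent].update(mail.attachment_exts)


def anomaly_score(baseline, mail):
    """Score 0-100 plus the evidence behind it. Each deviation from the baseline contributes
    a weight; the combined score is 1 - prod(1 - w), so several weak signals add up."""
    evidence = []
    who = mail.correspondent
    if baseline.correspondents[who] == 0:
        evidence.append((W_UNKNOWN_CORRESPONDENT, f"no prior mail exchanged with {who}"))
    seen_links = baseline.link_domains.get(who, Counter())
    for domain in mail.link_domains:
        if seen_links[domain] == 0:
            evidence.append((W_NEW_LINK_DOMAIN, f"link to {domain} never seen from {who}"))
    seen_exts = baseline.attachment_exts.get(who, Counter())
    for ext in mail.attachment_exts:
        if seen_exts[ext] == 0:
            evidence.append((W_NEW_ATTACHMENT_TYPE, f"attachment type {ext} never seen from {who}"))
        if ext in MACRO_EXTS:
            evidence.append((W_MACRO_ATTACHMENT, f"macro-enabled attachment {ext}"))
    p_normal = 1.0
    for weight, _ in evidence:
        p_normal *= 1.0 - weight
    return round((1.0 - p_normal) * 100), [reason for _, reason in evidence]


def outbound_warning(baseline, mail):
    """Misdirected-mail check for outbound messages: warn when the mailbox has never
    communicated with this recipient before (the kind of prompt an add-in would show)."""
    if baseline.correspondents[mail.correspondent] == 0:
        return f"You have never exchanged mail with {mail.correspondent}; check the address before sending."
    return None


def demo():
    """Constructed history for one mailbox, then messages scored against it."""
    baseline = MailboxBaseline()
    for _ in range(20):   # a vendor contact who routinely sends PDFs with links to their own site
        baseline.learn(Mail("alice@corp.example", "bob@vendor.example",
                            ("vendor.example",), (".pdf",)))
    routine = Mail("alice@corp.example", "bob@vendor.example", ("vendor.example",), (".pdf",))
    # Same trusted sender, but an unfamiliar file-share link and a macro-enabled document:
    # the account-compromise shape from the healthcare example above.
    takeover = Mail("alice@corp.example", "bob@vendor.example",
                    ("tenant-files.sharepoint.example",), (".docm",))
    stranger = Mail("alice@corp.example", "nobody@unknown.example")
    return {
        "routine": anomaly_score(baseline, routine),
        "takeover": anomaly_score(baseline, takeover),
        "stranger": anomaly_score(baseline, stranger),
        "misdirected": outbound_warning(baseline, Mail("alice@corp.example", "bob@vendorr.example")),
        "ok_outbound": outbound_warning(baseline, Mail("alice@corp.example", "bob@vendor.example")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The routine message scores 0 because nothing about it is new; the message from the same trusted sender with an unfamiliar link domain and a macro-enabled attachment scores 90, which is the point of the approach: the sender’s reputation is not what matters, the deviation from that sender’s own history is. The noisy-OR combination is a deliberate choice so that no single feature has to be damning on its own.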
Real-World Threat Detection
The platform’s effectiveness shows in its ability to catch novel attack methods. Recent examples include detecting makeshift QR codes created entirely from text characters rather than traditional image attachments. By analyzing the unusual concentration of square characters in email body text, combined with other anomalies, Darktrace identified this creative phishing attempt before other security solutions recognized the threat.
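The text-character QR code is a good example of a lure that carries no attachment, no image and no link, so there is nothing for a signature to match. The heuristic the summary describes, an unusual concentration of square characters, can be sketched in a few lines. The following is an added illustration, not Darktrace’s detection logic; the character set, thresholds and both sample bodies are constructed for the example, and the grid it draws is a pseudo-random pattern rather than a scannable code.

```python
from collections import Counter

# Unicode block-drawing and geometric-square characters commonly used to draw a QR code
# as text instead of embedding an image (set constructed for this example).
BLOCK_CHARS = set("█▀▄▌▐░▒▓■□▪▫")


def block_char_profile(body):
    """Measure how much of the body is made of block characters and whether those
    characters form rows of consistent width, as a text-rendered QR code does."""
    non_ws = [c for c in body if not c.isspace()]
    if not non_ws:
        return {"ratio": 0.0, "grid_rows": 0, "grid_width": 0}
    ratio = sum(c in BLOCK_CHARS for c in non_ws) / len(non_ws)
    widths = Counter()
    for line in body.splitlines():
        row = line.strip()
        cells = [c for c in row if not c.isspace()]
        # a "grid row" is a line made almost entirely of block characters
        if cells and sum(c in BLOCK_CHARS for c in cells) / len(cells) >= 0.8:
            widths[len(row)] += 1
    width, rows = widths.most_common(1)[0] if widths else (0, 0)
    return {"ratio": ratio, "grid_rows": rows, "grid_width": width}


def looks_like_text_qr(body, min_ratio=0.3, min_rows=10, min_width=21):
    """True when block characters dominate the body AND form a square-ish grid. The width
    floor of 21 is the module count of the smallest QR version; the row floor is lower
    because half-block renderings pack two module rows into one text line."""
    p = block_char_profile(body)
    return p["ratio"] >= min_ratio and p["grid_rows"] >= min_rows and p["grid_width"] >= min_width


def make_text_qr_body():
    """Constructed phishing-style body: a short lure followed by a 21x21 pattern drawn with
    full blocks and spaces. First and last columns are always filled so strip() keeps
    every row at full width."""
    rows = []
    for r in range(21):
        middle = "".join("█" if (r * 7 + c * 3) % 5 < 3 else " " for c in range(1, 20))
        rows.append("█" + middle + "█")
    return "Your document is ready. Scan the code below to view it:\n\n" + "\n".join(rows)


# Constructed benign body: a few square bullets should not trip the check.
BENIGN_BODY = """Hi team,

Agenda for Thursday:
■ Q2 numbers
■ Hiring plan
■ Office move

See you there.
"""


if __name__ == "__main__":
    print("lure flagged:", looks_like_text_qr(make_text_qr_body()))
    print("benign flagged:", looks_like_text_qr(BENIGN_BODY))
```

On its own this is one weak signal, which is why the summary notes it was combined with other anomalies; a bulleted agenda contains square characters too, and the grid test is what separates a drawing from decoration.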
Another example involved detecting a lateral phishing campaign where a compromised internal account sent identical suspicious emails to 10 users within one hour. The system correlated the account’s suspicious login activity with the unusual internal email distribution pattern, correctly identifying the compromise and blocking the malicious links.
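The lateral phishing case turns on correlation: neither a bulk internal send nor an unusual login is conclusive alone, but the two together from one account inside a short window are. Here is an added example of that correlation run over constructed telemetry, written for this summary and not taken from Darktrace; the log format, account names, documentation-range IP addresses, “usual country” baseline and thresholds are all assumptions for the sake of the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed record formats: one authentication event or one internal mail event per line.
AUTH_RE = re.compile(r"^(?P<ts>\S+) auth user=(?P<user>\S+) ip=\S+ geo=(?P<geo>\S+) result=(?P<result>\S+)$")
MAIL_RE = re.compile(r"^(?P<ts>\S+) mail from=(?P<frm>\S+) to=(?P<to>\S+) body=(?P<body>\S+) links=(?P<links>\S*)$")

# Learned "usual login countries" per account (constructed baseline for this example).
USUAL_GEO = {"carol@corp.example": {"GB"}, "erin@corp.example": {"GB"}}


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_log(lines):
    """Split the record stream into authentication events and internal mail events."""
    auths, mails = [], []
    for line in lines:
        line = line.strip()
        if (m := AUTH_RE.match(line)):
            auths.append({"ts": parse_ts(m["ts"]), "user": m["user"], "geo": m["geo"], "result": m["result"]})
        elif (m := MAIL_RE.match(line)):
            mails.append({"ts": parse_ts(m["ts"]), "from": m["frm"], "to": m["to"],
                          "body": m["body"], "links": m["links"]})
    return auths, mails


def anomalous_logins(auths):
    """Successful sign-ins from a country the account has not used before."""
    return [a for a in auths
            if a["result"] == "success" and a["geo"] not in USUAL_GEO.get(a["user"], set())]


def mass_identical_sends(mails, window=timedelta(hours=1), threshold=10):
    """Accounts that sent the same body to >= threshold distinct recipients within `window`."""
    by_key = defaultdict(list)
    for m in mails:
        by_key[(m["from"], m["body"])].append(m)
    bursts = []
    for (sender, body), msgs in by_key.items():
        msgs.sort(key=lambda m: m["ts"])
        for i, first in enumerate(msgs):          # sliding window anchored at each send
            in_window = [m for m in msgs[i:] if m["ts"] - first["ts"] <= window]
            recipients = {m["to"] for m in in_window}
            if len(recipients) >= threshold:
                bursts.append({"sender": sender, "body": body, "start": first["ts"],
                               "recipients": recipients, "links": {m["links"] for m in in_window}})
                break
    return bursts


def correlate(lines, lookback=timedelta(hours=6)):
    """The detection: a mass identical internal send is high severity only when the sending
    account also had an anomalous login shortly before; bulk mail alone is just recorded."""
    auths, mails = parse_log(lines)
    logins = anomalous_logins(auths)
    alerts = []
    for b in mass_identical_sends(mails):
        prior = [a for a in logins if a["user"] == b["sender"]
                 and timedelta(0) <= b["start"] - a["ts"] <= lookback]
        if prior:
            alerts.append({"account": b["sender"], "severity": "high",
                           "action": f"block links {sorted(b['links'])}; hold further copies",
                           "evidence": f"{len(b['recipients'])} recipients, login from {prior[0]['geo']}"})
        else:
            alerts.append({"account": b["sender"], "severity": "low",
                           "action": "record only (bulk send with no login anomaly)",
                           "evidence": f"{len(b['recipients'])} recipients"})
    return alerts


def build_sample_log():
    """Constructed telemetry: erin sends a genuine all-hands note to 12 colleagues after a
    normal login; carol's account, after a sign-in from an unfamiliar country, sends the
    same lure to 10 colleagues in under an hour."""
    lines = ["2025-04-23T07:55:10Z auth user=erin@corp.example ip=203.0.113.10 geo=GB result=success",
             "2025-04-23T08:02:11Z auth user=carol@corp.example ip=198.51.100.7 geo=US result=success"]
    for i in range(10):
        ts = datetime(2025, 4, 23, 8, 20) + timedelta(minutes=3 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} mail from=carol@corp.example "
                     f"to=user{i}@corp.example body=h_inv77 links=docs-share.example")
    for i in range(12):
        ts = datetime(2025, 4, 23, 9, 0) + timedelta(minutes=i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} mail from=erin@corp.example "
                     f"to=user{i}@corp.example body=h_news01 links=intranet.corp.example")
    return lines


if __name__ == "__main__":
    for alert in correlate(build_sample_log()):
        print(alert)
```

Erin’s bulk send is the deliberate false-positive control: it exceeds the recipient threshold but has no login anomaly behind it, so it is recorded rather than blocked. Carol’s burst, preceded by the unfamiliar sign-in, produces the high-severity alert whose action is to block the shared link and hold further copies, which is the response the summary describes.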
Autonomous Response and User Interaction
When threats are detected, Darktrace can take autonomous action without requiring administrator intervention. Response options range from holding suspicious emails back from inboxes entirely to more nuanced measures such as rewriting links for time-of-click analysis or converting attachments to safe PDF formats.
The platform includes user-friendly features that enhance security awareness. The analysis add-in allows end users to query Darktrace directly from Outlook, receiving explanations of why emails might be suspicious and guidance on appropriate actions. User feedback through reporting suspicious emails or marking items as safe feeds back into the learning system, continuously improving accuracy.
Advanced AI Architecture
Under the hood, Darktrace employs both supervised and unsupervised machine learning techniques. The system creates unique “patterns of life” for every user and external correspondent, understanding not just who they communicate with but how they typically communicate. This includes factors like usual login locations, typical file types shared and standard communication topics.
The platform’s user clustering capabilities allow it to understand group behaviors within organizations. When new employees join specific teams, they can be quickly classified based on existing group patterns rather than starting from zero baseline knowledge. This approach significantly reduces false positives while maintaining high detection rates for genuine anomalies.
Integration and Deployment
Darktrace/EMAIL deploys through APIs and optional journaling rules, sitting in parallel with existing email infrastructure rather than inline. This architecture allows the platform to analyze everything that gets past existing defenses without introducing latency or a single point of failure. The system works alongside current secure email gateways or as the primary security layer, depending on organizational preferences.
Deployment typically requires minimal time investment. Most organizations can complete setup through API connections in 10-15 minutes, with the system passively learning patterns for 7-10 days before providing full protection capabilities. This rapid deployment model makes proof-of-concept evaluations straightforward and low-impact.
Continuous Learning and Adaptation
Unlike static security rules that require constant updates, Darktrace continuously learns and adapts to changing organizational patterns. As users’ roles evolve, communication patterns shift, or new team members join, the system automatically updates its behavioral models. This dynamic learning approach helps address one of email security’s persistent challenges: keeping pace with legitimate business changes while maintaining protection against emerging threats.
The platform’s global intelligence capabilities allow it to benefit from insights across Darktrace’s entire customer base without compromising individual organization privacy. This collective learning helps identify emerging threat patterns and attack techniques as they develop across the threat landscape.
Beyond Email: Unified Security Architecture
While email remains the primary focus, Darktrace’s self-learning AI approach extends across the entire digital estate. Organizations can apply the same behavioral analysis techniques to network traffic, cloud environments, identity systems and operational technology. This unified approach allows for correlation of threats across different attack vectors, providing more comprehensive protection than isolated point solutions.
For instance, if the network security component detects a user regularly connecting to specific domains, the email system can factor this into trust decisions for emails from those same domains. This cross-platform intelligence sharing creates a more nuanced and accurate security posture.
The Future of Email Security
The email threat landscape will continue evolving as attackers leverage increasingly sophisticated AI tools. Traditional signature-based defenses will become less effective against personalized, AI-generated attacks designed to bypass conventional detection methods. Success requires security solutions that can learn, adapt and respond at machine speed while maintaining the context and nuance needed to distinguish between legitimate business communication and sophisticated impersonation attempts.
Darktrace/EMAIL represents this evolution toward behavioral, AI-driven email security. By focusing on understanding normal rather than cataloging abnormal, the platform can detect novel threats without requiring prior knowledge of specific attack techniques. This approach provides organizations with protection against both current threats and future attack methods that have not yet been developed.
For IT teams dealing with increasingly sophisticated email threats, resource constraints, and the challenge of protecting users without impeding productivity, behavioral AI offers a path toward more effective, autonomous email security that scales with organizational needs and adapts to emerging threats.