A new era of reputation-aware, unified email security

Darktrace / EMAIL is redefining email defense with new innovations that close email security silos and empower SOC teams to stop multi-stage attacks – without disrupting business operations.  

By extending visibility across interconnected domains, Darktrace catches the 17% of threats that leading SEGs miss, including multi-stage attacks like email bombing and cloud platform abuse. Its label-free behavioral DLP protects sensitive data without reliance on manual rules or classification, while DMARC strengthens brand trust and authenticity. With native integrations for Microsoft Defender and Security Copilot, SOC teams can now investigate and respond faster, reducing risk and maintaining operational continuity across the enterprise.

Summary of what’s new:

• Cross-domain AI-native detection unifying email, identity, and SaaS
• Label-free behavioral DLP for effortless data protection
• Microsoft Defender and Security Copilot integrations for streamlined investigation and response

Why email security must evolve

Today’s attacks don’t stop at the inbox. They move across domains – email to identity, SaaS, and network – exploiting the blind spots between disconnected tools. Yet most email security solutions still operate in isolation, unable to see or respond beyond the message itself.

In 2024, Darktrace detected over 30 million phishing attempts: 38% targeting high-value individuals and almost a third using novel social engineering, including AI-generated text. Generative AI is amplifying the realism and scale of social engineering, while customers face a wave of new techniques like email bombing, where attackers flood inboxes to distract or manipulate users, and polymorphic malware, which continuously evolves to evade static defenses.

Meanwhile, defenders are exposed to traditional DLP tools that create operational drag with high false positives and rigid policies. Accidental insider breachers remain a major risk to organizations: 6% of all data breaches are caused by misdelivery, and 95% of those incidents involve personal data.

Tool sprawl compounds the issue. The average enterprise manages around 75 security products, and 69% report operational strain as a result. This complexity is counterproductive – and with legacy SEGs failing to adapt to detect threats that exploit human behavior, analysts are left juggling an unwieldy patchwork of fragmented defenses.

The bottom line? Siloed email defenses can’t keep pace with today’s AI-driven, cross domain attacks.

Beyond detection: AI built for modern threats

Darktrace / EMAIL is uniquely designed to catch the threats SEGs miss, powered by Self-Learning AI. It learns the communication patterns of every user – correlating behavioral signals from email, identity, and SaaS – to identify the subtle, context-driven deviations that define advanced social engineering and supply chain attacks.

Unlike tools that rely on static rules or historical attack data, Darktrace’s AI assumes a zero trust posture, treating every interaction as a potential risk. It detects novel threats in real time, including those that exploit trusted relationships or mimic legitimate business processes. And because Darktrace’s technology is natively unified, it delivers precise, coordinated responses that neutralize threats in real time.

Powerful innovations to Darktrace / EMAIL

Improved, multi-domain threat detection and response

With this update, Darktrace reveals multi-domain detection linking behavioral signals across email, identity, and SaaS to uncover advanced attacks. Darktrace leverages its existing agentic platform to understand behavioral deviations in any communication channel and take precise actions regardless of the domain.  

This innovation enables customers to:

• Correlate behavioral signals across domains to expose cross-channel threats and enable coordinated response
• Link email and identity intelligence to neutralize multi-stage attacks, including advanced email bombing campaigns

Detection accuracy is further strengthened through layering with traditional threat intelligence:

• Integrated antivirus verdicts improve detection efficacy by adding traditional file scanning
• Structured threat intelligence (STIX/TAXII) enriches alerts with global context for faster triage and prioritization

Expanded ecosystem visibility also includes:

• Salesforce integration, enabling automatic action on potentially malicious tickets auto-created from emails – accelerating threat response and reducing manual burden

Advancements in label-free DLP

Darktrace is delivering the industry’s first label-free data loss prevention (DLP) solution powered by a proprietary domain specific language model (DSLM).  

This update expands DLP to protect against both secrets and personally identifiable information (PII), safeguarding sensitive data without relying on status rules or manual classification. The DSLM is tuned for email/DLP semantics so it understands entities, PII patterns, and message context quickly enough to enforce at send time.

Key enhancements include:

• Behaviorally enhanced PII detection that automatically defines over 35+ new categories, including personal, financial, and health data  
• Added detail to DLP alerts in the UI, showing exactly how and when DLP policies were applied
• Enhanced Cyber AI Analyst narratives to explain detection logic, making it easier to investigate and escalate incidents

And for further confidence in outbound mail, discover new updates to DMARC, with support for BIMI logo verification, automatic detection of both MTA-STS and TLS records, and data exports for deeper analysis and reporting. Accessible for all organizations, available now on the Azure marketplace.

Streamlined SOC workflows, with Microsoft-native integrations

This update introduces new integrations that simplify SOC operations, unify visibility, and accelerate response. By embedding directly into the Microsoft ecosystem – with Defender and Security Copilot – analysts gain instant access to correlated insights without switching consoles.

New innovations include:

• Unified quarantine management with Microsoft Defender, centralizing containment within the native Microsoft interface and eliminating console hopping
• Ability to surface threat insights directly in Copilot via the Darktrace Email Analysis Agent, eliminating data hunting and simplifying investigations
• Automatic ticket creation in JIRA when users report suspicious messages
• Sandbox analysis integration, enabling payload inspection in isolated environments directly from the Darktrace UI

Committed to innovation

These updates are part of the broader Darktrace release, which also included:

1. Major innovations in cloud security with the launch of the industry’s first fully automated cloud forensics solution, reinforcing Darktrace’s leadership in AI-native security.
2. Redefining NDR with industry-first autonomous threat investigation from network to endpoint  
3. Innovations to our suite of Exposure Management & Attack Surface Management tools

As attackers exploit gaps between tools, the Darktrace ActiveAI Security Platform delivers unified detection, automated investigation, and autonomous response across cloud, endpoint, email, network, and OT. With full-stack visibility and AI-native workflows, Darktrace empowers security teams to detect, understand, and stop novel threats before they escalate.

Join our Live Launch Event

When? December 9, 2025

What will be covered? Join our live broadcast to experience how Darktrace is eliminating blind spots for detection and response across your complete enterprise with new innovations in Agentic AI across our ActiveAI Security platform. Industry leaders from IDC will join Darktrace customers to discuss challenges in cross-domain security, with a live walkthrough reshaping the future of Network Detection & Response, Endpoint Detection & Response, Email Security, and SecOps in novel threat detection and autonomous investigations.

17%: The figure that changes your risk math

Most organizations deploy a Secure Email Gateway (SEG) assuming it will catch whatever their native email security provider would not be able to. But the data tells a different story. Nearly one in six of the riskiest inbound emails still evade the native + SEG layers on the first pass – 17% is the average SEG miss rate after Microsoft filtering.  

How did we calculate the miss rate? The figure comes from a volume-weighted analysis of real-world enterprise deployments where Darktrace operated alongside a SEG, compared to deployments without a SEG. It’s based on how each security layer treated malicious emails on the first instance – if the SEG missed the email at the initial filtering but caught it minutes or hours later we considered it a miss, because the threat had already been exposed to the user. We computed the mean per category miss count across the top three widely deployed SEGs and divided that by the total number of threats that had already bypassed native filters. The resulting rate is 17.8%, conservatively communicated as “about 17%.”

This result is a powerful directional signal – not a guarantee for every environment – but significant enough to merit a closer look.

What SEGs miss most (and why it matters)

Our analysis shows that SEGs most frequently miss context-driven, low-signal attacks.

These are the kinds of emails that look convincing to recipients and rely on business context, without overtly malicious indicators, including:

Solicitation and fraudulent requests (~21% miss rate)

Deceptive invoices, vendor “updates,” payment term changes, or urgent favors. These messages often lack obvious payloads and exploit business process mimicry, making them nearly indistinguishable from genuine correspondence in the eyes of static, rule-based filters dependent on payload analysis. 22% of breaches stemming from external actors were a result of social engineering in 2025 (Verizon 2025 Data Breach Investigations Report).

Phishing links (~20% miss rate)

Links to credential harvesters or later-weaponized sites using new or compromised domains, redirects, or shorteners. URL rotation and staging evade list-based controls; the linguistic and workflow context looks routine. This also includes threats that leverage legitimate cloud platforms to disguise their intent and avoid reputation analysis.  Phishing remains one of the most expensive cause of breaches, an average cost of $4.8 million (IBM Cost of a Data Breach Report 2025).

User impersonation (~19% miss rate)

Convincing messages that mimic executives, colleagues, or partners, often with subtle display-name or address manipulation. These attacks rely on social engineering and context, bypassing static detection and reputation checks.

Other notable misses: Credential harvesting lures and forged/abused sender addresses, both typically light on static indicators but heavy on contextual clues. 

Why SEGs miss these emails

Let’s look at some of the reasons SEGs fail to catch more advanced, context-driven attacks.

1. Attack-centric bias. SEGs excel at recognizing known-bad indicators (spam, commodity malware). But today’s high-impact threats are supercharged by AI and can be hyper-customized with polymorphic malware or personalized social engineering. They mirror normal business communications and weaponize trust, not binary patterns.  
2. Limited behavioral understanding. Without modeling each user’s “normal” pattern of life, subtle anomalies (timing, tone, counterpart, transaction patterns) can look benign, even if they should be flagged. Some modern solutions have begun to incorporate behavioral analysis into their products, but these are still supplements for additional information rather than integrated into the core threat detection engine.
3. Assumed trust. Account compromise and attacks that abuse legitimate services exploit trust. SEGs weren’t designed to handle these kinds of threats, in fact, they assume trust in order to minimize false positives, leaving them wide open to attackers.  
4. Siloed detection. Email rarely tells the whole story. Attacks pivot across email, identity, and SaaS; single-channel tools can’t connect those dots in real time. This issue is exacerbated when email security vendors are only focused on email activity, ignoring activity beyond the inbox like network or cloud account activity.
5. Adaptive evasion. Fast domain churn, benign-looking links, and clean hosting on trusted platforms routinely outpace static rules and blocklists. No matter how great your threat intelligence or threat research teams may be, there is a reliance on a first victim – which leads to defenders remaining one step behind attackers. 

How Darktrace / EMAIL catches the threats SEGs miss

Everywhere a SEG falters, Darktrace excels. Let’s take a look why.

• Self-Learning AI: Darktrace learns the unique communication patterns of every user, department, and supplier, flagging the subtle deviations that typify social engineering and impersonation. 
• A zero trust approach: According to Gartner, many organizations fail to extend their zero-trust strategy to email, leaving a critical gap. Darktrace assumes no trust, applying the zero trust principle across all aspects of email communication.
• Cross-domain context: Correlates behavior across email, identity, and SaaS, exposing multi-stage campaigns that a siloed SEG can’t piece together. 
• Better together with native providers: Operates alongside your native email security – not against it – so protection is additive. Darktrace ingests native signals and orchestrate unified quarantine without duplicating policy stacks or forcing you to disable built-in protections. 

For example: one of our customers, a global enterprise saw a surge of “document-share” notifications from a trusted collaboration platform. The domain and authentication looked fine; their SEG allowed it. Darktrace / EMAIL flagged it because the supplier’s sharing behavior and permission scope deviated from normal (volume, recipients, and access level). Follow-up confirmed the supplier account was compromised. Behavioral context – not rules or signatures – made the difference. 

Three steps to building a modern email security stack

Let’s end with three strategic takeaways for ensuring your email security is fit-for-purpose.

1. Defense-in-depth = diversity, not duplication

Why it matters: Two security layers with the same detection philosophy (e.g. SEG + native email security) create overlapping blind spots. Both native email security providers and SEGs are attack-centric solutions that rely on past threats and threat intelligence. True defense-in-depth ensures you are asking different questions of every email that comes through.

How to apply: Pair your native email security with behavioral AI that learns how your business communicates. Eliminate redundant layers that only add cost and latency. 

2. Coordinate the layers you keep

Why it matters:  Layers that don’t talk create delays and hand-offs; SEGs often become sole decision-makers by forcing native protections off. 

How to apply:  Favor an ICES approach that ingests native signals and can orchestrate unified quarantine, so detections become actions in one motion. 

3. Quantify your security gap with a POV

Why it matters:  Every environment is different. You need evidence before making changes to your stack.

How to apply:  Run Darktrace / EMAIL in observe mode next to your current stack to surface exactly what’s still getting through. Use those results to plan your transition and measure improvement. 

‍

Ready to claim 17% more protection? Request a demo with Darktrace / EMAIL to quantify what your SEG is missing, then decide how much of that residual risk you’re willing to accept. We’ll help you plan a clean, staged transition that preserves native protections and streamlines operations.  In the meantime, calculate your potential ROI using Darktrace / EMAIL with our handy calculator.

[related-resource]