See why 9,000+ companies trust Darktrace
Thanks, your request has been received
A member of our team will be in touch with you shortly.
Oops! Something went wrong while submitting the form.

What is Integrated Cloud Email Security (ICES)?

What Is Integrated Cloud Email Security?

Integrated cloud email security is a type of email security solution that supplements cloud-based email service, such as Microsoft Office 365, Google Workspace, or Amazon WorkMail. An ICES solution will provide advanced email protection against a wide range of threats, including spam, phishing, malware, and ransomware.

How does ICES work?

Integrated Cloud Email Security (ICES) is a cloud-based approach to email security that enhances and complements traditional Secure Email Gateways (SEGs). ICES solutions provide advanced threat protection, including the detection and remediation of sophisticated threats that traditional SEGs might miss. Here’s an overview of how ICES works and its key components:

Cloud-Based Architecture

Scalability: Leveraging the cloud allows ICES to scale seamlessly with an organization’s email traffic.

Accessibility: Being cloud-based, ICES can be easily integrated with cloud email services like Office 365 and G Suite.


When an email is sent to a user's email address, it is routed through the ICES system, which scans the email for spam, viruses, and other email-based threats using a combination of signature-based and behavior-based threat detection techniques. This includes analyzing the email's content, attachments, and sender reputation to determine if it contains malicious content to identify known and unknown threats.


Some ICES systems like Darktrace, can block the email from ever reaching the recipient’s inbox or flag the email, alerting the security team to take further analysis.

Similarly, ICES systems can take remediation actions, such as removing malicious content from an email or blocking the sender's email address to prevent future emails from reaching the recipient's inbox.


ICES is updated in real-time to detect and protect against emerging threats, such as new strains of malware or phishing attacks. Using machine learning and AI, ICES is able to update automatically and in real-time to respond to new threats and vulnerabilities. This means that businesses do not need to manually update the system or worry about falling behind on the latest threat protection.

The benefits of ICES email security

ICES does not take the place of existing email security measures. Instead, it augments these systems, increasing the effectiveness of email security. ICES has several benefits including:

  1. Advanced Threat Detection
    • Machine Learning and AI: ICES uses machine learning algorithms and artificial intelligence to identify and block advanced threats. These algorithms continuously learn and adapt to new attack patterns.
    • Behavioral Analysis: This involves monitoring the behavior of email content and attachments to identify malicious intent. It can detect anomalies that deviate from normal behavior.
    • Heuristic Analysis: Analyzing email content and attachments for suspicious patterns and characteristics indicative of threats.
  2. Sandboxing
    • Dynamic Analysis: Suspicious attachments and links are executed in a virtual environment to observe their behavior. If malicious activity is detected, the email is quarantined or blocked.
    • Isolation: By isolating potential threats, sandboxing prevents malware from reaching the end user’s environment.
  3. Content Disarm and Reconstruction (CDR)
    • Sanitization: ICES removes potential threats by stripping active content (such as macros in documents) and delivering a sanitized, safe version of the attachment to the user.
    • Reconstruction: After disarming the content, the email is reconstructed to retain its original appearance without the embedded threats.
  4. Anti-Phishing Mechanisms
    • URL Protection: Scanning and rewriting URLs in emails to point to safe browsing environments where the links are analyzed before allowing access.
    • Brand Impersonation Detection: Using AI to recognize attempts to impersonate trusted brands and flagging or blocking such emails.
    • User Training and Awareness: Providing in-line warnings and training to users about phishing attempts.
  5. Post-Delivery Protection
    • Continuous Monitoring: ICES solutions continuously monitor delivered emails for new threat intelligence updates. If a threat is detected post-delivery, automated actions can be taken.
    • Retrospective Analysis: Analyzing previously delivered emails when new threat intelligence becomes available, ensuring ongoing protection even after delivery.
    • Automated Remediation: Automatically removing or quarantining emails found to be malicious after they have been delivered to users’ inboxes.
  6. Integration with Existing Security Infrastructure
    • APIs and Connectors: ICES can integrate with other security tools and platforms through APIs and connectors, providing a cohesive security environment.
    • SIEM and SOAR Integration: Sending alerts and logs to Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) systems for centralized monitoring and automated response.
  7. Data Loss Prevention (DLP)
    • Sensitive Data Scanning: ICES scans outgoing emails for sensitive information and enforces policies to prevent unauthorized data exfiltration.
    • Policy Enforcement: Applying predefined DLP policies to block, quarantine, or encrypt emails containing sensitive data.
  8. Threat Intelligence
    • Real-Time Updates: Leveraging global threat intelligence feeds to stay updated with the latest threats and attack vectors.
    • Collaborative Intelligence: Sharing threat intelligence across different organizations and platforms to improve detection capabilities.

The Difference Between SEG and ICES


A secure email gateway (SEG) or a secure email server (SEC) is a type of email security software that sits between inbound and outbound email communication. Every email that is sent to and from an organization passes through this gateway to ensure that its contents are not malicious or a sign of a data leak. It prevents unwanted emails in user inboxes like spam, phishing emails, emails containing malware, and more. In many ways email gateways are the first line of defense for email security. 


The difference between ICES and SEG is that ICES solutions provide protection for cloud environments that can be on-premise or hybrid. ICES uses machine learning and natural language processing (NLP), and connects via API to understand an organizations email activity and protect against advanced phishing attacks. Unlike SEGs, which use a database of known threats, ICES has the capability to identify never before seen threats and socially engineered phishing emails. 

Email attacks ICES catches

Integrated Cloud Email Security (ICES) solutions are designed to catch a wide array of email-based attacks, including sophisticated and emerging threats that traditional email security measures might miss. Here are some of the key types of attacks that ICES can detect and mitigate:

Phishing & Spear Phishing

Phishing is the process of sending fraudulent emails, while posing as legitimate sender, to convince people to reveal sensitive information such as passwords, social security numbers, bank account information, and more. Spear phishing a type of phishing cyber-attack that targets a specific individual or organization rather than a broad audience. These attacks usually come in the form of email messages but ‘spear-phishing’ is a more specific way to describe a socially engineered phishing attempt that is targeted.

Account takeover

Account takeover fraud, or account compromise refers to a cyber-criminal gaining control of a legitimate account. This can happen when a threat actor successfully obtains an individual’s login credentials. Account takeover can be detrimental to business operations at any organization because with a legitimate account, attackers can operate covertly, have a stamp of credibility, and authority depending on who’s account is compromised.


BEC stands for Business Email Compromise. BEC involves attackers gaining unauthorized access to a company's email account or impersonating a trusted individual for the purpose of carrying out fraudulent actions such as transferring money or obtaining sensitive information through social engineering tactics.

CEO Fraud

CEO fraud is a form of impersonation where a threat actor will falsify their identity, acting as a CEO (or other executive) at an organization and attempt to communicate with other employees, such as members of the finance department. They trick using falsified versions of a high-ranking official’s credentials. These attacks are specifically focused on financial gain and often involve urgent requests for the transfer of money.​ 


Whaling is a heavily targeted phishing attack in which an attacker attempts to phish a high ranking official, often chief executives. These social engineering cyber-attacks contain information that is highly personalized to the intended target to encourage them to click a link that will download malware, transfer funds to the attacker, or share details that can facilitate further attacks. The effects of a successful whaling attack can be devastating, including data loss, financial loss, and reputational damage.

Zero-Day Exploits

Unknown Threats: ICES can identify and block zero-day exploits—attacks that exploit previously unknown vulnerabilities—using advanced techniques such as:

  • Sandboxing: Executing suspicious attachments in an isolated environment to observe their behavior.
  • Machine Learning: Leveraging AI to detect anomalous behavior indicative of zero-day exploits.
  • Behavioral Analysis: Monitoring the behavior of email content and attachments for signs of malicious activity.

How does ICES catch these email attacks?

These attacks use social engineering tactics to deceive users and solicit sensitive information. For example, a spear phishing attack might involve a cyber-criminal targeting a specific individual at an organization and messaging them via email. The email might be from a legitimate email address and will seem like a genuine request for information. An SEG does not have the capability to identify this as a strange request. However, an ICES develops on understanding of normal activity in the digital estate and can potentially detect suspicious behavior such as this.

Email Security Vendors: Darktace’s Approach to Email Security

Darktrace’s AI email security uses artificial intelligence and machine learning algorithms to prevent, detect, respond to, and heal from email attacks.

Through its unique understanding of you, rather than knowledge of past attacks, Darktrace/Email stops the most sophisticated and evolving email security risks like generative Al attacks, BEC, account takeover, human error, and ransomware.

In a Self-Learning AI model, the AI has the ability to understand the business from the inside out. That way when activity within the business deviates from ‘normal', the AI can identify this behavior and alert the security team. 

AI can also use real-time data to identify and respond to threats quickly, minimizing the potential damage and saving time for security teams who usually have to parse through a high number of flagged emails. 

One of the key benefits of integrated cloud email security and AI email security is that it can detect threats that may go unnoticed by traditional security systems, which often rely on pre-defined rules and patterns to identify threats. With AI, email security can continuously learn and adapt, providing more comprehensive protection against previously unknown email-based attacks.

Related glossary terms