Learn about the benefits of flexible deployment with Darktrace's cutting-edge technology. Explore how to stay ahead of email attacks and stay safe with AI.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Carlos Gray
Senior Product Marketing Manager, Email
Share
20
Apr 2023
With the widespread adoption of cloud email services, security vendors are collaborating with cloud providers to offer faster and more seamless ways of rolling out security solutions like API-driven one-click deployment. These new methods of deployment can install in seconds, reduce the risk of email disruption and scale without any additional configurations.
Third-party SEGs (Secure Email Gateways) traditionally provided the foundation for email security and operations, operating via an on-premises or virtual appliance or a cloud service. SEGs process and screen all email traffic according to a set of pre-defined rules to protect against phishing attacks. In order to implement, these solutions require organizations to reroute their mail exchange (MX) record to direct emails towards the SEG.
In recent years Microsoft and Google have leveled up their security significantly, making valuable extensions to foundational email security. However, it is just that, foundational. The current email threat landscape has led to more sophisticated malware delivery techniques and social engineering tactics, creating demand for advanced email security solutions that can collaborate with native vendors and combine diverse approaches to provide in-depth defense – for example, the established partnership between Darktrace and Microsoft. Indeed, Gartner reported that the industry is moving towards a combination of native provider security and API-based vendors, allowing for full-breadth coverage of the variety of use cases.
API-driven deployment
With cloud email services now ubiquitous for almost every business, it makes sense for email security vendors to leverage these cloud services for deployment. Because these products co-exist with, rather than replace, the in-built security of cloud email, they don’t require rerouting the domain name services mail exchanger (DNS MX) record. Instead, vendors can offer seamless delivery of their products by using APIs, which integrate fully via cloud applications without affecting the email delivery path – making installation and uninstallation straightforward while offering uninterrupted workflows.
And communication doesn’t stop at email; in the world of hybrid work, email is just one of the tools employees use to connect and send sensitive information. APIs allow security solutions to integrate with other collaboration tools – including Microsoft Teams, Slack, Salesforce and Dropbox – to allow for full visibility of an organization beyond just the inbox.
API + Journaling
While APIs are unmistakably the future of deployment, they can also be easily augmented. That’s where API+Journaling comes in. Where API-only analyzes emails after they have passed through initial cloud security, and has the ability to quarantine or return them to the inbox post-delivery, API with added journaling in Microsoft 365 takes the raw email data before it enters the inbox to analyze in parallel with the provider’s native security.
As both scenarios take place at machine speed the difference is often imperceptible, but there can be instances where API-only is marginally slower – in certain cases even a second can be detrimental when dealing with such a critical communication platform as email. For these organizations, journaling reduces latency to ensure best in class detection speeds, as much as 30 times faster than API-only.
Figure 1: Darktrace deploys in parallel, without any changes to the delivery path and no risk of operational outage
Darktrace/Email: Flexible Deployment to Suit You
In a crowded market for ICES vendors, those who can offer flexible deployment will remain ahead of the game. Organizations should be able to choose from speedy deployment using API-only, or longer deployment with journaling – with the option to deploy via cloud or on-premise.
Darktrace/Email offers the best of both worlds – giving customers the choice of deployment via API or API+Journaling in Microsoft 365 to meet their organization’s needs. Equally, they can choose to deploy fully via cloud or fully on premise, whichever best suits their team setup. Either way, there’s no change to the email path. With 1-click deployment that installs in seconds, or 5-minute deployment with added journaling – it can scale from just a handful of inboxes to tens of thousands, without any re-routing or additional configurations aside from accepting permissions.
Figure 2: 1-Click deployment installs in seconds via API, with advanced API+Journaling options for reduced latency.
Added features increase the efficiency of workflows to benefit teams – such as the ability to recuperate a delivered message from a user’s inbox post-delivery, whether it is in bulk or a single email. Seamless integration within the email application creates an intuitive user experience, introducing non-invasive banners and simple AI analysis inside the inbox.
Security teams can also get a clearer picture of how effective their current email solution is, as emails aren’t stopped by the SEG before reaching the provider – allowing for improved visibility from first deployment.
Darktrace works with email providers to take advantage of their native security and combine it with our Self-Learning AI, offering flexibility without compromising on speed of deployment. This approach enhances detection by leveraging the same API connections to gather additional context from other SaaS applications like Microsoft Teams and SharePoint – hardening defenses across the organization.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Journey of a Threat: How Multi-Layered AI Works in Darktrace / EMAIL
Follow a malicious email as it moves through Darktrace / EMAIL’s multi-layered AI system, from raw data to final decision. Each layer works together to detect threats, understand intent, and take autonomous action.
How email-delivered prompt injection attacks can target enterprise AI – and why it matters
Prompt injection is a newly emerging threat, with only a handful of confirmed victims so far – targeting how AI systems use data rather than exploiting traditional software vulnerabilities. As agentic AI becomes embedded across enterprise environments, attackers may attempt to manipulate these systems through hidden instructions in everyday email content.
Security After Signatures: Operating in a World of Pre‑CVE Disclosure Exploitation, Collapsed Trust Boundaries, and Autonomous Systems
Three shifts have reshaped what it means to defend an enterprise securely.
First, exploitation often begins before defenders have a Common Vulnerabilities and Exposures (CVE) identifier, a security advisory, or an entry in the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog.
Secondly, the trust boundary has moved beyond the network edge into identities, tokens, APIs, and Software-as-a-Service (SaaS) workflows.
Third, an increasing share of business activity is executed through automation, integrations, and AI agent-like systems that can act faster than teams can verify intent.
If your security model still relies on detecting known bad artefacts, triaging isolated alerts, and waiting for confirmation before acting, you are already behind the threat.
This is not a failure of security teams; it’s a failure of the operating model to keep pace with how the environment has changed.
A SOC built around alerts and signatures assumes that malicious activity will eventually surface as an event. In real incidents, however, the decisive evidence is rarely a single event. Instead, it is a chain of individually explainable actions that only appears malicious once you connect the dots across identity, non-human identity, cloud, email, SaaS, operational technology (OT), and network telemetry.
The defenders succeeding today observe behaviors, link them into sequences, understand what those sequences mean, and contain impact before the full story unfolds. That is the operating model the current threat environment demands.
In one example, Darktrace observed a sequence of subtle but strategically significant anomalies within a customer environment that later aligned with exploitation of CVE‑2025‑0994 in Trimble Cityworks by likely Chinese-nexus threat actors. Behavioral indicators were visible at least 18 days before public disclosure, with related anomalies emerging 40 to 50 days earlier during the intrusion window.
This case illustrates a familiar pattern: clusters of weak‑signal anomalies combing to form an actionable picture of intrusion long before a CVE is published. Such activity reflects long‑horizon, option‑preserving operator models often associated with mature state‑linked activity.
Figure 1: Darktrace’s detection of malicious exploitation of CVE 2025-0994, later tied to Chinese-nexus threat actors targeting critical national infrastructure (CNI) in the US, weeks before public disclosure.
Throughout 2025 and 2026, Darktrace has continued to observe the value of anomaly-based detections across a range of incidents.
CVE
CVE public disclosure date
Darktrace detection date
Days between detection of exploitation and CVE public disclosure
CVE-2025-0994Trimble Cityworks
2025-02-06
2025-01-19
18 days
CVE-2025-24183Apache
2025-03-10
2025-02-18
20 days
CVE-2025-10035Fortra GoAnywhere
2025-09-18
2025-09-11
7 days
CVE-2026-0257PAN-OS
2026-05-13
—
—
Identity is the real control plane
The second shift is that identity has replaced perimeter as the primary control plane. As Darktrace’s Annual Threat Report 2026 illustrated, identity remains the main challenge in defending against modern intrusions. A clear example is the Adversary-in-the-Middle (AiTM) case published by Darktrace in December 2025. A phishing email led to the compromise of an Office 365 account. Session hijacking bypassed multi-factor authentication (MFA), and the compromised account was used for follow-on phishing and persistence activities including the creation of malicious email rules.
Every step in that sequence mattered. A successful login alone does not prove legitimacy. An inbox rule, on its own, may not appear catastrophic. Mail activity, viewed in isolation, may seem operationally normal. But the behavioral chain tells a different story: credential theft, token abuse, persistence, and onward compromise through a trusted identity.
This is why the question is no longer “Did the user authenticate successfully”. The more important question is, “Does this identity action make sense right now, in this context, given what came before it?” The AiTM case shows how identity can be compromised. In practice, however, attacks rarely remained confined to identity alone.
In another Darktrace case, a compromised SaaS account triggered activity across the email, SaaS, and network layers, including inbox rule changes, phishing propagation, and connections to suspicious infrastructure. Viewed in isolation, none of these events were decisive. Together, however, they formed a behavioral sequence that revealed the intrusion, with the full attack story automatically correlated and surfaced to defenders by Darktrace’s Cyber AI Analyst.
Figure 2: Cyber AI Analyst correlated and appended additional events to the incident, including other users who connected to the suspicious redirect link after outbound phishing emails were sent.
AI accelerates the threat
The third shift is the one many teams still underestimate: trusted tooling, integrations, and AI agent-like systems can create actions that appear legitimate but are strategically dangerous.
The shift becomes clearer when examining how governments are now framing AI risk. In 2026, guidance published by CISA, UK’s National Cyber Security Centre (NCSC) and Five Eyes partners warned that agentic systems expand attack surfaces, accumulate privilege, and can behave in ways that are difficult to predict or explain [1]. The advice is simple: assume unexpected behavior and design controls around it.
The real risk is not AI usage. It is unknown autonomy: systems with credentials, data access, and action paths that can execute workflow steps without sufficient behavioral validation, traceability, or human oversight. Darktrace’s Model Context Protocol (MCP) risk analysis provides a useful framework for understanding this challenge. Over-privileged agents, content injection, and tool abuse become high-consequence risks when connected systems can dynamically retrieve data, execute actions, and communicate externally.
Whether security teams like it or not, AI is already in the enterprise. It will help drive innovation, but it will also be abused, whether accidentally or maliciously. In each of the cases below, AI either scaled the attacker, built the tooling, or existed within the environment as something to exploit or misuse.
1. AI as an Attack Multiplier
In one campaign targeting Mexican government entities, a single operator used commercial AI platforms to generate exploits, automate reconnaissance, and process large volumes of data, compressing work that would traditionally have required an entire team into a single workflow [2].
Attempted AI exploitation is now appearing within customer environments. In one case involving an automation technology manufacturer, a compromised LLM proxy was seemingly used as a stepping stone to access additional AI services. When that attempt failed, the attacker pivoted to cryptomining.
What is clear is that the AI layer has already become an asset worth probing, exploiting, and pivoting through. It is also clear that defenders benefit from rapidly understanding how these activities connect. In this case, Cyber AI Analyst automatically pieced together the intrusion, while Darktrace’s Managed Threat Detection service alerted to the customer, enabling the activity to be contained before it could progress further.
Figure 3: Cyber AI Analyst's investigation into a compromised LLM proxy that was abused for cryptomining activity.
AI as a trusted but dangerous actor
This does not require a cinematic vision of “rogue AI.” The Salesloft incident provides a more grounded example, where AI and automation operate with legitimate access but served malicious intent. In that case, attackers abused compromised OAuth tokens associated with the Drift AI chat agent to export significant volumes of data from Salesforce environments.
The activity resembled legitimate API usage and relied on trusted SaaS integrations rather than malware or other obvious signs of intrusion. That is precisely the challenge. Traditional security controls are good at detecting forced entry, but far less effective when a trusted application integration behaves in a way that is technically permitted yet operationally harmful.
In these scenarios, the security challenge shifts from validating access to validating behavior.
This is what that looks like in practice: AI-linked identities executing legitimate actions that require behavioral validation rather than access validation.
Figure 4: Darktrace / SECURE AI highlights anomalous activity across AI identities, surfacing critical behavior that requires validation and containment.
Early observations from Darktrace / SECURE AI deployments reinforce this reality. Across Darktrace's observed fleet, AI service connections per deployment increased 13% during the first half of 2026, reaching over 16 million connections overall. The typical organisation now interacts with seven different AI providers, evidence that AI is no longer operating at the edges of the enterprise. It is increasingly woven into day-to-day business activity.
The most common risks are not compromised models or advanced AI attacks. Instead, they stem from employees and business functions exposing sensitive information through entirely legitimate-looking interactions. Darktrace has observed repeated submission of personally identifiable information (PII), tax information, identification documents, and medical data into LLM prompts, alongside widespread use of unsanctioned (shadow) AI services and growing AI activity from mobile devices.
For defenders, the challenge is increasingly one of context: understanding when legitimate business use crosses into material risk, while preserving privacy and user trust.
Conclusion
Across all three shifts, the pattern is the same: behavior precedes understanding. Security teams are not losing because adversaries have become invisible. An increasingly outdated security model assumes that malicious activity will reveal itself cleanly and early. It no longer does.
In 2026 and beyond, defenders win by understanding behavioral sequences, continuously validating trust, and acting before certainty becomes hindsight. That is security after signatures. That is security in the AI era.
Credit to: Daniel Levy, Threat Hunting Data Scientist
2026年6月12日、DarktraceはLiteLLM-Proxyという名前のAmazon Web Service (AWS) EC2インスタンスから暗号通貨マイニング発生中とみられるアクティビティを観測しました。このインスタンスはLiteLLMアクティビティをサポートしており、Amazon Bedrockリソースへのアクセス権を有するインスタンスプロファイルと関連付けられていました。