• New research finds approximately 17% of email threats bypass Secure Email Gateways but are stopped by Darktrace’s AI^[1]
• New enhancements strengthen protection against threats that move across channels, like email bombing campaigns, as the volume of these attacks surges 100x
• New brand verification capabilities introduced as phishing attacks targeting Black Friday shoppers surged 1,317% in November^[2]
• Recognized across the industry for its AI-native approach, Darktrace / EMAIL™ was recently named a Leader in the 2025 Gartner® Magic Quadrant™ for Email Security Platforms (ESP)

Modern social engineering attacks no longer begin and end in the inbox. They move across identity platforms, SaaS tools, and collaboration apps, exploiting gaps between disconnected security products, and employing increasingly sophisticated techniques to evade traditional defenses and reach end users.

To address these challenges, Darktrace, a global leader in AI for cybersecurity, today announced a series of enhancements to Darktrace / EMAIL™ designed to detect and stop attacks spanning communications channels, strengthen outbound email protections and streamline SOC integrations. The new capabilities will help security teams catch sophisticated attacks that evade traditional email tools, protect sensitive data, and preserve trust in digital communications – all while reducing operational complexity in crowded security environments.

New Darktrace research shows that even with multiple layers of traditional email security in place, a significant share of dangerous messages still gets through. Across real-world deployments, Darktrace / EMAIL immediately identified the 17% of threats that bypassed SEGs, including highly targeted social engineering messages that appear routine or urgent, but contain no obvious payloads, such as impersonation attempts, fake payment or vendor change requests. Traditional methods miss these threats because they’re built to stop obvious spam and malware and, to avoid false positives, default to trusting emails that appear routine. Darktrace / EMAIL can stop these threats because its Self-Learning AI engine understands how each organization normally communicates and spots subtle changes in sender, tone, timing, and behavior that signal a threat, even when conventional tools see nothing unusual.

Enhanced Protection Against Cross-Channel Attacks

Attacks targeting users across their communications channels, like email bombing campaigns, are on the rise. Between April and July 2025, the volume of email bombing messages surged 100x, growing from 200,000 emails to more than 20 million observed across Darktrace’s email customer base. These campaigns flood inboxes with benign messages to create noise and confusion, then an attacker reaches out via other channels like Teams or a phone call, posing as IT support offering to resolve the issue, and uses that trust to gain access or carry out further malicious activity.  Because these emails often originate from legitimate services and contain no malicious payloads, traditional email tools struggle to detect them until the attack is already well underway, leaving organizations exposed.

To tackle the rise of multi-channel campaigns, Darktrace today introduced a new integration between Darktrace / EMAIL and Darktrace / IDENTITY™ for stronger multi-domain detection and response. When Darktrace / EMAIL detects suspicious patterns like an email bombing campaign, it can now share that signal with Darktrace / IDENTITY™ to increase sensitivity around the targeted user and more quickly spot attempted account takeovers or impersonation to stop attacks from progressing. The same cross-domain understanding and correlation extends into business applications such as Salesforce, where Darktrace can assess and action potentially malicious tickets created from email, giving security teams faster and more coordinated response across the environments they rely on most.

Darktrace has also strengthened detection accuracy by layering its behavioral insights with traditional threat intelligence, using integrated antivirus verdicts and structured feeds to enrich alerts with deeper context and enable faster, more confident triage.

These enhancements build upon Darktrace / EMAIL’s existing ability to combine behavioral and content analysis across inbound, outbound, and lateral email, as well as Microsoft Teams messaging to identify threats across the entire attack chain. It learns the normal communication patterns of every user and organization, analyzing thousands of data points for each message including language, tone, links, sender profile, historical behavior of sender and recipient, and activity across other digital channels. As a result, Darktrace spots the subtle, context-driven deviations that define modern attacks and provides earlier, more precise detections. This unique approach has been recognized across the industry, with Darktrace / EMAIL™ being named a Leader in the 2025 Gartner® Magic Quadrant™ for ESP and a 2025 Gartner® Peer Insights™ Customers’ Choice for ESP.

Securing Outbound Communications and Data

Darktrace observed a 1,317% month-over-month rise in phishing attacks targeting Black Friday in November, as attackers used seasonal targeting to exploit customer trust^[2]. This surge underscores how attackers are increasingly weaponizing impersonation and trusted channels, making securing outbound communications just as important as blocking inbound threats.

To help organizations tackle brand abuse and reinforce trust in their outbound messages, Darktrace / EMAIL–DMARC now includes full Brand Indicators for Message Identification (BIMI) support. BIMI enables organizations to display a verified brand logo directly in recipients’ inboxes, making legitimate communications easier to recognize. By pairing BIMI enforcement with Darktrace’s behavioral detection capabilities, organizations can authenticate outbound messages while identifying inbound emails that attempt impersonation, helping to protect both their brand and their users. Darktrace / EMAIL – DMARC is available at no additional cost for all Darktrace customers using Microsoft365.

At the same time, not all outbound risk comes from attackers. Human error remains a leading cause of data exposure, with mis-delivery accounting for 72% of all actions involving end users in internal breaches^[3]. To address this, Darktrace created the industry’s first label-free behavioral data loss prevention (DLP) powered by a proprietary domain-specific language model within Darktrace / EMAIL. The solution can now automatically identify over 35 new categories of Personally Identifiable Information (PII) and Protected Health Information (PHI) across emails and attachments including personal, financial, and health data. By learning how each user typically handles sensitive information, and intervening when outbound behavior deviates from expected patterns, this behavioral approach adds a real-time, contextual safeguard against misaddressed messages and unintended data sharing.

Together, BIMI support and behavioral DLP help organizations secure both who appears to be sending an email and what is being sent, strengthening trust in outbound communications while reducing the risk of sensitive data exposure.

New Integrations Help Reduce Friction and Accelerate Investigations

To help SOC teams move faster without adding operational complexity, Darktrace / EMAIL now includes new integrations that streamline investigations and plug into existing workflows:

• Jira and ServiceNow Integrations: Darktrace can now automatically create a Jira or ServiceNow ticket, so every report is captured, tracked, and routed through the organization’s established processes.
• Sandbox Analysis Integration: Analysts can analyze payload behavior in isolated environments directly within the Darktrace UI to quickly validate threats and close cases with confidence.

These new capabilities build on Darktrace / EMAIL’s existing ecosystem integrations, including recent integration with Microsoft Defender for Office 365, that delivers unified quarantine management, so security teams can see and control emails actioned by both products in one place, with full Darktrace visibility in Microsoft 365, and the Darktrace Email Analysis Agent for Microsoft Security Copilot. The agent lets analysts ask questions in plain language and pulls Darktrace / EMAIL insights, including alerts, device details, Cyber AI Analyst™ incidents, and email-related threats, directly into their Copilot investigations. This helps teams quickly see what’s happening, where, and who is involved, all from a single conversational view.

Together, these integrations give security teams consolidated visibility and faster investigations, streamlining workflows for organizations managing complex, multi-tool environments.

“Email is the starting point for attacks that quickly expand into other parts of the digital ecosystem and can escalate into compromised identities, cloud access abuse, or manipulation of collaboration tools - well beyond what traditional email defenses are built to handle,” said Connie Stride, SVP of Product, Darktrace. “With our latest Darktrace / EMAIL™ innovations, we extend multi-domain detection by linking behavioral signals across email, identity, and SaaS to uncover advanced attacks that move across channels, while strengthening safeguards on outbound messages. These capabilities give security teams the visibility and precision to stop modern attacks before they progress and preserve trust in every interaction.”

Additional Resources ‍

• Tune into Darktrace’s Innovation Launch on December 9^th to learn more about our latest innovations.
• To learn more about Darktrace / EMAIL, check out the product page.
• Download a copy of 2025 Gartner® Magic Quadrant™ for Email Security Platforms report here.
• Learn more about Darktrace’s Black Friday phishing analysis and discover top tips to stay safe here.
• Download relevant images and logos here.

About Darktrace

Darktrace is a global leader in AI for cybersecurity that keeps organizations ahead of the changing threat landscape every day. Founded in 2013, Darktrace provides the essential cybersecurity platform protecting organizations from unknown threats using its proprietary AI that learns from the unique patterns of life for each customer in real-time. The Darktrace ActiveAI Security Platform™ delivers a proactive approach to cyber resilience to secure the business across the entire digital estate – from network to cloud to email. It provides pre-emptive visibility into the customer’s security posture, transforms operations with a Cyber AI Analyst™, and detects and autonomously responds to threats in real-time. Breakthrough innovations from our R&D teams in Cambridge, UK, and The Hague, Netherlands have resulted in over 200 patent applications filed. Darktrace’s platform and services are supported by over 2,300 employees around the world who protect nearly 10,000 customers across all major industries globally. To learn more, visit  http://www.darktrace.com.

^[1] According to internal Darktrace research. The figure is a volume-weighted average from real enterprise environments where Darktrace / EMAIL ran alongside native email security and a widely deployed leading SEG and represents the share of inbound threats that bypassed those controls but were detected by Darktrace.

^[2] Based on live tracking of phishing emails mentioning ‘Black Friday’ [1 October – 30 November 2025].

^[3] Verizon, 2025 Data Breach Investigations Report (DBIR), p. 22.