Darktrace announced a series of enhancements to Darktrace / EMAIL designed to detect and stop attacks spanning communications channels, strengthen outbound email protections, and streamline SOC integrations. The new capabilities will help security teams catch sophisticated attacks that evade existing email tools, protect sensitive data, and preserve trust in digital communications, all while reducing operational complexity.
New Darktrace research shows that even with multiple layers of email security in place, a significant share of dangerous messages still gets through. Across real-world deployments, Darktrace / EMAIL immediately identified the 17% of threats that bypassed SEGs, including highly targeted social engineering messages that appear routine or urgent, but contain no obvious payloads, such as impersonation attempts, fake payment or vendor change requests. Traditional methods miss these threats because they’re built to stop obvious spam and malware and, to avoid false positives, default to trusting emails that appear routine.
Darktrace / EMAIL can stop these threats because its Self-Learning AI engine understands how each organization communicates and spots subtle changes in sender, tone, timing, and behavior that signal a threat, even when conventional tools see nothing unusual.
Enhanced protection against cross-channel attacks
Attacks targeting users across their communications channels, like email bombing campaigns, are on the rise. Between April and July 2025, the volume of email bombing messages surged 100x, growing from 200,000 emails to more than 20 million observed across Darktrace’s email customer base. These campaigns flood inboxes with benign messages to create noise and confusion, then an attacker reaches out via other channels like Teams or a phone call, posing as IT support offering to resolve the issue, and uses that trust to gain access or carry out further malicious activity.
Because these emails often originate from legitimate services and contain no malicious payloads, traditional email tools struggle to detect them until the attack is already well underway, leaving organizations exposed.
To tackle the rise of multi-channel campaigns, Darktrace introduced a new integration between Darktrace / EMAIL and Darktrace / IDENTITY for stronger multi-domain detection and response. When Darktrace / EMAIL detects suspicious patterns like an email bombing campaign, it can now share that signal with Darktrace / IDENTITY to increase sensitivity around the targeted user and more quickly spot attempted account takeovers or impersonation to stop attacks from progressing.
The same cross-domain understanding and correlation extends into business applications such as Salesforce, where Darktrace can assess and action potentially malicious tickets created from email, giving security teams faster and more coordinated response across the environments they rely on most.
Darktrace has also strengthened detection accuracy by layering its behavioral insights with threat intelligence, using integrated antivirus verdicts and structured feeds to enrich alerts with deeper context and enable faster, more confident triage.
These enhancements build upon Darktrace / EMAIL’s existing ability to combine behavioral and content analysis across inbound, outbound, and lateral email, as well as Microsoft Teams messaging to identify threats across the entire attack chain. It learns the normal communication patterns of every user and organization, analyzing thousands of data points for each message including language, tone, links, sender profile, historical behavior of sender and recipient, and activity across other digital channels.
As a result, Darktrace spots the subtle, context-driven deviations that define modern attacks and provides earlier, more precise detections.
Securing outbound communications and data
Darktrace observed a 1,317% month-over-month rise in phishing attacks targeting Black Friday in November, as attackers used seasonal targeting to exploit customer trust. This surge shows how attackers are weaponizing impersonation and trusted channels, making securing outbound communications just as important as blocking inbound threats.
To help organizations tackle brand abuse and reinforce trust in their outbound messages, Darktrace / EMAIL–DMARC now includes Brand Indicators for Message Identification (BIMI) support. BIMI enables organizations to display a verified brand logo directly in recipients’ inboxes, making legitimate communications easier to recognize.
By pairing BIMI enforcement with Darktrace’s behavioral detection capabilities, organizations can authenticate outbound messages while identifying inbound emails that attempt impersonation, helping to protect both their brand and their users.
At the same time, not all outbound risk comes from attackers. Human error remains a leading cause of data exposure, with mis-delivery accounting for 72% of all actions involving end users in internal breaches. To address this, Darktrace created the behavioral data loss prevention (DLP) powered by a proprietary domain-specific language model within Darktrace / EMAIL. The solution can identify over 35 new categories of Personally Identifiable Information (PII) and Protected Health Information (PHI) across emails and attachments including personal, financial, and health data.
By learning how each user handles sensitive information, and intervening when outbound behavior deviates from expected patterns, this behavioral approach adds a real-time, contextual safeguard against misaddressed messages and unintended data sharing.
Together, BIMI support and behavioral DLP help organizations secure both who appears to be sending an email and what is being sent, strengthening trust in outbound communications while reducing the risk of sensitive data exposure.
New integrations help reduce friction and accelerate investigations
To help SOC teams move faster without adding operational complexity, Darktrace / EMAIL now includes new integrations that streamline investigations and plug into existing workflows:
- Jira and ServiceNow integrations: Darktrace can now automatically create a Jira or ServiceNow ticket, so every report is captured, tracked, and routed through the organization’s established processes.
- Sandbox Analysis integration: Analysts can analyze payload behavior in isolated environments directly within the Darktrace UI to quickly validate threats and close cases with confidence.
These new capabilities build on Darktrace / EMAIL’s existing ecosystem integrations, including recent integration with Microsoft Defender for Office 365, that delivers unified quarantine management, so security teams can see and control emails actioned by both products in one place, with Darktrace visibility in Microsoft 365, and the Darktrace Email Analysis Agent for Microsoft Security Copilot.
The agent lets analysts ask questions in plain language and pulls Darktrace / EMAIL insights, including alerts, device details, Cyber AI Analyst incidents, and email-related threats, directly into their Copilot investigations. This helps teams see what’s happening, where, and who is involved, all from a single conversational view.
Together, these integrations give security teams consolidated visibility and faster investigations, streamlining workflows for organizations managing complex, multi-tool environments.
“Email is the starting point for attacks that quickly expand into other parts of the digital ecosystem and can escalate into compromised identities, cloud access abuse, or manipulation of collaboration tools – well beyond what traditional email defenses are built to handle,” said Connie Stride, SVP of Product, Darktrace.
“With our latest Darktrace / EMAIL innovations, we extend multi-domain detection by linking behavioral signals across email, identity, and SaaS to uncover advanced attacks that move across channels, while strengthening safeguards on outbound messages. These capabilities give security teams the visibility and precision to stop modern attacks before they progress and preserve trust in every interaction.”