Darktrace Email Boosts Detection, DLP, and SOC Tools

Summary
– Darktrace has enhanced its EMAIL product to detect multi-channel attacks, strengthen outbound email security, and streamline SOC integrations, aiming to catch sophisticated threats that evade traditional tools.
– Its Self-Learning AI identifies subtle behavioral deviations in communication, catching the 17% of threats like targeted social engineering that bypass conventional email security gateways.
– A new integration with Darktrace/IDENTITY helps detect cross-channel attacks, such as email bombing campaigns, by correlating signals to spot follow-up account takeover attempts.
– The platform now includes BIMI support for outbound brand authentication and a behavioral data loss prevention model to prevent sensitive data exposure from human error.
– New SOC integrations with Jira, ServiceNow, and sandbox analysis, alongside existing tools like Microsoft Copilot, consolidate visibility and accelerate investigations.
Darktrace has unveiled significant upgrades to its Darktrace / EMAIL platform, focusing on improved threat detection, data loss prevention, and streamlined security operations center workflows. These enhancements are designed to combat sophisticated multi-channel attacks that bypass conventional security tools, secure outbound communications, and reduce operational friction for analysts. The core of the platform remains its Self-Learning AI, which builds a unique understanding of an organization’s communication patterns to identify subtle, behavioral anomalies indicative of a threat.
Recent Darktrace research underscores a critical gap in email security. Even with layered defenses in place, a substantial number of dangerous messages evade detection. In real-world deployments, Darktrace / EMAIL identified 17% of threats that had slipped past traditional secure email gateways (SEGs). These included highly targeted social engineering attempts like impersonation and fake payment requests, emails that contain no malicious payloads and appear routine, making them invisible to tools focused solely on spam and malware.
The rising trend of cross-channel attacks presents a new challenge. Tactics like email bombing campaigns have surged dramatically, with observed volumes increasing 100-fold in a recent quarter. These campaigns flood inboxes with harmless messages to create confusion, after which attackers contact victims via alternate channels like Microsoft Teams or phone, posing as IT support to exploit trust. Since the initial emails are often from legitimate services, traditional tools fail to detect the coordinated attack.
To address this, Darktrace introduced a new integration between Darktrace / EMAIL and Darktrace / IDENTITY. When suspicious patterns like an email bombing campaign are detected, signals are shared to increase monitoring sensitivity around targeted users. This enables faster identification of attempted account takeovers or impersonation across domains, stopping attacks before they escalate. This cross-domain correlation also extends to business applications like Salesforce, allowing for coordinated response to malicious tickets created from email.
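The correlation described above, sketched as an added example that is not Darktrace's code: a sliding-window count flags recipients hit by an inbound burst, and identity events for those users inside a follow-up window are surfaced as correlated alerts. The log records, thresholds and event names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2024, 5, 1, 9, 0, 0)

# Constructed inbound-mail log: (received_at, recipient, sender_domain).
# alice gets 25 messages in under five minutes from many unrelated senders;
# bob gets three routine messages spread over an hour.
MAIL_LOG = [(BASE + timedelta(seconds=12 * i), "alice@corp.example", f"shop{i}.example")
            for i in range(25)]
MAIL_LOG += [(BASE + timedelta(minutes=m), "bob@corp.example", "partner.example")
             for m in (1, 30, 60)]

# Constructed identity-provider events: (occurred_at, user, event_name).
IDENTITY_LOG = [
    (BASE + timedelta(minutes=40), "alice@corp.example", "mfa_method_added"),
    (BASE + timedelta(minutes=45), "bob@corp.example", "login_success"),
    (BASE + timedelta(hours=5), "alice@corp.example", "login_success"),  # outside lookahead
]


def find_bombing_targets(mail_log, threshold=20, window=timedelta(minutes=10)):
    """Return {recipient: burst_start} for recipients receiving >= threshold
    messages inside any `window`-long span (sliding window over sorted times)."""
    by_rcpt = defaultdict(list)
    for received_at, rcpt, _sender in mail_log:
        by_rcpt[rcpt].append(received_at)
    targets = {}
    for rcpt, times in by_rcpt.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                targets[rcpt] = times[start]
                break
    return targets


def correlate(mail_log, identity_log, lookahead=timedelta(hours=2), threshold=20):
    """Raise an alert for any identity event on a bombed user that occurs within
    `lookahead` of the burst start: this is the raised-sensitivity window."""
    targets = find_bombing_targets(mail_log, threshold)
    alerts = [(user, event, t) for t, user, event in identity_log
              if user in targets and targets[user] <= t <= targets[user] + lookahead]
    return targets, alerts
```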
Detection accuracy is further strengthened by layering behavioral insights with enriched threat intelligence, using integrated antivirus verdicts and structured data feeds to provide deeper context for alerts.
Securing outbound communications is equally vital. A massive observed increase in seasonal phishing attacks highlights how attackers weaponize trusted channels. To combat brand impersonation, Darktrace / EMAIL–DMARC now supports Brand Indicators for Message Identification (BIMI), allowing organizations to display verified brand logos in recipients’ inboxes to authenticate legitimate outbound messages.
Simultaneously, human error remains a leading cause of data exposure. Darktrace’s behavioral data loss prevention (DLP), powered by a proprietary language model, can identify over 35 new categories of sensitive information (PII/PHI) in emails and attachments. By learning how each user typically handles data, it intervenes in real-time when outbound behavior deviates, adding a contextual safeguard against misaddressed emails.
To accelerate SOC investigations, new integrations reduce workflow friction. Automated ticketing for Jira and ServiceNow ensures every alert is captured and routed through established processes. A Sandbox Analysis integration lets analysts examine payload behavior in isolated environments directly within the Darktrace interface for rapid threat validation.
These additions build upon existing ecosystem integrations, including with Microsoft Defender for Office 365 for unified quarantine management. The Darktrace Email Analysis Agent for Microsoft Security Copilot allows analysts to use plain language queries, pulling Darktrace insights directly into their investigations for a consolidated, conversational view of alerts and threats.
“Email is often the launchpad for attacks that rapidly expand into identity compromise, cloud access abuse, and manipulation of collaboration tools, scenarios beyond the scope of traditional email defenses,” explained Connie Stride, SVP of Product at Darktrace. “Our latest innovations extend multi-domain detection by linking behavioral signals across email, identity, and SaaS to uncover advanced, cross-channel attacks while strengthening safeguards on outbound messages. This gives security teams the precision and visibility needed to stop modern attacks early and preserve trust in every digital interaction.”
(Source: HelpNet Security)