Darktrace has announced a series of new capabilities for its Darktrace / EMAIL platform aimed at detecting and stopping increasingly sophisticated, cross-channel cyberattacks. The enhancements are designed to protect organisations from threats that traverse email, identity platforms, cloud applications and collaboration tools, while also strengthening outbound trust and reducing data-loss risks.
The update comes as Darktrace research shows that around 17 per cent of email threats bypassed traditional Secure Email Gateways (SEGs), yet were immediately detected by Darktrace’s behavioural AI systems. These threats often include highly targeted social-engineering attempts—such as impersonation, payment-diversion requests and vendor-change scams—that contain no obvious malicious payloads and therefore evade signature-based tools.
Cross-channel attack detection
Darktrace reports a sharp rise in multi-channel campaigns, including email bombing attacks that surged 100-fold between April and July 2025. These attacks flood inboxes with benign messages to overload victims before attackers switch to another medium, such as phone calls or collaboration apps, to gain trust and escalate the intrusion.
To counter these tactics, the company has introduced a new integration between Darktrace / EMAIL and Darktrace / IDENTITY. When the email platform detects unusual patterns—such as inbox flooding—it can signal the identity platform to heighten monitoring for account-takeover activity. Darktrace says this cross-domain correlation also extends into business tools such as Salesforce, enabling faster analysis of potentially malicious tickets created from email.
The platform now blends its behavioural analysis with threat-intelligence feeds and antivirus verdicts to improve alert accuracy and support faster investigations.
Outbound protection and brand-trust safeguards
Darktrace observed a 1,317 per cent month-over-month spike in phishing campaigns targeting Black Friday shoppers, reinforcing the need to secure both inbound and outbound messages.
To address this, Darktrace / EMAIL–DMARC now supports full Brand Indicators for Message Identification (BIMI). Organisations can display verified logos in recipients’ inboxes, strengthening brand recognition and helping users distinguish legitimate messages from impersonation attempts. BIMI support is available at no additional cost for Darktrace customers using Microsoft 365.
The company has also expanded its behavioural data-loss prevention (DLP) capabilities. Using a proprietary domain-specific language model, Darktrace can now automatically detect more than 35 new categories of personal and health information in emails and attachments. By learning each user’s normal handling of sensitive data, the system can intervene when an outbound message deviates from typical behaviour—helping prevent misdirected emails, which account for a significant share of user-related data-exposure incidents.
New integrations for SOC efficiency
To streamline analyst workflows, Darktrace / EMAIL now integrates with Jira and ServiceNow for automatic case creation and tracking. A new sandbox analysis feature also allows security teams to examine suspicious payload behaviour directly within the Darktrace interface.
These updates build on existing integrations with Microsoft Defender for Office 365 and Microsoft Security Copilot, enabling unified quarantine control and natural-language retrieval of Darktrace insights within Copilot investigations.
Connie Stride, SVP of Product at Darktrace, said modern attacks frequently cross traditional security boundaries. “Email is the starting point for attacks that quickly expand into other parts of the digital ecosystem,” she said. “Our latest Darktrace / EMAIL innovations link behavioural signals across email, identity and SaaS systems to expose advanced attacks that move across channels, while also strengthening safeguards on outbound messages.”
The company says the new capabilities are designed to give security teams greater visibility, faster detection and coordinated response as attackers adopt more complex, multi-domain methods.

