Email security has always been a cat-and-mouse game. Viruses are invented, and antivirus software is invented to catalog known viruses and detect their presence in email attachments and URLs. As viruses morphed into more sophisticated forms of malware, cybersecurity tools adapted to be able to scan for and detect these new threats. Phishing became the next arena, giving birth to new tools as well as a whole new category of defense known as security awareness training. Now, the bad guys are attacking AI agents to bypass current security guardrails.
“AI assistants, copilots, and agents significantly expand the enterprise attack surface in ways that traditional security architectures were not designed to handle,” said Todd Thiemann, a cybersecurity analyst at research firm Omdia.
Enter a series of AI-based features for Proofpoint Prime Threat Protection that were introduced at the company’s Proofpoint Protect 2025 event in September. They thwart the efforts of hackers to subvert the actions of AI agents by scanning for potential threats before email messages arrive at an inbox.
Traditional Approach to Email Security
Most email security tools are designed to spot known bad signals like suspicious links, fake domains that look real, or attachments carrying malware. This approach works well against conventional phishing, spam, and known exploits. But cybercriminals are now going after the many AI assistants and AI agents that have become embedded in the workplace.
They do this by taking advantage of prompts (questions or commands in text or code form) that guide AI models and AI agents to either produce relevant responses or execute certain tasks. Increasingly, emails carry hidden, malicious prompts that use invisible text or special formatting designed to trick generative AI tools like Microsoft Copilot and Google Gemini into taking unsafe actions, such as exfiltrating data or bypassing security checks.
“Prompt injections and other AI-targeted exploits represent a new class of attacks that use text-based payloads that manipulate machine reasoning rather than human behavior,” said Thiemann.
Daniel Rapp, Chief AI and Data Officer at Proofpoint, provided an example: The standard used for email messages known as RFC-822 lays out the use of headers, plain text, and HTML. Not all of this is visible to a user. Attackers take advantage of this by embedding instructions in messages that are invisible to humans but fully readable by an AI agent. When AI processes the text, the embedded instructions are inadvertently executed. This can lead to data being exfiltrated or system behavior being altered or corrupted. Legacy filters looking for malware or malformed links see nothing amiss.
Daniel Rapp, Chief AI and Data Officer at Proofpoint.Proofpoint
“In recent attacks we are seeing cases where the HTML and plain text version are completely different,” said Rapp. “The email client renders the HTML version while invisible plain text contains a prompt injection that can be picked up and possibly acted on by an AI system.”
There are two reasons why this strategy is proving effective: First, if an AI assistant has access to an inbox, it can automatically act on an email the instant it arrives. Second, Rapp said the literal nature of AI agents makes them susceptible to phishing and other social engineering tricks. A human might think twice about sending money to a Nigerian bank account. An AI agent might blindly carry out a command to do so.
What differentiates the Proofpoint approach is that the company scans emails before they hit inboxes. It’s had plenty of practice. The company scans 3.5 billion emails every day, one third of the global total. In addition, it scans close to 50 billion URLs and 3 billion attachments daily. This is done inline i.e., while the email is traveling from the sender to the recipient.
“We have placed detection capabilities directly in the delivery path, which means latency and efficiency are critical,” said Rapp.
This necessary level of speed is accomplished by training smaller AI models specifically on detection, based on examples and the foundational knowledge of a large language model (LLM). For example, OpenAI’s GPT-5 is estimated to have as many as 635 billion parameters. Wading through that amount of data for every email isn’t feasible. Proofpoint has fine-tuned its models down to about 300 million parameters. It distills and compresses its models to attain low-latency, in-line performance without sacrificing detection fidelity. It also updates those models every 2.5 days to be able to effectively interpret the intent of the message itself, not just scan for indicators. In this way, it spots concealed prompt injections, malicious instructions, and other AI exploits before delivery.
“By stopping attacks pre-delivery, Proofpoint prevents user compromise and AI exploitation,” said Rapp. “Our secure email gateway can see emails and stop threats before they hit the inbox.”
In addition, Proofpoint uses an ensemble detection architecture. Instead of relying on a single detection mechanism, it combines hundreds of behavioral, reputational, and content-based signals to get around attack vectors that might navigate their way past one method.
AI Changes the Security Game
AI agents are being rolled out across the enterprise and consumer landscape. Unfortunately, the rush to capitalize on AI’s potential often relegates security to an afterthought. The bad guys know this. They are AI-enabling their cybercrime techniques and technologies to perfect the art of phishing for the AI agent era.
“Security tooling must evolve from detecting known bad indicators to interpreting intent for humans, machines, and AI agents,” said Thiemann. “Approaches that identify malicious instructions or manipulative prompts pre-delivery, ideally using distilled AI models for low-latency inline protection, address a significant gap in today’s defenses.”
Proofpoint is ahead of the pack with the role out of these capabilities. Expect other cybersecurity vendors to follow suit in the coming months. By that time, however, what other AI-borne threat will emerge?
From Your Site Articles
Related Articles Around the Web
