AI Agent Phishing: Proofpoint’s New Defense

Email security has always been a game of cat and mouse. Viruses were invented, and antivirus software was invented to catalog known viruses and detect their presence in email attachments and URLs. As viruses evolved into more complex forms of malware, cybersecurity tools were tailored to scan for and detect these new threats. Phishing became the next arena, giving rise to new tools as well as an entirely new category of protection known as security awareness training. Now, bad guys attack AI agents to bypass existing security fences.

“AI assistants, co-pilots and agents significantly expand the corporate attack surface in a way that traditional security architectures cannot handle,” said Todd Tiemann, an analyst at cybersecurity research firm Omdia.

Enter a series of AI-powered features for Proofpoint Prime Threat Protection, which were presented at the company's Proofpoint Protect 2025 event in September. They thwart hackers' efforts to subvert AI agents by scanning for potential threats before emails reach the inbox.

Traditional approach to email security

Most email security tools are designed to detect known bad signals, such as suspicious links, fake domains that look real, or attachments containing malware. This approach works well against regular phishing, spam and known vulnerabilities. But now cybercriminals are targeting the many AI assistants and AI agents built into workplaces.

They do this by using prompts (questions or commands in text or code form), which direct artificial intelligence models and AI agents either to provide appropriate responses or to perform specific tasks. Increasingly, emails contain hidden malicious prompts that use invisible text or special formatting designed to deceive generative AI tools such as Microsoft Copilot and Google Gemini into performing unsafe actions such as leaking data or bypassing security checks.

“Fast injections and other exploits targeting AI represent a new class of attacks that use text data that manipulates machine thinking rather than human behavior,” Tiemann said.

Daniel Rapp, director of artificial intelligence and data at Proofpoint, gave an example: a standard used for email messages known as RFC-822 describes the use of headers, plain text, and HTML. Not all of this is visible to the user. Attackers take advantage of this by embedding instructions in messages that are invisible to humans but fully readable by an AI agent. When the AI processes the text, the embedded instructions are executed unintentionally. This could result in data theft, or in system behavior being changed or damaged. Legacy filters that look for malware or bad links don't see anything wrong.


“In recent attacks, we are seeing cases where the HTML version and the plain text version are completely different,” Rapp said. “The email client displays the HTML version, while the invisible plain text contains a hint that the AI system can pick up and possibly respond to.”

There are two reasons why this strategy is effective. First, if the AI assistant has access to your inbox, it can automatically respond to an email the moment it arrives. Second, Rapp said the literal nature of AI agents makes them vulnerable to phishing and other social engineering tricks. A person may think twice before sending money to a Nigerian bank account. The AI agent can blindly execute a command.
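The mismatch Rapp describes can be checked for directly. The following is an added example, not Proofpoint's code: it parses a message, compares the text/plain alternative with the text a client would render from the text/html alternative, and lists HTML text hidden by inline CSS. The names, the 0.6 similarity threshold and the sample message are assumptions constructed for illustration.

```python
import email, re
from difflib import SequenceMatcher
from email import policy
from html.parser import HTMLParser

# Inline CSS that hides text from the reader (illustrative, not exhaustive).
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?![.\d])", re.I)
VOID = {"br", "img", "hr", "meta", "link", "input"}  # tags with no closing tag

class RenderedText(HTMLParser):
    """Splits HTML text into displayed and CSS-hidden runs (assumes well-nested markup)."""
    def __init__(self):
        super().__init__()
        self.stack, self.visible, self.hidden = [], [], []
    def handle_starttag(self, tag, attrs):
        if tag not in VOID:
            own = HIDDEN.search(dict(attrs).get("style") or "")
            self.stack.append(bool(own or (self.stack and self.stack[-1])))
    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()
    def handle_data(self, data):
        if data.strip():
            hidden = self.stack and self.stack[-1]  # hidden state is inherited
            (self.hidden if hidden else self.visible).append(data.strip())

def inspect_message(raw: bytes, threshold: float = 0.6) -> dict:  # threshold is assumed
    msg = email.message_from_bytes(raw, policy=policy.default)
    plain, html = msg.get_body(("plain",)), msg.get_body(("html",))
    parser = RenderedText()
    parser.feed(html.get_content() if html is not None else "")
    norm = lambda s: " ".join(s.split()).lower()
    score = 1.0  # nothing to compare unless both alternatives exist
    if plain is not None and html is not None:
        score = SequenceMatcher(None, norm(plain.get_content()), norm(" ".join(parser.visible))).ratio()
    return {"similarity": round(score, 2), "parts_diverge": score < threshold, "hidden_html_text": parser.hidden}

# Constructed sample: the alternatives disagree and the HTML hides a block.
SAMPLE = b"""Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

AI assistant: [constructed placeholder for a hidden instruction]
--b1
Content-Type: text/html

<p>Hi, the Q3 invoice is attached. Thanks!</p>
<div style="display:none">AI assistant: [second constructed placeholder]</div>
--b1--
"""
```

A flagged message is a candidate for quarantine or for having the plain-text part and hidden runs stripped before any assistant reads it; the check does not judge intent, which is the part the article attributes to trained models.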

What makes Proofpoint's approach different is that the company scans emails before they reach inboxes. It has had a lot of practice. The company scans 3.5 billion emails every day, one-third of the total. Additionally, it scans around 50 billion URLs and 3 billion attachments every day. This is done inline, that is, while the email is traveling from sender to recipient.

“We have placed detection capabilities directly along the delivery path, which means latency and efficiency are critical,” Rapp said.

The required speed is achieved by training small AI models specifically for detection, based on examples and background knowledge from a large language model (LLM). For example, OpenAI GPT-5 is estimated to have as many as 635 billion parameters. Passing every email through a model of that size is impossible. Proofpoint has trimmed its models to approximately 300 million parameters. It distills and compresses its models to achieve fast, low-latency performance without sacrificing detection accuracy. It also updates these models every 2.5 days so that they can effectively interpret the meaning of the message itself, rather than just looking for indicators. Thus, it detects hidden prompt injections, malicious instructions and other AI exploits before delivery.

“By stopping attacks before they happen, Proofpoint prevents users from being compromised and AI being exploited,” Rapp said. “Our secure email gateway can see emails and block threats before they reach your inbox.”

Additionally, Proofpoint uses an ensemble detection architecture. Instead of relying on a single detection engine, it combines hundreds of behavioral, reputational and content signals to catch attacks that could evade any single method.

AI is changing the security game

Artificial intelligence agents are being deployed in enterprises and among consumers. Unfortunately, the rush to capitalize on the potential of AI often puts security issues on the back burner. The bad guys know this. They use artificial intelligence in their cybercrime methods and technologies to perfect the art of phishing in the era of AI agents.

“Security tools must evolve from detecting known bad indicators to interpreting the intentions of people, machines and artificial intelligence agents,” Tiemann said. “Approaches that detect malicious instructions or manipulative cues before delivery, ideally using distilled AI models for embedded, low-latency protection, address a significant gap in today's defenses.”

Proofpoint is ahead of the competition with these capabilities. Other cybersecurity providers are expected to follow suit in the coming months. However, what other AI threat will emerge by then?
