
Darktrace / EMAIL — Self-Learning AI Against Phishing, BEC & Takeover

A Secure Email Gateway blocks what is already known to be bad. The attacks that actually land — spear-phishing, CEO fraud, account takeover, a supplier whose account was hijacked — are brand new and look clean. Darktrace / EMAIL learns the normal 'pattern of life' for every user and every relationship, then flags and acts on the email that deviates, even with no signature to match.

📅 2026-06-19 · ⏱ 16 min · 5 infographics · live email demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

A clear, interactive guide to Darktrace / EMAIL (2026): how Self-Learning AI learns the normal communication 'pattern of life' for every user and relationship, catches the never-seen-before threats that Secure Email Gateways miss — spear-phishing, business email compromise, account takeover and supply-chain attacks — and takes proportionate, email-level actions instead of quarantine-all.

Pick where you want to start

1. Why SEGs miss: email is #1; gateways only catch known-bad.
2. Self-Learning AI: learning each user's and relationship's normal.
3. Threats & actions: BEC, takeover, supply-chain; proportionate response.
4. Integrate & correlate: M365/Google API, complement-or-replace, platform.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Why does a Secure Email Gateway miss a brand-new BEC email?

Answered in Why SEGs miss.

2. What does Darktrace / EMAIL actually learn?

Answered in Self-Learning AI.

3. Instead of quarantine-all, what can Darktrace do to one risky email?

Answered in Threats & actions.

Most engineers think…

Most people assume email security means 'a gateway that blocks spam and known-bad links'. That mental model is exactly why BEC and account takeover keep landing.

A Secure Email Gateway (SEG) works on known-bad — reputation, signatures, blocklists. The attacks that actually cost money are never-seen-before and context-based: a first-time sender on a slightly-off domain asking finance to change bank details, a novel zero-day link, a trusted supplier whose account was hijacked. Each part looks clean to a SEG. Darktrace / EMAIL takes the opposite approach: it learns the normal pattern of life for every user and every relationship with Self-Learning AI and flags the email that deviates — then acts proportionately on that one email rather than quarantining everything.

① Why email is the #1 attack vector — and what SEGs miss

Email is still the number-one way attackers get in. It is the cheapest, most direct route to a human who can click a link, open an attachment, or wire money. So the real question is not 'do we have email security' — almost everyone runs a Secure Email Gateway — it is 'does it catch the attacks that actually land'.

A SEG works on known-bad: sender reputation, blocklists, signatures and attachment hashes. That stops bulk spam and previously-seen malware well. But the damaging attacks are novel and context-based: spear-phishing, business email compromise and a brand-new link with no bad reputation yet. To a SEG, a first-time sender asking finance to update bank details is individually 'clean': no signature, no blocklist hit. Nothing to match means nothing to stop.

Figure 1 — Secure Email Gateway vs Self-Learning AI. A SEG matches known-bad; Darktrace / EMAIL learns your normal and flags deviation — which is what catches novel and BEC attacks.
Left panel, Secure Email Gateway: known-bad signatures; sender / link reputation; blocklists and hashes; misses never-seen-before.
Right panel, Darktrace / EMAIL: learns pattern of life; anomaly, not signature; catches novel and BEC; context-based detection.
Quick check · Q1 of 10 · Understand

Why does a Secure Email Gateway miss a brand-new BEC email?

Answer: A SEG works on known-bad — signatures, blocklists and reputation. A first-time sender asking finance to change bank details with a novel link is individually 'clean' to it. No signature means nothing to stop.
👉 So far: Email is the #1 attack vector. A SEG matches known-bad (signatures, reputation), so novel spear-phishing, BEC and brand-new links pass — they are individually 'clean' with nothing to match.

② Self-Learning AI — learning each user's and relationship's pattern of life

Darktrace / EMAIL flips the model. Instead of asking 'is this on a known-bad list?', it asks 'is this normal for this person and this relationship?'. Using Self-Learning AI, it builds a pattern of life for every user and every correspondent pair.

What the pattern of life captures

The learned normal includes who emails whom, the usual tone and timing, and the links and attachments that are normal for that relationship. When an email deviates — a new sender address, a never-before-seen domain, an unusual request, a novel link — it is flagged as anomalous even with no known signature. The interview line: SEGs detect what is known-bad; Darktrace detects what is abnormal for you, which is how it catches the never-seen-before.
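To make the 'pattern of life' idea concrete, here is an added worked example in Python. It is not Darktrace code and uses no Darktrace API: it builds a toy baseline per recipient (known senders, sender domains, send hours and link hosts) from a constructed history, then scores a new email by counting its deviations from that baseline. The weights, the lookalike-domain test, the payment-change phrase list and every address and URL are assumptions made for illustration.

```python
"""Pattern-of-life baseline and anomaly scoring for inbound email.

Added example, not Darktrace's code. It learns what is normal for each
recipient (who writes, from which domain, when, with links to which hosts)
and scores a new email by how far it deviates. Weights, the lookalike test
and every email below are constructed for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed phrase list: a request to change where money goes.
PAYMENT_CHANGE_TERMS = ("bank account", "bank details", "account number", "iban", "wire")

@dataclass
class Email:
    sender: str      # address in the From header
    recipient: str
    hour: int        # send hour 0-23, recipient's local time
    links: list      # URLs found in the body
    text: str        # plain-text body

@dataclass
class Baseline:
    senders: Counter = field(default_factory=Counter)     # who writes to this recipient
    domains: Counter = field(default_factory=Counter)     # from which domains
    hours: Counter = field(default_factory=Counter)       # at which hours
    link_hosts: Counter = field(default_factory=Counter)  # linking to which hosts
    count: int = 0

def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def link_host(url):
    return (urlparse(url).hostname or "").lower()

def edit_distance(a, b):
    """Levenshtein distance, used to spot a lookalike of a known domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

class PatternOfLife:
    def __init__(self):
        self.by_recipient = defaultdict(Baseline)

    def learn(self, emails):
        """Build each recipient's baseline from historical, trusted mail."""
        for e in emails:
            b = self.by_recipient[e.recipient]
            b.senders[e.sender.lower()] += 1
            b.domains[sender_domain(e.sender)] += 1
            b.hours[e.hour] += 1
            for u in e.links:
                b.link_hosts[link_host(u)] += 1
            b.count += 1

    def score(self, e):
        """Return (score 0..1, reasons); each reason is one deviation from normal."""
        b = self.by_recipient.get(e.recipient)
        if b is None or b.count == 0:
            return 1.0, ["no history for this recipient"]
        reasons, s = [], 0.0
        sender, dom = e.sender.lower(), sender_domain(e.sender)
        if sender not in b.senders:
            reasons.append("first-time sender address"); s += 0.3
        if dom not in b.domains:
            reasons.append("never-before-seen sender domain"); s += 0.2
            near = [d for d in b.domains if edit_distance(d, dom) <= 2]
            if near:
                reasons.append("lookalike of known domain " + near[0]); s += 0.2
        if b.hours[e.hour] / b.count < 0.05:
            reasons.append("unusual send hour %02d:00" % e.hour); s += 0.1
        novel = sorted({link_host(u) for u in e.links} - set(b.link_hosts))
        if novel:
            reasons.append("novel link host(s): " + ", ".join(novel)); s += 0.2
        if any(t in e.text.lower() for t in PAYMENT_CHANGE_TERMS):
            reasons.append("request to change payment details"); s += 0.2
        return min(1.0, round(s, 2)), reasons

# Constructed history: a genuine supplier writing to finance in office hours.
MEERA = "meera@sundar.example"
SUPPLIER = "accounts@coimbatoredyes.example"
PORTAL = "https://portal.coimbatoredyes.example/invoices/"
HISTORY = [Email(SUPPLIER, MEERA, h, [PORTAL + str(n)], "Invoice %d attached" % n)
           for n, h in enumerate((10, 11, 10, 14, 11, 10))]
NORMAL = Email(SUPPLIER, MEERA, 10, [PORTAL + "7"], "Invoice 7 attached, due in 30 days")
LOOKALIKE_BEC = Email("accounts@coimbatore-dyes.example", MEERA, 23,
                      ["https://confirm-payment.example/update"],
                      "Please update our bank account for this month's payment")
HIJACKED_SUPPLIER = Email(SUPPLIER, MEERA, 11, ["https://secure-docs.example/verify"],
                          "New bank details for all future payments attached")

def build_model():
    model = PatternOfLife()
    model.learn(HISTORY)
    return model
```

Call build_model().score(LOOKALIKE_BEC) to see the Meera scenario score 1.0 with six reasons, while the genuine invoice (NORMAL) scores 0.0 with none. The hijacked-supplier case is the instructive one: the address and domain are known, so any reputation check passes, but the novel link host and the 'new bank details' request still lift it to 0.4 on content alone, which is exactly the supply-chain case the lesson describes.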

Figure 2 — What the pattern of life captures. Self-Learning AI models the normal communication for each user and relationship, then scores every email against it.
Panels: Who emails whom (sender, recipient and the normal relationship); Tone and timing (usual style, language and send patterns); Links and attachments (what content is normal for that pair).
Key terms

Self-Learning AI: AI that learns the normal baseline from your own environment and flags deviation, instead of matching known-bad signatures and reputation.

Pattern of life: the learned normal communication for each user and relationship (who emails whom, tone, timing, and the links and attachments that are normal).

Business Email Compromise: impersonation fraud (CEO, supplier) aimed at payments or data, usually payload-less, so a known-bad SEG has nothing to match.

Proportionate action: email-level response sized to risk (hold or junk, neutralise a link, convert an attachment, or flag) instead of quarantine-all.

Say 'abnormal for you', not 'known-bad'

In an interview, contrast the two models in one line: a SEG detects what is known-bad (signatures, reputation); Darktrace detects what is abnormal for this user and relationship (the learned pattern of life). That single distinction is why it catches the never-seen-before.

Quick check · Q2 of 10 · Remember

What does Darktrace / EMAIL's Self-Learning AI actually learn?

Answer: Self-Learning AI builds a per-user and per-relationship baseline of normal communication, then flags emails that deviate — no known signature required. That is how it catches the never-seen-before.
👉 So far: Darktrace / EMAIL uses Self-Learning AI to learn the normal pattern of life for every user and relationship — who, tone, timing, links, attachments — and flags deviation even with no known signature.

③ The threats it stops — and proportionate, email-level actions

Because detection is anomaly-based, Darktrace / EMAIL targets exactly the threats that slip past a gateway: spear-phishing, business email compromise (BEC) / CEO fraud, account takeover, payload-less social engineering, novel and zero-day links, and supply-chain attacks where a trusted partner's compromised account emails you.

Action sized to the risk

Crucially, it does not just 'quarantine everything'. It acts at the level of the individual email and chooses a response proportionate to the risk: hold or junk the message, neutralise (rewrite or lock) a malicious link so it cannot be clicked, strip or convert a risky attachment, or simply flag a borderline email. Safe mail keeps flowing; only the risky element is contained. That is the difference between security that helps the business and security that blocks it.
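The following added Python example shows what 'contain only the risky element' means mechanically. It is not Darktrace code: the thresholds, the HTML body and the hostnames are constructed for this page. It rewrites just the anchors that point at an anomalous host, leaves the supplier's real portal link clickable, and picks hold, targeted neutralisation, flag or deliver from the risk score.

```python
"""Proportionate, email-level action instead of quarantine-all.

Added example, not Darktrace's code: given a risk score and a verdict on each
element of a message, pick the smallest action that contains the risky part
and leaves the rest deliverable. Thresholds, HTML and hostnames are
constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Matches href="..." or href='...' inside an anchor tag.
HREF_RE = re.compile(r"""href\s*=\s*(["'])(.*?)\1""", re.IGNORECASE)
NEUTRALISED = "#neutralised-by-security"

def neutralise_links(html, bad_hosts):
    """Rewrite only anchors whose host is in bad_hosts; every other link stays intact.

    Returns (new_html, list of URLs that were neutralised).
    """
    removed = []

    def swap(m):
        quote, url = m.group(1), m.group(2)
        host = (urlparse(url).hostname or "").lower()
        if host in bad_hosts:
            removed.append(url)
            # Keep the host for the analyst, drop the clickable URL for the user.
            return 'href=%s%s%s data-original-host="%s"' % (quote, NEUTRALISED, quote, host)
        return m.group(0)

    return HREF_RE.sub(swap, html), removed

def choose_actions(score, bad_hosts, risky_attachments):
    """Illustrative policy (constructed thresholds): wider containment as risk rises.

    >= 0.8  hold the whole message, and still defang links so a later release is safe
    >= 0.4  contain only the risky element(s): neutralise links, convert attachments
    >= 0.2  deliver with a warning banner
    else    deliver unchanged
    """
    actions = []
    if score >= 0.8:
        actions.append("hold")
    if score >= 0.4:
        actions += ["neutralise_link:" + h for h in sorted(bad_hosts)]
        actions += ["convert_attachment:" + a for a in risky_attachments]
        if score < 0.8 and not actions:
            actions.append("junk")  # anomalous, but nothing specific to defang
    elif score >= 0.2:
        actions.append("flag")
    else:
        actions.append("deliver")
    return actions

# Constructed message body: one legitimate supplier link, one novel lure link.
BODY = """<p>Hello Meera,</p>
<p>Invoice 7 is on our <a href="https://portal.coimbatoredyes.example/invoices/7">portal</a>.</p>
<p>Please <a href='https://confirm-payment.example/update'>confirm the new bank account</a> today.</p>"""

def demo():
    """Neutralise the lure, keep the portal link, and size the action for a 0.4 score."""
    html, removed = neutralise_links(BODY, {"confirm-payment.example"})
    return html, removed, choose_actions(0.4, {"confirm-payment.example"}, [])

if __name__ == "__main__":
    html, removed, actions = demo()
    print(actions, removed)
    print(html)
```

The point of the policy table is that 'hold' and 'neutralise' are not mutually exclusive: a held message is still defanged, so releasing it from the hold after review does not re-expose the lure. At the middle band the user gets the message with the supplier's real portal link working and only the lure dead.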

Figure 3 — Threats Darktrace / EMAIL stops. Anomaly-based detection targets the context-based and never-seen-before attacks that bypass a SEG.
Hub: Self-Learning AI anomaly detection. Spokes: spear-phishing; BEC / CEO fraud; account takeover; novel links; supply-chain; social engineering.
Figure 4 — From anomalous email to proportionate action. An email is scored against the learned normal, then the action is sized to the risk — not a blanket quarantine.
Pipeline: Ingest (email via M365 / GWS API) → Compare (vs pattern of life) → Score (how anomalous?) → Act (hold / neutralise / flag) → Correlate (Cyber AI Analyst).

Meera Nair, finance exec at Sundar Textiles Pvt. Ltd., Coimbatore

An email that looks like it is from a regular supplier asks to 'update our bank account for this month's payment' and links to a page to confirm details. The SEG passed it.

Likely cause

A BEC / supplier-impersonation attempt — a first-time sender on a slightly-off domain making an unusual financial request with a novel link. Nothing is known-bad for the SEG to catch.

Diagnosis

Open the email's model breakdown in Darktrace / EMAIL: it is anomalous against the learned pattern of life for that supplier relationship — new sender address, never-before-seen domain, unusual 'change bank details' ask and a novel link.

Darktrace / EMAIL ▸ email model breakdown ▸ relationship history
Fix

Darktrace holds the email out of Meera's inbox and neutralises the link so it cannot be clicked, while flagging it for the security team — proportionate to the risk, not a blanket quarantine.

Verify

Meera never sees the lure. The team confirms in Cyber AI Analyst that no related login or network anomaly followed, so there was no account takeover.

Quarantine-all is not 'good security'

Over-blocking with a blanket quarantine breaks the business and trains users to ignore alerts. The point of proportionate action is to contain only the risky element — neutralise the link, convert the attachment — and still deliver safe mail. Always frame the action as sized to the risk.

▶ A BEC 'change bank details' email gets caught, step by step

How one supplier-impersonation email is judged end-to-end.

① Email arrives: Meera in finance receives an email from a 'supplier' — a first-time sender on a slightly-off domain — asking to update the bank account, with a link to confirm.
② Compare to normal: Darktrace / EMAIL compares it to the learned pattern of life for that supplier relationship: who normally writes, the usual request, the normal links.
③ Score anomalous: it deviates sharply — new sender, never-seen domain, unusual financial request, novel link — so it is scored highly anomalous, with no signature needed.
④ Hold + neutralise: Darktrace holds the email out of the inbox, neutralises the link so it cannot be clicked, and flags it for the security team — before Meera can act.
Quick check · Q3 of 10 · Apply

A finance user gets a risky email with one malicious link, but the rest of the message is benign. What is the proportionate action?

Answer: Darktrace acts at the individual email and sizes the action to the risk. Neutralising just the link contains the threat while safe mail keeps flowing — that beats quarantine-all, which blocks the business.
👉 So far: It stops spear-phishing, BEC, account takeover and supply-chain attacks, and acts on the individual email proportionately — hold/junk, neutralise links, convert attachments, or flag — not quarantine-all.

④ Integration, complement-or-replace, and platform correlation

Darktrace / EMAIL connects to Microsoft 365 and Google Workspace via API — not just as an inline MX-record gateway. That means you can deploy it to complement an existing SEG (run them side by side) or replace a legacy gateway entirely, without a risky hard cutover.

It is part of a platform

Because email is one coverage area of the wider Darktrace platform, an email anomaly can be correlated with network and identity anomalies in Cyber AI Analyst — for example, a mailbox compromised by phishing that then logs in oddly and moves laterally. The pitfalls to call out: relying only on a SEG for novel and BEC threats; not connecting email to the rest of the platform, so you miss the takeover that follows; and over-blocking with quarantine-all instead of proportionate actions.

Figure 5 — Complement a SEG vs replace it. API deployment means you can run Darktrace / EMAIL alongside a legacy gateway or in place of it — no hard MX cutover.
Complement a SEG: run side by side; SEG handles bulk spam; Darktrace catches novel and BEC; lowest-risk first step.
Replace the SEG: single email control; API to M365 / Google; Self-Learning AI as primary; fewer moving parts.
Prove the takeover did NOT follow

Do not close a phishing incident at 'the email was held'. Check Cyber AI Analyst for related identity and network anomalies — an odd login, a new forwarding rule, lateral movement. The correlated view confirms there was no account takeover, instead of assuming it.
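An added Python example of the check this callout describes, written for this page rather than taken from Cyber AI Analyst or any Darktrace API. Given constructed sign-in and mailbox-audit log lines, it looks at the 48 hours after each held email and reports a successful sign-in from a country never seen for that user, an inbox rule that forwards mail outside the organisation, or a rule that silently deletes messages. The log format, the users, the IPs and the 48-hour window are all assumptions.

```python
"""Prove the takeover did NOT follow: correlate a held phish with identity events.

Added example, not Darktrace's Cyber AI Analyst. After an email is held, look
at what the recipient's identity did in the following window. An empty list
of findings is the evidence that lets you close the incident; a non-empty one
is the takeover the email alone would not have shown. All log lines below are
constructed.
"""
from datetime import datetime, timedelta

# Constructed log lines, pipe-separated: time|type|user|details...
#   signin     : ip|country|outcome
#   mailbox    : operation|parameters (key=value;key=value)
#   email_held : host of the neutralised link
LOG = """\
2026-06-10T09:02:00Z|signin|meera@sundar.example|103.5.12.9|IN|success
2026-06-12T08:55:00Z|signin|meera@sundar.example|103.5.12.9|IN|success
2026-06-11T10:20:00Z|signin|ravi@sundar.example|103.5.12.10|IN|success
2026-06-19T10:05:00Z|email_held|meera@sundar.example|confirm-payment.example
2026-06-19T10:06:00Z|email_held|ravi@sundar.example|confirm-payment.example
2026-06-19T10:40:00Z|signin|meera@sundar.example|103.5.12.9|IN|success
2026-06-19T12:31:00Z|signin|ravi@sundar.example|185.220.101.7|DE|success
2026-06-19T12:33:00Z|mailbox|ravi@sundar.example|New-InboxRule|ForwardTo=finance-backup@ext-mail.example
2026-06-19T12:34:00Z|mailbox|ravi@sundar.example|New-InboxRule|DeleteMessage=true;SubjectContains=invoice
"""

INTERNAL_DOMAIN = "sundar.example"  # assumption: the organisation's own mail domain

def parse(log):
    """Turn the text log into time-sorted event dicts."""
    events = []
    for line in log.strip().splitlines():
        ts, kind, user, *rest = line.split("|")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "kind": kind, "user": user, "rest": rest})
    return sorted(events, key=lambda e: e["ts"])

def followup_anomalies(events, user, held_at, window=timedelta(hours=48)):
    """Findings for `user` between the held email and held_at + window."""
    # Baseline: countries this user has signed in from before the phish.
    seen_countries = {e["rest"][1] for e in events
                      if e["kind"] == "signin" and e["user"] == user and e["ts"] < held_at}
    findings = []
    for e in events:
        if e["user"] != user or not (held_at <= e["ts"] <= held_at + window):
            continue
        if e["kind"] == "signin":
            ip, country, outcome = e["rest"]
            if outcome == "success" and country not in seen_countries:
                findings.append("sign-in from never-seen country %s (%s) at %s"
                                % (country, ip, e["ts"].isoformat()))
        elif e["kind"] == "mailbox" and e["rest"][0] == "New-InboxRule":
            params = dict(p.split("=", 1) for p in e["rest"][1].split(";"))
            fwd = params.get("ForwardTo", "")
            if fwd and not fwd.endswith("@" + INTERNAL_DOMAIN):
                findings.append("new inbox rule forwards mail externally to " + fwd)
            if params.get("DeleteMessage") == "true":
                findings.append("new inbox rule silently deletes matching mail")
    return findings

def triage(log):
    """For every held email, return {user: findings}; an empty list means no takeover followed."""
    events = parse(log)
    return {e["user"]: followup_anomalies(events, e["user"], e["ts"])
            for e in events if e["kind"] == "email_held"}

if __name__ == "__main__":
    for user, findings in triage(LOG).items():
        print(user, "-> clean" if not findings else "-> " + "; ".join(findings))
```

In the constructed data Meera's mailbox comes back clean, which is the 'Verify' step from the scenario above, while Ravi's shows the classic post-phish pattern: a foreign sign-in followed within minutes by a rule that forwards invoices out and another that hides them. The forwarding-rule check is deliberately scoped to external recipients, since internal forwarding rules are common and would drown the finding in noise.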

Quick check · Q4 of 10 · Analyze

Why does it matter that Darktrace / EMAIL is part of a wider platform rather than a standalone email filter?

Answer: A standalone filter stops at the inbox. Because email is one coverage area of the platform, a compromised mailbox can be tied to odd logins and lateral movement in Cyber AI Analyst — the full attack story, not just one email.
👉 So far: It connects to M365 and Google Workspace via API to complement or replace a SEG, and correlates email anomalies with network and identity in Cyber AI Analyst. Pitfalls: SEG-only, no platform link, over-blocking.


📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete.

Q5 · Remember

Self-Learning AI in Darktrace / EMAIL detects threats primarily by:

Answer: It builds a per-user and per-relationship baseline and flags anomalies — no known signature required. That is what catches the never-seen-before attacks a SEG misses.
Q6 · Understand

Why do Secure Email Gateways miss BEC and novel-link attacks?

Answer: A SEG works on known-bad. A first-time sender, an off domain and a brand-new link are each individually 'clean', so there is nothing for the SEG to match.
Q7 · Apply

A trusted supplier's account is hijacked and emails you a malicious invoice. What kind of threat is this, and who is positioned to catch it?

Answer: A trusted partner's compromised account is a supply-chain attack. The address may pass reputation checks, but the unusual request and content deviate from the learned normal for that relationship, so Darktrace flags it.
Q8 · Analyze

What is the advantage of a proportionate, email-level action over quarantine-all?

Answer: Acting at the individual email and sizing the response to risk (neutralise link, convert attachment, hold or flag) keeps legitimate mail flowing. Quarantine-all blocks the business and trains users to ignore alerts.
Q9 · Evaluate

An interviewer asks how Darktrace / EMAIL fits with an existing Secure Email Gateway. Best answer?

Answer: API deployment means you can run it alongside a legacy gateway (complement) or in place of it (replace) without a risky MX-record cutover. That flexibility is a key selling point.
Q10 · Evaluate

Which is the strongest reason to connect Darktrace / EMAIL to the rest of the platform?

Answer: A standalone filter stops at the inbox. Correlating email with network and identity in Cyber AI Analyst ties a phish to the odd login and lateral movement that follow — catching the takeover, not just the email.

🧠 In your own words

Type one line: why does Darktrace / EMAIL catch a BEC attack that a Secure Email Gateway passes? Then compare with the expert version.

Expert version: Because a SEG only knows 'known-bad' — signatures, reputation, blocklists — and a BEC email is brand new and individually clean: a first-time sender on an off domain making an unusual financial request with a novel link, nothing to match. Darktrace / EMAIL instead learns the normal pattern of life for that user and that supplier relationship with Self-Learning AI, so the same email scores as highly anomalous (wrong sender, wrong request, novel link). It then acts proportionately on that one email — holding it and neutralising the link — and, because it is part of the platform, can correlate it with any identity or network anomaly in Cyber AI Analyst to confirm whether account takeover followed.


📖 Glossary

Self-Learning AI
AI that learns the normal baseline from your own environment and detects deviation, with no known-bad signatures required.
Pattern of life
The learned normal communication for each user and relationship — who emails whom, tone, timing, and the normal links and attachments — used to score every email.
Secure Email Gateway (SEG)
A traditional email filter that blocks known-bad senders, links and attachments using reputation and signatures; misses never-seen-before attacks.
Business Email Compromise (BEC)
Impersonation fraud (CEO or supplier) aimed at payments or data, often payload-less, so a known-bad filter has nothing to match.
Account takeover (ATO)
An attacker gaining control of a legitimate user's mailbox or identity, then abusing the trust it carries.
Spear-phishing
A targeted phishing email tailored to a specific person or role, rather than bulk spam.
Supply-chain attack
Abuse of a trusted partner's compromised account to reach you with an email that passes reputation checks.
Link neutralisation
Rewriting or locking a suspicious link so it cannot be clicked, while still delivering the safe parts of the message.
Cyber AI Analyst
Darktrace's automated investigation that correlates anomalies across email, network and identity into a single incident story.


What's next?

Got email covered? Next, see how Darktrace extends the same Self-Learning AI to the cloud and to identity — watching SaaS, IaaS and user logins so a compromised account caught in email can be traced wherever it tries to go next.