
Phishing by AI agent: the new defense from Proofpoint

Email security has always been a game of cat and mouse. Viruses are invented, and antivirus software is invented to catalog known viruses and detect their presence in email attachments and URLs. As viruses have evolved into more sophisticated forms of malware, cybersecurity tools have adapted to be able to analyze and detect these new threats. Phishing has become the next area, giving rise to new tools as well as a whole new category of defense known as security awareness training. Now, bad guys attack AI agents to bypass current security guardrails.

“AI assistants, co-pilots and agents significantly expand the enterprise attack surface in ways that traditional security architectures were not designed to handle,” said Todd Thiemann, cybersecurity analyst at research firm Omdia.

Learn about a series of AI-driven features for Proofpoint Prime Threat Protection that were showcased at the company’s Proofpoint Protect 2025 event in September. They thwart hackers’ efforts to circumvent the actions of AI agents by scanning potential threats before emails arrive in an inbox.

Traditional approach to email security

Most email security tools are designed to detect known bad signals such as suspicious links, fake domains that look real, or attachments containing malware. This approach works well against conventional phishing, spam, and known exploits. But cybercriminals are now going after the many AI assistants and agents embedded in the workplace.

They do this by leveraging prompts (questions or commands in the form of text or code) that guide AI models and AI agents to produce relevant responses or perform certain tasks. Increasingly, emails contain hidden, malicious prompts that use invisible text or special formatting designed to trick generative AI tools such as Microsoft Copilot and Google Gemini into taking dangerous actions, such as exfiltrating data or bypassing security controls.

“Prompt injections and other AI-targeted exploits represent a new class of attacks that use text-based payloads that manipulate machine reasoning rather than human behavior,” Thiemann said.

Daniel Rapp, head of AI and data at Proofpoint, provided an example: The standard used for email known as RFC-822 defines the use of headers, plain text, and HTML. Not all of this is visible to a user. Attackers take advantage of this by embedding instructions in messages that are invisible to humans but fully readable by an AI agent. When the AI processes the text, the embedded instructions are inadvertently executed. This may result in data exfiltration or altered or corrupted system behavior. Old filters looking for malware or malformed links don’t see anything wrong.

[Image: Daniel Rapp, Director of AI and Data at Proofpoint.]

“In recent attacks, we have seen cases where the HTML and plain text versions are completely different,” Rapp said. “The email client renders the HTML version while the invisible plain text contains a prompt injection that can be picked up and optionally processed by an AI system.”
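A defender-side check for the mismatch Rapp describes, as an added example that is not from Proofpoint or the original article: it compares the text/plain part of a multipart/alternative message with the text a client would render from the text/html part and flags low similarity. The function names, the 0.6 threshold and the sample messages are assumptions constructed for illustration.

```python
import difflib
import re
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser

class VisibleText(HTMLParser):
    """Collects the text a mail client would render from an HTML body."""
    SKIP = {"script", "style", "head"}
    def __init__(self):
        super().__init__()
        self.chunks, self.skip_depth = [], 0
    def handle_starttag(self, tag, attrs):
        self.skip_depth += tag in self.SKIP
    def handle_endtag(self, tag):
        if tag in self.SKIP and self.skip_depth:
            self.skip_depth -= 1
    def handle_data(self, data):
        if not self.skip_depth:
            self.chunks.append(data)

def normalize(text):
    return re.sub(r"\s+", " ", text).strip().lower()

def alternative_divergence(raw, threshold=0.6):
    """Return (similarity, flagged) for the text/plain and text/html bodies."""
    msg = message_from_string(raw, policy=policy.default)
    plain = msg.get_body(preferencelist=("plain",))
    html = msg.get_body(preferencelist=("html",))
    if plain is None or html is None:
        return 1.0, False  # single-format message: nothing to compare
    parser = VisibleText()
    parser.feed(html.get_content())
    a, b = normalize(plain.get_content()), normalize(" ".join(parser.chunks))
    ratio = difflib.SequenceMatcher(None, a, b, autojunk=False).ratio()
    return ratio, ratio < threshold  # threshold is an assumed tuning value

def build_message(plain, html):
    """Constructed sample: a multipart/alternative message as raw text."""
    msg = EmailMessage()
    msg.set_content(plain)
    msg.add_alternative(html, subtype="html")
    return msg.as_string()

# Constructed sample bodies, not taken from any real message.
HTML = "<html><body><p>Hi team,</p><p>The Q3 report is attached.</p></body></html>"
MATCHING = build_message("Hi team,\nThe Q3 report is attached.\n", HTML)
MISMATCHED = build_message(
    "[constructed stand-in for text addressed to an AI assistant]\n", HTML)
```

A low score is one signal to feed into a wider set of checks rather than a verdict, since legitimate senders sometimes ship a shortened plain-text part.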

There are two reasons why this strategy is effective. First, if an AI assistant has access to an inbox, it can automatically respond to an email as soon as it arrives. Second, Rapp said the literal nature of AI agents makes them vulnerable to phishing and other social engineering tricks. A human might think twice before sending money to a Nigerian bank account. An AI agent can blindly execute a command in this direction.

What sets the Proofpoint approach apart is that the company analyzes emails before they arrive in inboxes. It has had a lot of practice. The company analyzes 3.5 billion emails every day, a third of the global total. Additionally, it scans nearly 50 billion URLs and 3 billion attachments daily. This is done inline, that is, while the email passes from the sender to the recipient.

“We’ve placed sensing capabilities directly in the delivery path, which means latency and efficiency are key,” Rapp said.

This necessary level of speed is achieved by training smaller AI models specifically on detection, based on examples and fundamental knowledge from a large language model (LLM). For example, OpenAI’s GPT-5 is estimated to have up to 635 billion parameters. Going through this amount of data for each email is not feasible. Proofpoint has refined its models to around 300 million parameters. It distills and compresses its models to achieve low-latency inline performance without sacrificing detection fidelity. It also updates these models every 2.5 days to be able to effectively interpret the intent of the message itself, not just look for indicators. This way, it detects hidden prompt injections, malicious instructions and other AI exploits before they are delivered.

“By stopping attacks before delivery, Proofpoint prevents user compromise and AI exploitation,” Rapp said. “Our secure email gateway can see emails and block threats before they reach the inbox.”

Additionally, Proofpoint uses an ensemble detection architecture. Instead of relying on a single detection mechanism, it combines hundreds of behavioral, reputation, and content-based signals to counter attack vectors that could bypass a single method.

AI is changing the security game

AI agents are being deployed across the enterprise and consumer landscape. Unfortunately, the rush to harness the potential of AI often relegates security to the back burner. The bad guys know it. Using AI, they are refining their cybercrime techniques and technologies to perfect the art of phishing in the age of AI agents.

“Security tools must evolve from detecting known bad indicators to interpreting the intentions of humans, machines and AI agents,” Thiemann said. “Approaches that identify malicious instructions or manipulative prompts before delivery, ideally using distilled AI models for low-latency in-line protection, fill a significant gap in current defenses.”

Proofpoint is ahead of the pack with these capabilities. Expect other cybersecurity vendors to follow suit in the coming months. But until then, what other AI-borne threat will emerge?
