Phishing with AI agents: Proofpoint’s new defense

Email security has always been a game of cat and mouse. Viruses are invented and Antivirus software was invented to catalog known viruses and detect their presence in email attachments and URLs. As viruses transformed into more sophisticated forms of malware, cybersecurity tools adapted to be able to scan and detect these new threats. Phishing became the next field, giving rise to new tools as well as an entirely new category of defense known as security awareness training. Now, Bad guys are attacking AI agents to bypass current security barriers.

“AI assistants, co-pilots and agents significantly expand the enterprise attack surface in ways that traditional security architectures were not designed to handle,” said Todd Thiemann, a cybersecurity analyst at the research firm. Omdia.

Enter a series of AI-based functions to Proofpoint Prime Threat Protection which were presented at the company’s Proofpoint Protect 2025 event in September. They thwart hackers’ efforts to subvert the actions of AI agents by scanning for potential threats before emails reach the inbox.

Traditional approach to email security

Most email security tools are designed to detect known bad signals, such as suspicious links, fake domains that look real, or attachments that contain malware. This approach works well against conventional phishing, spam, and known exploits. But cybercriminals are now going after the many AI assistants and agents that have been integrated into the workplace.

They do this by leveraging prompts (questions or commands in the form of text or code) that guide AI models and agents to produce relevant responses or execute certain tasks. Increasingly, emails contain hidden and malicious messages that use invisible text or special formatting designed to fool generative AI tools like Microsoft Copilot and Google Gemini to take unsafe actions, such as extracting data or bypassing security controls.

“Rapid injections and other exploits targeting AI represent a new class of attacks that use text-based payloads that manipulate machine reasoning rather than human behavior,” Thiemann said.

Daniel Rapp, director of AI and data at test pointprovided an example: the standard used for email messages known as RFC-822 establishes the use of headers, plain text and HTML. Not all of this is visible to a user. Attackers take advantage of this by embedding instructions in messages that are invisible to humans but completely readable to an AI agent. When the AI ​​processes the text, the embedded instructions are executed inadvertently. This can cause data to be exfiltrated or system behavior to be altered or corrupted. Legacy filters that look for malware or malformed links don’t see anything wrong.

Daniel Rapp, director of AI and data at test point.test point

“In recent attacks we are seeing cases where the HTML version and the plain text version are completely different,” Rapp said. “The email client displays the HTML version, while the invisible plain text contains a quick shot that an AI system can detect and possibly act on.”

There are two reasons why this strategy is proving effective: first,If an AI assistant has access to an inbox, it can automatically act on an email the instant it arrives. Second, Rapp said the literal nature of AI agents makes them susceptible to phishing and other social engineering tricks. A human might think twice before sending money to a Nigerian bank account. An AI agent could blindly execute an order to do so.

What sets Proofpoint’s approach apart is that the company scans emails before they reach inboxes. He’s had a lot of practice. The company scans 3.5 billion emails every day, a third of the world’s total. Additionally, it scans nearly 50 billion URLs and 3 billion attachments daily. This is done online, that is, as the email travels from the sender to the recipient.

“We’ve placed sensing capabilities directly into the delivery path, which means latency and efficiency are critical,” Rapp said.

This necessary level of speed is achieved by training smaller AI models specifically on detection, based on examples and the fundamental knowledge of a large language model (LLM). For example, OpenAI GPT-5 is estimated to have up to 635 billion parameters. It is not possible to analyze that amount of data in each email. Proofpoint has refined its models to reach around 300 million parameters. It distills and compresses its models to achieve low-latency online performance without sacrificing detection fidelity. It also updates those models every 2.5 days so it can effectively interpret the intent of the message itself, not just look for indicators. This way, it detects hidden fast injections, malicious instructions, and other AI exploits before they are delivered.

“By stopping attacks before delivery, Proofpoint prevents user compromise and AI exploitation,” Rapp said. “Our secure email gateway can view emails and stop threats before they reach your inbox.”

Additionally, Proofpoint uses a set detection architecture. Instead of relying on a single detection mechanism, it combines hundreds of behavior, reputation, and content-based signals to circumvent the attack vectors that could traverse a method.

AI changes the security game

AI agents are being deployed across the business and consumer landscape. Unfortunately, the rush to harness the potential of AI often relegates security to the background. The bad guys know it. They are enabling AI with their cybercrime techniques and technologies to perfect the art of phishing for the age of AI agents.

“Security tools must evolve from detecting known bad indicators to interpreting the intent of humans, machines and AI agents,” Thiemann said. “Approaches that identify malicious instructions or manipulative cues before delivery, ideally using distilled AI models for low-latency online protection, address an important gap in current defenses.”

Proofpoint is leading the way with the role these capabilities play. Expect other cybersecurity vendors to follow suit in the coming months. However, at that time, what other AI-borne threat will emerge?