Email security has always been a cat-and-mouse game. Viruses are invented, and antivirus software is invented to catalog known viruses and detect their presence in email attachments and URLs. As viruses morphed into more sophisticated forms of malware, cybersecurity tools adapted to be able to scan for and detect these new threats. Phishing became the next arena, giving birth to new tools as well as a whole new category of defense known as security awareness training. Now, the bad guys are attacking AI agents to bypass current security guardrails.
“AI assistants, copilots, and agents significantly expand the enterprise attack surface in ways that traditional security architectures were not designed to handle,” said Todd Thiemann, a cybersecurity analyst at research firm Omdia.
Enter a series of AI-based features for Proofpoint Prime Threat Protection that were introduced at the company’s Proofpoint Protect 2025 event in September. They thwart the efforts of hackers to subvert the actions of AI agents by scanning for potential threats before email messages arrive at an inbox.
Traditional Approach to Email Security
Most email security tools are designed to spot known bad signals like suspicious links, fake domains that look real, or attachments carrying malware. This approach works well against conventional phishing, spam, and known exploits. But cybercriminals are now going after the many AI assistants and AI agents that have become embedded in the workplace.
They do this by taking advantage of prompts (questions or commands in text or code form) that guide AI models and AI agents to either produce relevant responses or execute certain tasks. Increasingly, emails carry hidden, malicious prompts that use invisible text or special formatting designed to trick generative AI tools like Microsoft Copilot and Google Gemini into taking unsafe actions, such as exfiltrating data or bypassing security checks.
“Prompt injections and other AI-targeted exploits represent a new class of attacks that use text-based payloads that manipulate machine reasoning rather than human behavior,” said Thiemann.
Daniel Rapp, Chief AI and Data Officer at Proofpoint, provided an example: The standard used for email messages known as RFC-822 lays out the use of headers, plain text, and HTML. Not all of this is visible to a user. Attackers take advantage of this by embedding instructions in messages that are invisible to humans but fully readable by an AI agent. When AI processes the text, the embedded instructions are inadvertently executed. This can lead to data being exfiltrated or system behavior being altered or corrupted. Legacy filters looking for malware or malformed links see nothing amiss.
Daniel Rapp, Chief AI and Data Officer at Proofpoint. Proofpoint
“In recent attacks we are seeing cases where the HTML and plain text version are completely different,” said Rapp. “The email client renders the HTML version while invisible plain text contains a prompt injection that can be picked up and possibly acted on by an AI system.”
... continue reading