Doppel Named Official Partner of the New York Knicks
Partnership to Showcase Doppel to Knicks Widespread Audience Through In-Arena, Digital and Out-Of-Home Assets
AI email security explained — why most "AI" inbox tools still only score the message, and how agentic detection grounded in attacker infrastructure defends the whole five-stage attack chain.

Generative AI changed the attacker's side of the inbox first. It can turn slow, error-prone phishing into polished, personalized lures produced at higher speed, and vendors now label a wave of tools "AI email security" to meet them. Many of those tools do one thing well: they score the message after it lands.
Attackers build the campaign outside the inbox. They register a lookalike domain before the phish sends, then may clone an executive's profile. The same preparation can extend to the helpdesk, where a caller uses a prepared script. Much of that activity sits outside the view of a tool that reads only the inbox.
That gap is why business email compromise and account takeover keep landing against teams that secure the inbox and stop there. AI-automated phishing emails achieved click-through rates of 54%, compared with 12% for standard phishing attempts. Inbox scoring covers the Contact stage. Agentic detection connects the message to attacker infrastructure and the takedown workflows around it, across email and adjacent channels.
AI email security uses machine learning and AI agents to detect and respond to email-borne social engineering that signature- and rule-based filtering misses, including investigation after detection. The category spans behavioral scoring inside the inbox all the way to agentic detection that ties each message to the attacker infrastructure behind it.
Understanding where a given tool sits on that span is the difference between scoring the message and disrupting the attack. At the agentic end of the span, AI agents triage alerts and trigger remediation so security teams spend less time catching up on each new threat.
AI email security catches what rule-based filtering cannot: messages with no flagged link, no malicious attachment, and no signature to match. Rule-based filtering operates on defined logic: block this sender, flag that attachment type, quarantine messages from domains that fail authentication.
That logic works against known-bad indicators and breaks against anything new. A brand-new phishing template or a clean-text business email compromise message that instructs a finance clerk to wire money lacks a flagged link or malicious attachment, so it can look like ordinary business mail to a static gateway.
AI changes the detection question. Behavioral systems build profiles for senders, map relationships and communication cadence, then ask whether a given message is normal for that sender to send. That shift evaluates intent and context beyond database matching, which is what catches BEC and impersonation a rule-based filter misses.
AI email security layers on top of the protection already running on your mail. Native provider filtering and gateway signatures handle known threats efficiently, and that layer stays in place.
AI-native tools deploy on top via API to Microsoft 365 and Google Workspace and catch the AI-generated lures, BEC, and impersonation that bypass the layers beneath them, without MX record changes or mail flow rewrites.
Generative AI changed the attacker's economics. The slow, error-prone craft of a convincing phishing email can collapse into a task an attacker completes quickly, and the defender's filter could not keep matching signatures against a threat that no longer repeats itself.
The spelling and grammar errors that once gave phishing away no longer carry the signal they once did. Threat actors use AI to clean up awkward phrasing caused by language barriers and to write spear-phishing emails with more polish and fluency.
The longstanding advice security awareness programs gave, watch for typos, no longer applies on its own.
Attackers use generative tools to vary phishing messages enough that sender details and content structure do not repeat cleanly across a campaign. When messages vary that way, defenders lack a reliable fingerprint to add to a blocklist.
Analyst teams then have to match the volume, speed, and evasiveness AI can amplify, the conditions that pushed detection toward reasoning systems.
Email detection advanced through three generations, and each caught more than the last. Block-lists and reputation came first, then gateway signatures and sender history, then AI-native behavioral scoring. Some API-based tools read the message after it lands, while native filters and gateways scan before delivery.
The shared limit is campaign scope: these layers evaluate the Contact stage without seeing the infrastructure attackers build before the email sends.
The first generation works off observed behavior and community feedback. Native provider protections decide whether to accept, quarantine, or reject mail based on malicious URLs, infected attachments, and blocklisted sender IPs. That is the floor later layers build on.
These controls depend on having seen the threat before, so a brand-new lookalike domain stays untouched until someone gets hit first.
The second generation, the secure email gateway, sits between the mail server and the outside world and scans messages against databases of known malware signatures and phishing URL patterns. Gateways handle conventional threats effectively, yet they can struggle with attacks that bypass payload-based detection.
Some gateway-bypassing attacks send from compromised legitimate accounts, where reputation-based detection can fail outright. A purely linguistic BEC message with no payload, sent from a properly authenticated domain, passes signature inspection without resistance.
The third generation uses machine learning for behavioral analysis and natural language processing (NLP) to stop phishing, BEC, and impersonation by analyzing behavior, intent, and communication patterns in real time. These tools deploy via API to Microsoft 365 and Google Workspace and sit alongside native email tools without mail-flow rewrites.
Whether they scan before or after delivery, these tools evaluate the Contact stage. The campaign that produced the email remains untouched. That is the limit no generation of inbox scoring has crossed.
The email in the inbox is one move in a campaign mapped across five stages. It runs from Setup, where attackers register lookalike domains and build deepfake personas, through Launch, Contact, Engagement, and Compromise.
The infrastructure attackers build during Setup and Launch, and their pivot into voice, SMS, and chat at Engagement, sit outside the view of a tool that only reads mail:
The work starts before any email sends, outside an inbox tool's view. Attackers register lookalike domains using homoglyphs or alternate TLDs and acquire infrastructure for phishing pages.
They can also stand up fake personas to pose as recruiters or vendors. Attackers acquire domains for targeting and create fake email accounts for social engineering and impersonation.
Attackers bring staged infrastructure online next. The lookalike domains acquire credential-harvesting pages, and attackers load phishing kits onto hosted infrastructure. The delivery path can extend across email and adjacent channels such as SMS or social ads.
The email lands, and for the first time the inbox tool has something to evaluate. The behavioral model scores the sender and the NLP engine reads the language to reach a verdict on the message in front of it.
The verdict can be accurate within that boundary, and that boundary covers one stage of five.
The lure works by manufacturing urgency, then the campaign can pivot off email into a vishing call, an SMS lure, chat, social channels, or an MFA-prompt sequence such as a fatigue attack. Attackers increasingly deliver phishing beyond email into IM, social media, malicious ads, and trusted apps, with attacks outside email bypassing the work inbox entirely.
The campaign ends in financial theft, credential use, payment manipulation, or account control. At that point, the damage sits downstream of email-content scoring.
Agentic AI is the generation that closes the gap. The shift is architectural. Earlier generations were not designed to see the campaign behind the email, so adding a stronger signature or a sharper behavioral model leaves that structural blind spot in place. Agentic detection expands beyond the inbox by tying verdicts to external attacker infrastructure and linking confirmed phish to investigation and takedown workflows.
Agentic detection ties a suspicious inbox message to the infrastructure behind it. An agentic system inspects a message against attacker infrastructure already mapped through DNS and certificate data, plus multi-channel indicators. That context surfaces attacks targeting your vendors and customers across the supply chain before those campaigns reach a mailbox.
Because the verdict draws on infrastructure as well as message content, it also gives security teams more context around AI-generated lures that have no behavioral baseline. Inbox controls rely on having seen the threat before, which is why most phishing attacks feel novel. Grounding the verdict in pre-email infrastructure moves detection upstream of that constraint.
Attack volume can grow faster than headcount, and agentic investigation closes that gap. AI agents triage reported and detected phish, correlate them with infrastructure, classify them, then remediate or escalate. Routine cases stay out of the human queue while novel or escalated cases route to analysts.
Agents run detection on readable policies a security team can audit and tune, including for board review.
Autonomy without explanation is its own risk. Feeding raw alerts to an agent that decides without visible reasoning produces decisions no one can audit. Plain-language policy keeps human judgment in the loop on complex escalations while agents clear the routine queue at machine speed.
Detection that stops at a verdict leaves the attacker in place. Agentic disruption coordinates takedown of the sending infrastructure and malicious links behind a confirmed phish, so the same campaign cannot retarget the organization. Raising the rebuild cost shifts the attacker's calculus: when rebuilding costs more than the campaign earns back, attackers move toward easier targets.
A behavioral tool tells you a message is anomalous and quarantines it. Dismantling the infrastructure behind it cuts into the campaign at its source.
Doppel is the AI-native Social Engineering Defense platform that unifies Digital Risk Protection and Human Risk Management. Email Security is the pre-launch / waitlist third pillar, with general availability targeted for later in 2026. Doppel designed the email layer to defend the whole attack chain. Inbox detections will draw on the Threat Graph, the external intelligence engine that maps attacker infrastructure across domains, social, ads, telco, and more.
Agentic investigation will classify and explain each verdict in plain-language policy a SOC can read and tune, and when agents confirm a phish, they will coordinate takedown of the sending infrastructure and malicious links behind it.
The platform will convert a detected phish to an employee simulation, and the attacker infrastructure behind it will harden detection across the platform.
By April 2026, Doppel observed email emerging as a leading source of attacker activity against financial services and fintech brands, alongside social and messaging channels, in its threat intelligence brief, the precise multi-channel pattern an inbox-only tool cannot follow.
Security leaders should measure email defense by how much of the surrounding campaign it sees and disrupts. Inbox scoring alone is no longer the right yardstick. An email often marks the visible edge of a campaign attackers build across domains, profiles, and channels the inbox does not inspect. The teams that pull ahead will raise the cost of the whole attack until attackers decide the brand is too costly to attack and move on.
Agentic detection connects inbox detection to source-level disruption.Join the Email Security waitlist to see how agentic detection defends the whole attack chain.
