The budget conversation about email security has been the same for twenty years. The security leader asks for money to block threats. The CFO asks why the existing tools are not enough. The real risk, meanwhile, has moved somewhere neither question covers.

The threat your company faces from email in 2026 runs through your own AI tools. A carefully crafted email arrives. Your AI assistant reads it. Hidden inside the message are instructions telling the assistant to find sensitive files and send them to the attacker. The employee never clicks anything. The AI does the work.

This is not a future risk. It is a documented, patched vulnerability that exposed tens of millions of business users in 2025 and into 2026.

For most of the last two decades, email security was a filtering problem. A dangerous message arrives. The filter checks it against a list of known bad patterns. If it matches, it gets blocked. If it does not, it reaches the inbox and the employee decides what to do with it.

That model assumed the threat stopped at the inbox. Attackers figured out how to make messages look legitimate, so filters started using machine learning to catch social engineering. The industry called this Integrated Cloud Email Security, a category of tools that connect directly to Microsoft 365 or Google Workspace via a software connection rather than rerouting mail through a separate system. No changes to email routing required. Deploys in minutes.

These tools can also pull a dangerous message back out of an inbox after delivery, a capability called clawback. A message lands, the system catches it a few seconds or minutes later, and removes it before the employee acts on it. Think of it as a product recall for email.

All of this is sound. And all of it was designed before companies started giving AI assistants access to their inboxes.

In June 2025, security researchers at Aim Security disclosed a vulnerability in Microsoft 365 Copilot, the AI assistant built into the company's business software used by more than 400 million people worldwide. The vulnerability, assigned a critical severity score of 9.3 out of 10, worked like this.

An attacker sends your employee a normal-looking email. Your employee has Copilot enabled. When Copilot reads the inbox to summarize messages or answer questions, it processes that email. Hidden inside the email are instructions, invisible to the human reader, telling Copilot to find sensitive files and send them to the attacker. Copilot follows the instructions. Your employee never opened a suspicious attachment, never clicked a bad link, never did anything wrong. The AI assistant, acting on behalf of the employee, did the work.

The reason this works is architectural. AI assistants do not distinguish between instructions from their owners and instructions embedded in content they are asked to read. To Copilot, an email is text. Text contains instructions. The assistant follows instructions. There is no native mechanism to mark one source of text as trusted and another as untrusted.

Researchers at Permiso Security found a second version of the same class of attack in early 2026, this time affecting Copilot's email summarization feature. Attackers embedded fake security alerts inside emails. When Copilot summarized the message for the employee, the summary showed the attacker's content, presented as a system notification from the AI tool itself. Users trusted the summary because it appeared to come from the assistant, not the email.

Microsoft patched both vulnerabilities. The underlying architectural problem, that AI tools cannot reliably separate trusted instructions from untrusted content, remains unsolved across the industry. Every AI assistant that reads external email carries a version of this exposure.

Attackers are running the same playbook in reverse. AI now composes phishing messages personalized enough to read as internal company communications, referencing your employee's actual manager, actual project, actual writing style, pulled from public sources or a previously compromised account. The typo-laden wire transfer request is not the model anymore.

Barracuda Networks published research in May 2026 based on analysis of more than 3.1 billion emails showing that 48% of all malicious email activity is now phishing (Barracuda Networks; 2026). A single phishing email in their red team testing moved from initial delivery to identity theft, bypassed two-factor authentication, and reached the employee's endpoint in minutes (Barracuda Networks; 2026). The filter at the front door was not the deciding factor. Speed was.

Agentic AI attacks take this further. Where an AI writing tool gives an attacker a better message, an agentic AI system gives the attacker an autonomous collaborator that plans the attack, sends the message, monitors responses, adapts based on what happens, and moves to the next step without human involvement. The attacker sets a goal. The system figures out how to reach it.

Most security budget requests sound the same: threats are getting worse, the current tools are not enough, here is the number. A CFO hears that framing across every category, every cycle. The response is skepticism because the framing provides no way to evaluate the specific risk or compare it against the cost of doing nothing.

The cost comparison is one a CFO can evaluate. The average cost of a business email compromise incident runs into the hundreds of thousands of dollars before legal, regulatory, and reputational consequences are counted. Barracuda's data shows 34% of companies experience at least one account takeover per month (Barracuda Networks; 2026). Account takeover is monthly operational risk, not a rare event. The annual cost of a modern email security tool at most company sizes is a fraction of a single incident.

For organizations already running multiple tools, there is a consolidation argument worth making. Many companies paying for an older-style email gateway alongside Microsoft's built-in security are paying for duplicated coverage. A newer API-connected tool that replaces the legacy gateway, extends protection post-delivery, and works across both Microsoft 365 and Google Workspace can cost less in total while closing gaps the older tools were not designed to address. That framing gives the CFO a path to yes rather than a request to spend more.

Barracuda and KnowBe4 have landed on different answers to where the durable risk sits, and the difference is worth understanding before buying either.

Barracuda's June 2026 launch of Integrated Email Protection reflects a bet that the problem is response speed. Their product uses AI agents that watch email, identity signals, network activity, and application behavior simultaneously, correlate them in real time, and act without waiting for a human analyst to log in and approve each decision. When a threat is detected post-delivery, the system pulls the message from every mailbox across the organization automatically. For companies served by managed service providers handling dozens of clients simultaneously, automation at that scale is the only workable model.

KnowBe4 takes a different position. Their product, called Defend, operates from the premise that the most persistent vulnerability is human behavior, and that removing threats silently trains nobody. Defend uses every dangerous email that reaches an employee as a teaching moment, showing the employee what made the message suspicious and why. Their May 2026 expansion extended this approach into Microsoft Teams, covering the gap between email protection and the collaboration tools where attacks increasingly land.

These are not competing claims about which product has better detection. They are different theories about where the durable risk sits. Barracuda argues that human response is too slow for the current threat speed, so the system should act autonomously. KnowBe4 argues that employees who understand attacks are a better long-term defense than systems that hide attacks from view.

The right choice turns on one operational question: does your organization have staff who can use security training to change employee behavior over time, or does it need a system that acts before any employee is involved? Most mid-market companies served through managed service providers fall into the second category. That is the market Barracuda is building for.

Microsoft patched EchoLeak. Permiso Security's vulnerability in email summarization was patched by March 2026. A third vulnerability in Copilot Studio was patched in January 2026. Each patch addressed a specific technical flaw.

The underlying condition that made all three possible has not been patched, because it cannot be patched. AI tools that process external content, which is most AI tools deployed in business, operate on the same stream of text as the content they are asked to read. Instructions and content look identical to the model. An attacker who can put text in front of an AI assistant can attempt to instruct it. The sophistication of the attack determines whether the attempt succeeds, and attack sophistication is increasing faster than defensive guardrails.

The Cisco State of AI Security 2026 report documents the gap between how fast organizations are deploying AI tools and how prepared they are to secure them. The question worth asking internally: does your organization know which AI tools have access to your inboxes, what those tools are permitted to do after reading a message, and whether anyone has tested what happens when that message contains instructions rather than information?

Every AI tool connected to a company inbox expands what an attacker can do with a single well-crafted email.