US11477222B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11477222-B2 |
| Application number | US-202016732644-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jan 2, 2020 |
| Priority date | Feb 20, 2018 |
| Publication date | Oct 18, 2022 |
| Grant date | Oct 18, 2022 |
Official abstract text for this publication.
A cyber-threat defense system for a network including its email domain protects this network from cyber threats. Modules utilize machine learning models as well as communicate with a cyber threat module. Modules analyze the wide range of metadata from the observed email communications. The cyber threat module analyzes with the machine learning models trained on a normal behavior of email activity and user activity associated with the network and in its email domain in order to determine when a deviation from the normal behavior of email activity and user activity is occurring. A mass email association detector determines a similarity between highly similar emails being i) sent from or ii) received by a collection of two or more individual users in the email domain in a substantially simultaneous time frame. Mathematical models can be used to determine similarity weighing in order to derive a similarity score between compared emails.
Opening claim text (preview).
What is claimed is:

1. A cyber threat defense system for a network including its email domain, comprising a computing device communicatively coupled to a set of computing devices, the computing device comprising: a first module configured to utilize a set of machine learning models as well as communicate with a cyber threat module, where the first module also is configured to receive information from a set of detectors to provide at least a range of metadata from observed email communications in the email domain; where the cyber threat module is configured to cooperate with the first module to analyze the range of metadata from the observed email communications, where the cyber threat module analyzes with the machine learning models trained on a normal behavior of email activity and user activity associated with the network and its email domain in order to determine when a deviation from the normal behavior of email activity and user activity associated with the network and its email domain is occurring; a mass email association detector configured to determine a similarity between two or more similar emails being i) sent from or ii) received by a collection of two or more individual users in the email domain in a simultaneous time frame, where one or more mathematical models are used to determine similarity weighing in order to derive a similarity score between compared emails, and an email layout change predictor module configured to detect anomaly deviations by considering at least a layout of the email, and where the email layout change predictor module utilizes one or more machine learning models that are trained and are configured to model and store a historical norm state of the layout of the email including at least a formatting of the email and a structure of an email body, where when any software instructions are implemented in any of the first module, the cyber-threat module, and the one or more machine learning models, then the software instructions are stored in an executable form in one or more memories and are configured to be executed by one or more processors.

2. The cyber threat defense system of claim 1, further comprising: a mass email association module configured to determine a likelihood that two or more similar emails that are being i) sent from or ii) received by a collection of users in the email domain under analysis in the simultaneous time period, based on at least i) historical patterns of communication between those users, and ii) how rare the collection of users under analysis all would send and/or receive this similar email in roughly the simultaneous time frame, where the mass email association module uses the normal behavior of email activity and user activity associated with the network and its email domain to create a map of associations between users in the email domain to generate the likelihood that the two or more users would be included in the similar emails determined by the mass email association detector.

3. The cyber threat defense system of claim 1, further comprising: one or more mathematical models are configured to determine similarity weighing in order to derive the similarity score between compared emails; and an email similarity scoring module configured to cooperate with the one or more mathematical models in order to compare an incoming email, based on a semantic similarity of multiple aspects of the incoming email to a cluster of different metrics derived from known bad emails to derive the similarity score between an email under analysis and the cluster of different metrics derived from known bad emails.

4. The cyber threat defense system of claim 1, where the email layout change predictor module is further configured to analyze changes in the email layout of the email of the user in that email domain to assess whether malicious activity is occurring to an email account of that user, based on the changes in the email layout of the email deviating from the historical norm.

5. The cyber threat defense system of claim 4, where the email layout change predictor module is further configured to detect the anomaly deviations by considering two or more parameters of the email selected from a group consisting of the layout of the email, the formatting of the email, the structure of the email body including any of content, language-usage, subjects, and sentence construction within the email body in order to detect a change in behavior of a sender of the email under analysis that is indicative of their email account being compromised.

6. The cyber threat defense system of claim 5, where the email layout change predictor module is further configured to compare the historical norm state of the layout, the formatting, and the structure every time a new email is seen in order to check whether the new email diverges more than a threshold amount from the historical norm state.

7. The cyber threat defense system of claim 1, further comprising: one or more bloom filters that are configured to provide a method of storing commonality data for any of i) domains, ii) hostnames, and iii) other information regarding observed in email traffic using the bloom filters and then being able to look up and retrieve that data, where the bloom filters are used to store intelligence known from the network about email traffic, all of which is stored in a compressed manner due to the nesting structure of the bloom filters.

8. The cyber threat defense system of claim 1, further comprising: an image-tracking link detector configured to detect a tracking link based on visual properties of the tracking link as well as a purpose of any query parameters from that link.

9. The cyber threat defense system of claim 8, further comprising: an image-tracking link module configured to cooperate with the image-tracking link detector to analyze the tracking link's properties that describe the tracking link's visual style and appearance accompanying the tracking link to detect whether the tracking link is intentionally being hidden as well as a type of query requests made by the tracking link, where the image-tracking link module is configured to determine whether this tracking link is a suspicious covert tracking link and then an autonomous response module is configured to take an autonomous action to remedy the tracking link when determined to be the suspicious covert tracking link while not stopping every email entering the email domain with a tracking link but merely emails with the suspicious covert tracking link.

10. The cyber threat defense system of claim 1, where the cyber threat module is configured to receive an input from each of the following modules, which include: a mass email association module configured to determine a likelihood that two or more similar emails would be i) sent from or ii) received by a collection of users in the email domain under analysis in the simultaneous time period, where the simultaneous time period is equal to or less than a ten second difference in any of i) a time sent for each of the similar emails under analysis, and ii) a time received for each of the similar emails under analysis; an email similarity scoring module configured to compare an incoming email, based on a semantic similarity of multiple aspects of the incoming email to a cluster of different metrics derived from known bad emails to derive a similarity score between an email under analysis and the cluster of different metrics derived from known bad emails; an email layout change predictor module configured to analyze changes in an email layout of an email of a user in that email domain to assess whether malicious activity is occurring to an email account of that user, based on the change
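The mass email association detector of the abstract and of claims 1 and 10 (near-identical emails reaching two or more distinct mailboxes within a ten-second window, scored by a weighted similarity model) can be sketched as follows. This is an added example, not code from the patent or its applicant. The patent names neither the similarity model nor its parameters, so the word-shingle Jaccard measure, the 0.3/0.7 subject/body weighting, the 0.8 score threshold and the sample messages below are all assumptions; only the ten-second window comes from claim 10. Claim 2's rarity map of user associations is not modelled here.

```python
"""Mass-email association detector (added example, not the patent's code).

Groups emails that hit two or more distinct recipients in one domain within a
short time window and score above a similarity threshold. Assumptions not in
the patent: word-shingle Jaccard as the similarity model, 0.3/0.7 subject/body
weighting, 0.8 threshold, and the constructed sample messages below.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass(frozen=True)
class Email:
    recipient: str
    sender: str
    subject: str
    body: str
    received: datetime


TOKEN_RE = re.compile(r"[a-z0-9]+")


def shingles(text: str, k: int = 3) -> set:
    """Lower-case, strip punctuation and return the set of k-word shingles."""
    tokens = TOKEN_RE.findall(text.lower())
    if len(tokens) < k:
        return {" ".join(tokens)} if tokens else set()
    return {" ".join(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}


def similarity_score(a: Email, b: Email, subject_weight: float = 0.3) -> float:
    """Weighted Jaccard over subject words and body 3-shingles, in [0, 1].

    The patent only says 'mathematical models ... similarity weighing'; the
    measure and the weighting are assumptions for this example."""
    def jaccard(x: set, y: set) -> float:
        return len(x & y) / len(x | y) if (x | y) else 0.0
    return (subject_weight * jaccard(shingles(a.subject, 1), shingles(b.subject, 1))
            + (1 - subject_weight) * jaccard(shingles(a.body), shingles(b.body)))


def mass_email_clusters(emails, window=timedelta(seconds=10), threshold=0.8):
    """Return lists of >= 2 emails, each to a distinct recipient, received within
    `window` of the cluster's earliest member and scoring >= threshold against it.
    The 10 s window is the figure claim 10 gives for 'simultaneous'."""
    emails = sorted(emails, key=lambda e: e.received)
    used, clusters = set(), []
    for i, seed in enumerate(emails):
        if i in used:
            continue
        group, recipients = [seed], {seed.recipient}
        for j in range(i + 1, len(emails)):
            cand = emails[j]
            if cand.received - seed.received > window:
                break  # sorted by time: nothing later can be in the window
            if j in used or cand.recipient in recipients:
                continue  # one email per mailbox per cluster
            if similarity_score(seed, cand) >= threshold:
                group.append(cand)
                recipients.add(cand.recipient)
                used.add(j)
        if len(group) >= 2:
            used.add(i)
            clusters.append(group)
    return clusters


# Constructed sample traffic: a phishing wave to three mailboxes within 7 s,
# an unrelated personal mail, and a straggler copy 45 s later.
T0 = datetime(2024, 1, 1, 9, 0, 0)
PHISH = "Your payroll details need urgent verification. Click the secure link to confirm your account today."
SAMPLE = [
    Email("alice@example.test", "payroll@ex4mple-hr.test", "Action required: payroll update", PHISH, T0),
    Email("bob@example.test", "payroll@ex4mple-hr.test", "Action required: payroll update", PHISH,
          T0 + timedelta(seconds=3)),
    Email("carol@example.test", "payroll@ex4mple-hr.test", "Action Required - payroll update",
          "Hi Carol, " + PHISH, T0 + timedelta(seconds=7)),
    Email("dave@example.test", "dan@partner.test", "Lunch?",
          "Are you free for lunch on Thursday? The new place on the corner looks good.",
          T0 + timedelta(seconds=5)),
    Email("erin@example.test", "payroll@ex4mple-hr.test", "Action required: payroll update", PHISH,
          T0 + timedelta(seconds=45)),
]

if __name__ == "__main__":
    for group in mass_email_clusters(SAMPLE):
        print("mass email to:", sorted(e.recipient for e in group))
```

Run stand-alone, the block reports a single cluster covering alice, bob and carol: the personalised "Hi Carol" copy still scores above the threshold, while the copy to erin falls outside the window and the lunch invitation does not match. In a deployment the cluster would be one input to the cyber threat module, to be weighed against claim 2's question of how rare it is for exactly these recipients to receive the same email at the same moment.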
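The email layout change predictor of claims 1 and 4 to 6 (a stored historical norm of a sender's layout, formatting and body structure, compared against every new email and flagged when it diverges by more than a threshold) can be illustrated as below. This is an added example, not code from the patent or its applicant. The patent says only that trained models hold the norm; the particular layout features, the mean-and-standard-deviation divergence measure, the threshold of 2.0 and the constructed emails from the hypothetical sender sam@example.test are all assumptions.

```python
"""Email layout change predictor (added example, not the patent's code).

Learns a per-sender norm of layout/formatting/structure features and flags a
new email whose features diverge from that norm by more than a threshold.
Assumptions not in the patent: the feature set, the z-score divergence, the
0.5 stdev floor, the 2.0 threshold and the constructed sample emails.
"""
import re
import statistics
from collections import defaultdict

SENTENCE_RE = re.compile(r"[.!?]+")
URL_RE = re.compile(r"https?://\S+")
HTML_TAG_RE = re.compile(r"<[a-zA-Z][^>]*>")
GREETING_RE = re.compile(r"^(hi|hello|dear)\b", re.I)
SIGNOFF_RE = re.compile(r"^(thanks|regards|cheers|best)\b", re.I)


def layout_features(body: str) -> dict:
    """Structural fingerprint of one email body; no content semantics."""
    lines = body.strip().splitlines()
    sentences = [s for s in SENTENCE_RE.split(body) if s.strip()]
    words = body.split()
    alpha = sum(c.isalpha() for c in body)
    return {
        "paragraphs": sum(1 for i, l in enumerate(lines)
                          if l.strip() and (i == 0 or not lines[i - 1].strip())),
        "avg_sentence_len": len(words) / len(sentences) if sentences else 0.0,
        "links": len(URL_RE.findall(body)),
        "html_tags": len(HTML_TAG_RE.findall(body)),
        "has_greeting": 1.0 if lines and GREETING_RE.match(lines[0].strip()) else 0.0,
        "has_signoff": 1.0 if any(SIGNOFF_RE.match(l.strip()) for l in lines[-4:]) else 0.0,
        "exclamations": body.count("!"),
        "uppercase_ratio": sum(c.isupper() for c in body) / max(1, alpha),
    }


class LayoutNorm:
    """Per-sender historical norm: the observed values of each feature."""

    def __init__(self):
        self.history = defaultdict(list)

    def learn(self, sender: str, body: str) -> None:
        for k, v in layout_features(body).items():
            self.history[(sender, k)].append(v)

    def divergence(self, sender: str, body: str):
        """Mean absolute z-score of the new email against the sender's norm.
        A floor on the stdev stops near-constant features from dominating.
        Returns None for a sender with no history (no norm to compare)."""
        zs = []
        for k, v in layout_features(body).items():
            hist = self.history.get((sender, k))
            if not hist:
                return None
            mu = statistics.fmean(hist)
            sd = statistics.pstdev(hist) if len(hist) > 1 else 0.0
            zs.append(abs(v - mu) / max(sd, 0.5))
        return sum(zs) / len(zs)

    def is_anomalous(self, sender: str, body: str, threshold: float = 2.0) -> bool:
        d = self.divergence(sender, body)
        return d is not None and d > threshold


# Constructed history for a hypothetical sender, then two new emails: one in
# the usual style and one typical of a hijacked account pushing a wire fraud.
SENDER = "sam@example.test"
SAM_HISTORY = [
    "Hi team,\n\nHere is the weekly status. The deploy went fine and the tests are green.\n\nThanks,\nSam",
    "Hi team,\n\nQuick update on the migration. We moved two services and nothing broke.\n\nThanks,\nSam",
    "Hi all,\n\nReminder about the review tomorrow. Please read the design doc before we meet.\n\nThanks,\nSam",
    "Hi team,\n\nThe release is scheduled for Friday. Let me know if anything looks wrong.\n\nThanks,\nSam",
]
SAM_NEW_NORMAL = "Hi team,\n\nSmall note about the standup. We will start ten minutes later.\n\nThanks,\nSam"
SAM_COMPROMISED = ("URGENT!!! Wire transfer needed NOW. Open http://pay-now.example.test/x and "
                   "http://pay-now.example.test/y to approve!!! Do it immediately!")

if __name__ == "__main__":
    norm = LayoutNorm()
    for past in SAM_HISTORY:
        norm.learn(SENDER, past)
    for label, body in (("normal", SAM_NEW_NORMAL), ("compromised", SAM_COMPROMISED)):
        print(label, round(norm.divergence(SENDER, body), 2), norm.is_anomalous(SENDER, body))
```

The usual-style follow-up stays well under the threshold, while the wire-fraud message diverges on nearly every feature at once: greeting and sign-off gone, paragraph structure collapsed, links and exclamation marks where there were none. As claim 6 describes, the check runs on every new email, and a sender with no history yields no verdict rather than a false one.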
E-mail addresses · CPC title
Event detection, e.g. attack signature detection · CPC title
Traffic logging, e.g. anomaly detection · CPC title
using filtering or selective blocking · CPC title
Multimedia information · CPC title