US11962552B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11962552-B2 |
| Application number | US-202017004398-A |
| Country | US |
| Kind code | B2 |
| Filing date | Aug 27, 2020 |
| Priority date | Feb 20, 2018 |
| Publication date | Apr 16, 2024 |
| Grant date | Apr 16, 2024 |
Official abstract text for this publication.
An endpoint agent extension of a cyber defense system for email that includes modules and machine learning models. An integration module integrates with an email client application to detect email cyber threats in emails in the email client application as well as regulate emails. An action module interfaces with the email client application to direct autonomous actions against an outbound email and/or its files when a cyber threat module determines the email and/or its files (a) to be a data exfiltration threat, (b) to be both malicious and anomalous behavior as compared to a user's modeled email behavior, and (c) any combination of these. The autonomous actions can include actions of logging a user off the email client application, preventing the sending of the email, stripping the attached files and/or disabling the link to the files from the email, and sending a notification to cyber security personnel regarding the email.
Opening claim text (preview).
What is claimed is:

1. An apparatus, comprising: an endpoint agent extension of a cyber defense system for email that includes two or more modules that are configured to cooperate with one or more machine learning models, comprising: an integration module of the endpoint agent extension configured to integrate the endpoint agent extension with an email client application on an endpoint computing device to detect email cyber threats in emails in the email client application as well as regulate outbound emails; an action module of the endpoint agent extension configured to interact with the email client application to direct autonomous actions, by the action module rather than a human taking an action, against at least an outbound email including its attached files and/or linked files under analysis when a cyber threat module determines the outbound email including its attached files and/or linked files (a) to be a data exfiltration threat, (b) to be both malicious and anomalous behavior as compared to a user's modeled email behavior, or (c) a combination of these two determinations, where the autonomous actions, against at least the outbound email and the files, include two or more actions selected from a group consisting of i) logging a user off the email client application, ii) preventing the sending of the outbound email, iii) stripping the attached files and/or disabling the link to the files from the outbound email, and iv) sending a notification to cyber security personnel of an organization regarding the outbound email; and a secure communications module in the endpoint agent extension configured to securely communicate with one or more modules in a cyber security appliance of the cyber defense system located in a network connected to the endpoint computing device, an email module in the cyber security appliance is configured to reference the one or more machine learning models that are trained on the normal behavior of email activity and user activity associated with at least the email system, where the email module determines a threat risk parameter that factors in a likelihood that a chain of two or more unusual behaviors of the email activity and user activity under analysis fall outside of derived normal benign behavior; and thus, are likely malicious behavior, where the action module, the secure communications module, and the integration module are part of the two or more modules of the endpoint agent extension, where when portions of i) the endpoint agent extension and ii) any modules are implemented in software, then their instructions are stored in one or more non-transitory machine readable storage mediums in a format when executed by the endpoint computing device to cause said endpoint computing device to perform operations listed for the apparatus.

2. The apparatus of claim 1, further comprising: an attachment analyzer of the endpoint agent extension that is configured to scan a file i) attached to and/or ii) linked to the outbound email that is about to be sent in an outbox, in order to analyze content and meta data of the file via investigation of the file structure, a meta data analysis tool, and machine learning analysis to gather information about the file itself and the content in the file.

3. The apparatus of claim 1, further comprising: wherein the endpoint agent extension is implemented as one of i) a plug-in integration for the email client application and ii) a browser extension for integration with a browser-based email client application.

4. The apparatus of claim 1, further comprising: where the modules of the endpoint agent extension are configured to receive and factor in both knowledge outside an email domain as well as metrics and other information from the email domain, collected by the one or more modules of the cyber defense appliance located on the network, where the modules of the endpoint agent extension also are configured to use the computing power of the one or more modules of the cyber defense appliance for one or more of the machine learning models, where the endpoint agent extension uses both the external computing power and additional knowledge collected outside the email domain in order to analyze contextual information about the outbound email under analysis, about user behavior of the user generating the outbound email, and/or about a particular file i) attached to or ii) linked to the outbound email.

5. The apparatus of claim 4, further comprising: where the cyber defense appliance of the cyber threat defense system is located in an IT network, an OT network, a SaaS environment, a cloud network, and/or any combination of these networks, to exchange secure communications with the endpoint agent extension to provide additional contextual information about user behavior outside the email domain, contextual information about attached files to the email under analysis to determine whether the outbound email under analysis and its attachments and/or links either i) are unusual or ii) are not unusual in context of a current user's behavior under analysis, to prevent incidents of data loss as well as wrongly addressed recipients.

6. The apparatus of claim 4, further comprising: where the email module of the cyber security appliance is configured to cooperate with the one or more machine learning models in the cyber security appliance to perform machine learning analysis on all inbound and outbound email flow for an organization to develop an awareness of a pattern-of-life for i) each individual user, ii) the organization as a whole, and iii) clustered groups of users the machine learning identifies as being closely associated with a given user, where the email module is configured to convey this information to the modules in the endpoint agent extension through the secure communications module.

7. The apparatus of claim 1, further comprising: where the secure communications module in the endpoint agent extension is configured to securely communicate with one or more modules in a cyber security appliance of the cyber defense system located in a network connected to the endpoint computing device in order to receive contextual information outside an email domain about the outbound email under analysis, as well as take instructions or receive additional information from an autonomous response module of the cyber security appliance regarding what autonomous action to take against the outbound email to mitigate a threat posed by the outbound email and its attachments and/or links.

8. The apparatus of claim 1, further comprising: where the endpoint agent extension and a cyber security appliance on a network cooperate to track and maintain a dynamic profile modeled for each email user in a domain who composes emails, which is 1) derived from a pattern-of-life for i) a corresponding email user in the email domain, ii) an organization that the individual user of the email domain is a part of, and iii) smaller clustered peer groups who have close associations with a given user on a per user basis, as well as 2) factors in network metrics with email domain metrics to make a decision that the behavior is deviating from the pattern-of-life for the email under analysis and any of its files attached or linked, where the cyber security appliance is configured to convey this information to the modules in the endpoint agent extension through the secure communications module.

9. The apparatus of claim 1, further comprising: where the email module in the network cyber security appliance is configured to track and maintain a dynamic profile modeled in a user model for each email user in the domain who composes emails, as well as cooperate with a model of email and network activities of each peer group in an orga
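The decision flow of claim 1, as an added toy example that is not the patent's implementation: an outbound email is compared with a constructed per-user model of normal email behaviour, a threat risk parameter is derived from the chain of unusual behaviours (a single deviation is not enough), and the action module then selects two or more autonomous actions from the group the claim enumerates. The user model fields, the deviation heuristics and the thresholds are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
# Toy model of claim 1's decision flow with constructed data; not the patent's code.
# Autonomous actions enumerated in claim 1, items i) to iv).
LOG_OFF, PREVENT_SEND, STRIP_FILES, NOTIFY = (
    "log_user_off_client", "prevent_send", "strip_attachments", "notify_security")

@dataclass
class UserModel:                 # constructed stand-in for the learned pattern-of-life
    known_recipient_domains: set
    typical_attachment_kb: int   # usual total attachment size for this user
    active_hours: range          # hours of day the user normally sends mail

@dataclass
class OutboundEmail:
    recipient_domains: set
    attachment_kb: int
    attachment_exts: set
    hour: int

def unusual_behaviours(email, model):
    """Chain of behaviours in this email that deviate from the user's model."""
    chain = []
    if not email.recipient_domains <= model.known_recipient_domains:
        chain.append("unknown_recipient_domain")
    if email.attachment_kb > 10 * model.typical_attachment_kb:
        chain.append("oversized_attachment")
    if email.attachment_exts & {"zip", "7z", "sql"}:   # constructed heuristic
        chain.append("bulk_container_attachment")
    if email.hour not in model.active_hours:
        chain.append("outside_active_hours")
    return chain

def threat_risk(chain):
    """Threat risk parameter in [0, 1]; a single deviation alone scores zero,
    since claim 1 keys on a chain of two or more unusual behaviours."""
    return 0.0 if len(chain) < 2 else min(1.0, len(chain) / 4)

def decide_actions(email, model):
    """Return (risk, actions). Determination (a), data exfiltration, applies when
    the chain involves attachments; (b), malicious and anomalous, otherwise."""
    chain = unusual_behaviours(email, model)
    risk = threat_risk(chain)
    if risk < 0.5:
        return risk, []
    actions = [PREVENT_SEND, NOTIFY]                    # always two or more actions
    if any(b.endswith("_attachment") for b in chain):  # (a): also strip the files
        actions.insert(1, STRIP_FILES)
    if risk >= 1.0:                                     # strongest response
        actions.append(LOG_OFF)
    return risk, actions
```

In a real deployment the model would be supplied by the appliance's email module over the secure communications module (claims 6 to 8), not hard-coded on the endpoint.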
CPC classification titles: using filtering or selective blocking; Machine learning; Commands or executable codes; for detecting or protecting against malicious traffic; Traffic logging, e.g. anomaly detection.