Cyber threat defense system protecting email networks with machine learning models using a range of metadata from observed email communications

US11962608B2 · US · B2

Patent metadata
Publication number: US-11962608-B2
Application number: US-202217966708-A
Country: US
Kind code: B2
Filing date: Oct 14, 2022
Priority date: Feb 20, 2018
Publication date: Apr 16, 2024
Grant date: Apr 16, 2024

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

A cyber-threat defense system for a network including its email domain protects this network from cyber threats. Modules utilize machine learning models as well as communicate with a cyber threat module. Modules analyze the wide range of metadata from the observed email communications. The cyber threat module analyzes with the machine learning models trained on a normal behavior of email activity and user activity associated with the network and in its email domain in order to determine when a deviation from the normal behavior of email activity and user activity is occurring. A mass email association detector determines a similarity between highly similar emails being i) sent from or ii) received by a collection of two or more individual users in the email domain in a substantially simultaneous time frame. Mathematical models can be used to determine similarity weighing in order to derive a similarity score between compared emails.

First claim

Opening claim text (preview).

What is claimed is:

1. A cyber threat defense system for a network including an email domain, comprising a computing device communicatively coupled to a set of computing devices, the computing device comprising: a first module configured to utilize a set of machine learning models, communicate with a cyber threat module, and receive information from a set of detectors to provide at least a range of metadata from observed email communications in the email domain, wherein the cyber threat module is configured to cooperate with the first module to (i) analyze the range of metadata from the observed email communications and (ii) analyze the machine learning models trained on a normal behavior of email activity and user activity associated with the network and its email domain to determine when a deviation from the normal behavior of email activity and the user activity associated with the network and its email domain occurs; a mass email association detector configured to determine a similarity between two or more emails being i) sent from or ii) received by a collection of two or more individual users in the email domain in a prescribed time frame, wherein one or more mathematical models are used to determine similarity weighing to derive a similarity score between compared emails; an email layout change predictor module configured to detect anomaly deviations by considering at least a layout of the email, wherein the email layout change predictor module utilizes one or more machine learning models that are trained to model and store a historical norm state of the layout of the email, including at least a formatting of the email and a structure of an email body; an image-tracking link module configured to cooperate with the email layout change predictor module to analyze properties that describe the visual style and appearance of the tracking link to detect whether the tracking link is a suspicious covert tracking link, and wherein an autonomous response module is configured to take an autonomous action to remedy the tracking link when the tracking link is determined to be a suspicious covert tracking link while allowing other emails with a tracking link to enter the email domain; and wherein when software instructions are implemented in the first module, the cyber-threat module, and the one or more machine learning models, the software instructions are stored in an executable form in one or more memories and configured to be executed by one or more processors.

2. The cyber threat defense system of claim 1, wherein the mass email association module is further configured to determine a likelihood that the two or more emails being i) sent from or ii) received by a collection of users in the email domain under analysis in the prescribed time period, based on at least i) historical patterns of communication between those users, and ii) the rarity of the collection of users under analysis sending and/or receiving email in the prescribed time period, wherein the mass email association module uses the normal behavior of email activity and user activity associated with the network and its email domain to create a map of associations between users in the email domain to generate the likelihood that the two or more users would be included in the emails determined by the mass email association detector.

3. The cyber threat defense system of claim 1, further comprising: one or more mathematical models configured to determine similarity weighing to derive the similarity score between compared emails; and an email similarity scoring module configured to cooperate with the one or more mathematical models to compare an incoming email, and deriving, based on a semantic similarity of multiple aspects of the incoming email to a cluster of different metrics derived from known bad emails, the similarity score between an email under analysis and the cluster of different metrics derived from known bad emails.

4. The cyber threat defense system of claim 1, wherein the email layout change predictor module is further configured to analyze changes in the email layout of the email of the user corresponding to the user's email domain to assess whether malicious activity is occurring to an email account of the user based on the changes in the email layout of the email deviating from the historical norm.

5. The cyber threat defense system of claim 4, wherein the email layout change predictor module is further configured to detect the anomaly deviations by considering two or more parameters of the email selected from a group consisting of: the layout of the email, the formatting of the email, the structure of the email body including any of content, language-usage, subjects, and sentence construction within the email body to detect a change in behavior of a sender of the email under analysis indicative of the email account being compromised.

6. The cyber threat defense system of claim 5, wherein the email layout change predictor module is further configured to compare the historical norm state of the layout, the formatting, and the structure every time a new email is seen to check whether the new email diverges more than a threshold amount from the historical norm state.

7. The cyber threat defense system of claim 1, further comprising: one or more bloom filters configured to provide a method of storing commonality data for any of i) domains, ii) hostnames, and iii) other information regarding observed in email traffic, and using the one or more bloom filters to look up and retrieve the data, and wherein the bloom filters are used to store intelligence known from the network about email traffic, all of which is stored in a compressed manner due to the nesting structure of the bloom filters.

8. The cyber threat defense system of claim 1, wherein the image-tracking link detector is further configured to detect a tracking link based on visual properties of the tracking link as well as a purpose of any query parameters from the tracking link.

9. The cyber threat defense system of claim 8, wherein the image-tracking link module is further configured to cooperate with the image-tracking link detector to analyze properties that describe the visual style and appearance of the tracking link to detect whether the tracking link is being intentionally hidden as well as a type of query requests made by the tracking link, wherein the image-tracking link module is configured to determine whether the tracking link is a suspicious covert tracking link and wherein the autonomous response module is further configured to take an autonomous action to remedy the tracking link when determined to be a suspicious covert tracking link while allowing other emails with a tracking link to enter the email domain.

10. The cyber threat defense system of claim 1, wherein the cyber threat module is configured to receive input from each of the following modules, which include: the mass email association module further configured to determine a likelihood that two or more emails would be i) sent from or ii) received by a collection of users in the email domain under analysis in the prescribed time period, wherein the prescribed time period is equal to or less than a ten second difference in any of i) a time sent for each of the emails under analysis, and ii) a time received for each of the emails under analysis; an email similarity scoring module configured to compare an incoming email, and deriving, based on a semantic similarity of multiple aspects of the incoming email to a cluster of different metrics derived from known bad emails, the similarity score between an email under analysis and the cluster of different metrics derived from known bad emails; the email layout change predicto
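As an added illustration of the mass email association detector of claims 1 and 10 (example code written for this page, not code from the patent or from Darktrace), the Python below groups emails that arrive within the ten-second window named in claim 10, score above a similarity threshold, and reach two or more distinct users. The 0.2/0.4/0.4 weighting over sender, subject tokens and body tokens and the 0.75 threshold are assumptions, and the sample traffic is constructed.

```python
from collections import namedtuple
from datetime import datetime, timedelta
import re

Email = namedtuple("Email", "sender recipient subject body received")
WINDOW = timedelta(seconds=10)  # prescribed time period of claim 10 (ten seconds or less)
WEIGHTS = {"sender": 0.2, "subject": 0.4, "body": 0.4}  # assumed similarity weighting

def tokens(text):
    return set(re.findall(r"[a-z0-9]+", text.lower()))

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 1.0

def similarity(e1, e2):
    """Weighted similarity score between two emails, in the range 0.0 to 1.0."""
    return (WEIGHTS["sender"] * float(e1.sender == e2.sender)
            + WEIGHTS["subject"] * jaccard(tokens(e1.subject), tokens(e2.subject))
            + WEIGHTS["body"] * jaccard(tokens(e1.body), tokens(e2.body)))

def mass_email_clusters(emails, threshold=0.75):
    """Group highly similar emails received by two or more distinct users within WINDOW."""
    emails = sorted(emails, key=lambda e: e.received)
    used, clusters = set(), []
    for i, anchor in enumerate(emails):
        if i in used:
            continue
        group = [anchor]
        for j in range(i + 1, len(emails)):
            if emails[j].received - anchor.received > WINDOW:
                break  # sorted by time, so no later email can fall inside the window
            if j not in used and similarity(anchor, emails[j]) >= threshold:
                group.append(emails[j])
                used.add(j)
        if len({e.recipient for e in group}) >= 2:
            clusters.append(group)
    return clusters

# Constructed sample traffic: one near-identical message fanned out to three users within 8 s,
# an unrelated message in the same window, and a fourth copy five minutes later (outside it).
T0 = datetime(2024, 4, 16, 9, 0, 0)
BODY = "Please review the attached invoice and confirm payment today."
SAMPLE = [
    Email("billing@example.test", "alice@corp.test", "Invoice 4471 overdue", BODY, T0),
    Email("billing@example.test", "bob@corp.test", "Invoice 4472 overdue", BODY, T0 + timedelta(seconds=3)),
    Email("billing@example.test", "carol@corp.test", "Invoice 4473 overdue", BODY, T0 + timedelta(seconds=8)),
    Email("hr@corp.test", "dave@corp.test", "Team lunch Friday", "Reply with your menu choice by Thursday.", T0 + timedelta(seconds=5)),
    Email("billing@example.test", "erin@corp.test", "Invoice 4474 overdue", BODY, T0 + timedelta(minutes=5)),
]
```

Running `mass_email_clusters(SAMPLE)` yields a single cluster covering alice, bob and carol; the copy sent to erin five minutes later falls outside the window and is not grouped.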

Assignees

Inventors

Classifications

  • Traffic logging, e.g. anomaly detection · CPC title

  • Machine learning · CPC title

  • Event detection, e.g. attack signature detection · CPC title

  • E-mail addresses · CPC title

  • G06F21/554 (Primary)

    involving event detection and direct action · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11962608B2 cover?
A cyber-threat defense system for a network including its email domain protects this network from cyber threats. Modules utilize machine learning models as well as communicate with a cyber threat module. Modules analyze the wide range of metadata from the observed email communications. The cyber threat module analyzes with the machine learning models trained on a normal behavior of email activity …
Who is the assignee on this patent?
Darktrace Holdings Ltd
What technology area does this patent fall under?
Primary CPC classification H04L63/1425. Mapped technology areas include Electricity.
When was this patent published?
Publication date: Apr 16, 2024 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).