
I agree it's not a 'silver bullet', though I don't know what you mean exactly by first phase. That's why I stopped using any trendy terms like machine learning or convolutional neural networks (which is exactly what I was doing), because our sales engineers will sell it as if it's magic. It was easier to claim that it's a regular expression change. Of course, this meant I had to use my personal GPUs for training because I couldn't get funding.



The malware example would be you have limited sandbox space, so you have some first phase detections before doing the more expensive dynamic analysis.

For mail classification you could use ML on non-spam messages and flag them as suspicious. Then that signal could be corroborated by volume, being sent by multiple senders in volume, or a user manually classifying content matching that as spam. While ML can't give perfect true positive and false positive rates, it can be combined with other signals.


ML is generally not used for serious AV systems; they are sig/pattern based.

> Then that signal could be corroborated by volume

The more serious attacks are usually very low volume, sometimes unique to the victim.

> user manually classifying content matching that as spam

Manual classification is generally not possible because of data privacy issues and sheer volume, unless you mean by the end-user... but that's a hard sell (what are you selling at the point?)



