Threat Response Auto-Pull

Email Security and Protection


Proofpoint Threat Response Auto-Pull (TRAP) enables messaging and security administrators to analyse emails and move malicious or unwanted emails to quarantine, after delivery. It follows forwarded mail and distribution lists and creates an auditable activity trail.

Features and Benefits

Quarantine malicious email post-delivery and get reports on quarantine attempts

Email quarantine for malicious and unwanted messages, after delivery

Unwanted email can take several forms. Malicious emails can contain phishing links that can be poisoned after delivery or use evasion techniques which lead to false negatives and delivered malicious emails. Unwanted email such as inappropriate jokes or compliance violations in emails are a few examples. Email security teams are often tasked with email analysis and cleaning up to reduce threat exposure and limit potential damages. While email quarantining one message may not require much work and a mere 10 to 15 minutes each, situations where ten emails or more are involved can become tedious, with time requirements quickly adding up.

Forward following and distribution list expansion

Malicious and unwanted emails may be forwarded to other individuals, departments, or distribution lists. In these situations, attempting to retract those emails after delivery has been a sore point for many administrators. Threat Response Auto-Pull (TRAP) addresses this situation with built-in business logic and intelligence that understands when messages are forwarded or sent to distribution lists then automatically expands and follows the wide fan out of recipients to find and retract those messages. This saves time and frustration, and with the added benefit of showing message 'read' status, TRAP additionally helps prioritise which users and endpoints to review.

Out-of-band email management

TRAP also leverages CSV files, PPS SmartSearch, and abuse mailboxes. Users can upload SmartSearch results, CSV files or use manual incidents with a few key pieces of information to initiate an email quarantine action of one or thousands of emails. In moments, policy violating emails, in addition to security threats can be pulled out of mailboxes, with an activity list showing who read the emails and the success or failure of the attempt to recall the email.

Messages sent to abuse mailboxes can also be monitored and processed in the same way. Messages sent to the abuse mailbox are automatically decomposed into its component parts then further analysed against multiple intelligence and reputation systems to determine if any of the content matches malicious markers. Messages containing credential phishing templates, malware links, and attachments can be surfaced by automatically comparing those message against Proofpoint’s industry-leading reputation and intelligence security systems to identify truly malicious messages. Messaging administrators can then initiate "auto-pull" on those messages to pull them out of the sender's mailbox, and if the message was forwarded to other users or distribution lists, the retraction action will follow the trail to pull the messages out and place them in email quarantine.

Cross-vector intelligence sharing with the Proofpoint Nexus Threat Graph

The Proofpoint Nexus Threat Graph provides industry-leading aggregation and correlation of threat data across email, cloud, network and social. It powers real-time threat protection and response across all our products. And as part of the Proofpoint Platform, there is nothing to install, deploy or manage.

Threat Response Auto-Pull (TRAP) leverages the Nexus Threat Graph intelligence to build associations between recipients and user identities. It reveals associated campaigns and surfaces IP addresses and domains in the attack. And based on that, TRAP takes automated actions on targeted users who belong to specific departments or groups with special permissions.

Also, if we detect an email that contains malicious links, attachments or suspect IPs at a customer site, we will share this information across our entire customer base. This helps with pre-delivery protection. It removes and quarantines any messages that have been delivered to any user’s inbox.

Enhanced triage

TRAP provides SOC analysts an enhanced triage process with incidents containing URLs. By leveraging Proofpoint Browser Isolation technology, URLs can be investigated safely.

This will allow analysts to arrive at an assessment of what the contents of the URL contain and at the same time not putting the organisation at risk.

Flexible deployment options

By using a cloud-based architecture, TRAP is integrated with Proofpoint Cloud Admin for single sign-on and user management. We also continue to develop deeper integrations with other Proofpoint products. Setup is fast and simple with low maintenance through automated software updates. TRAP can be deployed via Microsoft 365 or Google Workspaces as well as on-prem through Microsoft Exchange.

Closed-Loop Email Analysis and Response

An informed employee can be your last line of defense against a cyber attack. With Proofpoint Closed-Loop Email Analysis and Response (CLEAR), the cycle of reporting, analysing and remediating potentially malicious emails is taken from days to just minutes. Enriched with our world-class Threat Intelligence and Security Awareness Training solutions, CLEAR stops active attacks in their tracks with just a click. And your security team can save time and effort by automatically remediating malicious messages. 

Read the Solution Brief
  • Report Suspected Phishing Emails: End users can report suspected phishing emails using our PhishAlarm email add-in, HTML-based email warning tags with “report suspicious” capabilities, or abuse mailbox address. Whatever the method, Proofpoint empowers your users to better protect your organisation.
  • Prioritise Emails Automatically: Suspected phishing emails will be classified by Proofpoint Threat Intelligence as malicious, suspicious, bulk, or spam. This lessens your team’s reliance on writing manual YARA rules and relying on user reputation to classify reported emails. And whitelisted or simulated phishing emails will automatically be filtered.
  • Remediate Active Phishing Attacks: Threat Response Auto-Pull gives you security analysts all the context they need to make informed decisions about suspicious messages. TRAP can quarantine or delete malicious emails with one click or automatically, even if it was forwarded or received by other end users.

More Phish Reporting Options

PhishAlarm email add-in

Report Suspected Phishing Emails

End users can report suspected phishing emails using our PhishAlarm email add-in, HTML-based email warning tags with “report suspicious” capabilities, or abuse mailbox address. Whatever the method, Proofpoint empowers your users to better protect your organisation.

Proofpoint Threat Intelligence

Prioritise Emails Automatically

Suspected phishing emails will be classified by Proofpoint Threat Intelligence as malicious, suspicious, bulk, or spam. This lessens your team’s reliance on writing manual YARA rules and relying on user reputation to classify reported emails. And whitelisted or simulated phishing emails will automatically be filtered.

Threat Response Auto-Pull

Remediate Active Phishing Attacks

Threat Response Auto-Pull gives you security analysts all the context they need to make informed decisions about suspicious messages. TRAP can quarantine or delete malicious emails with one click or automatically, even if it was forwarded or received by other end users.

Ready to give Proofpoint a try?

Start with a free Proofpoint trial.