Threat Response Auto-Pull

Email quarantine for malicious and unwanted messages, after delivery

Unwanted email can take several forms. Malicious emails can contain phishing links that can be poisoned after delivery or use evasion techniques which lead to false negatives and delivered malicious emails. Unwanted email such as inappropriate jokes or compliance violations in emails are a few examples. Email security teams are often tasked with email analysis and cleaning up to reduce threat exposure and limit potential damages. While email quarantining one message may not require much work and a mere 10 to 15 minutes each, situations where ten emails or more are involved can become tedious, with time requirements quickly adding up.

Forward following and distribution list expansion

Malicious and unwanted emails may be forwarded to other individuals, departments, or distribution lists. In these situations, attempting to retract those emails after delivery has been a sore point for many administrators. Threat Response Auto-Pull (TRAP) addresses this situation with built-in business logic and intelligence that understands when messages are forwarded or sent to distribution lists then automatically expands and follows the wide fan out of recipients to find and retract those messages. This saves time and frustration, and with the added benefit of showing message 'read' status, TRAP additionally helps prioritize which users and endpoints to review.

Out-of-band email management

TRAP also leverages CSV files, PPS SmartSearch, and abuse mailboxes. Users can upload SmartSearch results, CSV files or use manual incidents with a few key pieces of information to initiate an email quarantine action of one or thousands of emails. In moments, policy violating emails, in addition to security threats can be pulled out of mailboxes, with an activity list showing who read the emails and the success or failure of the attempt to recall the email.

Messages sent to abuse mailboxes can also be monitored and processed in the same way. Messages sent to the abuse mailbox are automatically decomposed into its component parts then further analyzed against multiple intelligence and reputation systems to determine if any of the content matches malicious markers. Messages containing credential phishing templates, malware links, and attachments can be surfaced by automatically comparing those message against Proofpoint’s industry-leading reputation and intelligence security systems to identify truly malicious messages. Messaging administrators can then initiate "auto-pull" on those messages to pull them out of the sender's mailbox, and if the message was forwarded to other users or distribution lists, the retraction action will follow the trail to pull the messages out and place them in email quarantine.

Cross-vector intelligence sharing with the Proofpoint Nexus Threat Graph

The Proofpoint Nexus Threat Graph provides industry-leading aggregation and correlation of threat data across email, cloud, network and social. It powers real-time threat protection and response across all our products. And as part of the Proofpoint Platform, there is nothing to install, deploy or manage.

Threat Response Auto-Pull (TRAP) leverages the Nexus Threat Graph intelligence to build associations between recipients and user identities. It reveals associated campaigns and surfaces IP addresses and domains in the attack. And based on that, TRAP takes automated actions on targeted users who belong to specific departments or groups with special permissions.

Also, if we detect an email that contains malicious links, attachments or suspect IPs at a customer site, we will share this information across our entire customer base. This helps with pre-delivery protection. It removes and quarantines any messages that have been delivered to any user’s inbox.

Enhanced triage

TRAP provides SOC analysts an enhanced triage process with incidents containing URLs. By leveraging Proofpoint Browser Isolation technology, URLs can be investigated safely.

This will allow analysts to arrive at an assessment of what the contents of the URL contain and at the same time not putting the organization at risk.

Flexible deployment options

By using a cloud-based architecture, TRAP is integrated with Proofpoint Cloud Admin for single sign-on and user management. We also continue to develop deeper integrations with other Proofpoint products. Setup is fast and simple with low maintenance through automated software updates. TRAP can be deployed via Microsoft 365 or Google Workspaces as well as on-prem through Microsoft Exchange.