Overview
Proofpoint Threat Response Auto-Pull (TRAP) enables messaging and security administrators to analyse emails and move malicious or unwanted emails to quarantine, after delivery. It follows forwarded mail and distribution lists and creates an auditable activity trail.
Email Quarantine for Malicious and Unwanted Messages, After Delivery
Unwanted email can take several forms. Malicious emails can contain phishing links that can be poisoned after delivery, or use evasion techniques that lead to false negatives and delivered malicious emails. Inappropriate jokes and compliance violations are a few other examples of unwanted email. Email security teams are often tasked with email analysis and clean-up to reduce threat exposure and limit potential damage. While quarantining one message may not require much work, a mere 10 to 15 minutes each, situations where ten emails or more are involved can become tedious, with time requirements quickly adding up.
Forward Following and Distribution List Expansion
Malicious and unwanted emails may be forwarded to other individuals, departments, or distribution lists. In these situations, attempting to retract those emails after delivery has been a sore point for many administrators. Threat Response Auto-Pull (TRAP) addresses this situation with built-in business logic and intelligence that understands when messages are forwarded or sent to distribution lists, then automatically expands and follows the wide fan-out of recipients to find and retract those messages. This saves time and frustration. With the added benefit of showing message 'read' status, TRAP additionally helps prioritise which users and endpoints to review.
Out-of-Band Email Management
TRAP also leverages CSV files, PPS SmartSearch, and abuse mailboxes. Users can upload SmartSearch results or CSV files, or use manual incidents with a few key pieces of information, to initiate an email quarantine action on one or thousands of emails. In moments, policy-violating emails, in addition to security threats, can be pulled out of mailboxes, with an activity list showing who read the emails and the success or failure of the attempt to recall each email.
Messages sent to abuse mailboxes can also be monitored and processed in the same way. Messages sent to the abuse mailbox are automatically decomposed into their component parts, then further analysed against multiple intelligence and reputation systems to determine if any of the content matches malicious markers. Messages containing credential phishing templates, malware links, and attachments can be surfaced by automatically comparing those messages against Proofpoint’s industry-leading reputation and intelligence security systems to identify truly malicious messages. Messaging administrators can then initiate "auto-pull" on those messages to pull them out of the sender's mailbox, and if the message was forwarded to other users or distribution lists, the retraction action will follow the trail to pull the messages out and place them in email quarantine.
Superior Intelligence and Visibility
Threat Response Auto-Pull (TRAP) also enriches email alerts, building associations between recipients and user identities, revealing associated campaigns, and even surfacing IP addresses and domains in the attack that are on reputation and intelligence lists. TRAP is even smart enough to take automated actions based on targeted users who belong to specific departments or groups with special permissions. In addition, it also follows forwarded emails, so if a targeted email is forwarded to a user, several users, or a distribution list, it will attempt to follow and quarantine those emails as well, reporting back the quarantine and read status of each message.
TRAP also provides graphical reports and downloadable data. Users can view charts showing email alerts, post-delivery email quarantine attempts, and success or failure of those attempts. Success or failure indicators and message read status are also revealed for messages that are forwarded once or multiple times, including forwards to distribution lists. Targeting of internal users is revealed, including past histories that display which users have been targeted the most frequently over customisable time periods. Similarly, targeting of departments, groups, or geographic locations is also available as reports.
Closed-Loop Email Analysis and Response
An informed employee can be your last line of defence against a cyber attack. With Proofpoint Closed-Loop Email Analysis and Response (CLEAR), the cycle of reporting, analysing and remediating potentially malicious emails is taken from days to just minutes. Enriched with our world-class Threat Intelligence and Security Awareness Training solutions, CLEAR stops active attacks in their tracks with just a click. And your security team can save time and effort by automatically remediating malicious messages.
- Report Suspected Phishing Emails: End users can report suspected phishing emails using our PhishAlarm email add-in. This is included as a free add-in for every Proofpoint Security Awareness Training package.
- Prioritize Emails Automatically: Suspected phishing emails will be classified by Proofpoint Threat Intelligence as malicious, suspicious, bulk, or spam. This lessens your team’s reliance on writing manual YARA rules and relying on user reputation to classify reported emails. And whitelisted or simulated phishing emails will automatically be filtered.
- Remediate Active Phishing Attacks: Threat Response Auto-Pull gives your security analysts all the context they need to make informed decisions about suspicious messages. TRAP can quarantine or delete malicious emails with one click or automatically, even if they were forwarded or received by other end users.
