Threat Response Auto-Pull (TRAP) Email Quarantine & Security

Threat Response Auto-Pull

Threat Response Auto-Pull delivers the ability to move malicious and selected messages to quarantine after delivery while providing reports on attempted quarantine attempts.


Proofpoint Threat Response Auto-Pull (TRAP) enables messaging and security administrators to analyze emails and move malicious or unwanted emails to quarantine, after delivery. It follows forwarded mail and distribution lists and creates an auditable activity trail.

Email Quarantine for Malicious and Unwanted Messages, After Delivery

Unwanted email can take several forms. Malicious emails can contain phishing links that can be poisoned after delivery or use evasion techniques which lead to false negatives and delivered malicious emails. Unwanted email such as inappropriate jokes or compliance violations in emails are a few examples. Email security teams are often tasked with email analysis and cleaning up to reduce threat exposure and limit potential damages. While email quarantining one message may not require much work and a mere 10 to 15 minutes each, situations where ten emails or more are involved can become tedious, with time requirements quickly adding up.

Email Quarantine & Unwanted Emails

Colleagues Discussing Email Analysis & Security

Forward Following and Distribution List Expansion

Malicious and unwanted emails may be forwarded to other individuals, departments, or distribution lists. In these situations, attempting to retract those emails after delivery has been a sore point for many administrators. Threat Response Auto-Pull (TRAP) addresses this situation with built-in business logic and intelligence that understands when messages are forwarded or sent to distribution lists then automatically expands and follows the wide fan out of recipients to find and retract those messages. This saves time and frustration, and with the added benefit of showing message 'read' status, TRAP additionally helps prioritize which users and endpoints to review.

Out-of-Band Email Management

TRAP also leverages CSV files, PPS SmartSearch, and abuse mailboxes. Users can upload SmartSearch results, CSV files or use manual incidents with a few key pieces of information to initiate an email quarantine action of one or thousands of emails. In moments, policy violating emails, in addition to security threats can be pulled out of mailboxes, with an activity list showing who read the emails and the success or failure of the attempt to recall the email.

Messages sent to abuse mailboxes can also be monitored and processed in the same way. Messages sent to the abuse mailbox are automatically decomposed into its component parts then further analyzed against multiple intelligence and reputation systems to determine if any of the content matches malicious markers. Messages containing credential phishing templates, malware links, and attachments can be surfaced by automatically comparing those message against Proofpoint’s industry-leading reputation and intelligence security systems to identify truly malicious messages. Messaging administrators can then initiate "auto-pull" on those messages to pull them out of the sender's mailbox, and if the message was forwarded to other users or distribution lists, the retraction action will follow the trail to pull the messages out and place them in email quarantine.

Superior Intelligence and Visibility

Threat Response Auto-Pull (TRAP) also enriches email alerts, building associations between recipients and user identities, revealing associated campaigns, and even surfacing IP addresses and domains in the attack which are on reputation and intelligence lists. TRAP is even smart enough to take automated actions based on targeted users who belong to specific departments or groups with special permissions. In addition, it also follows forwarded emails, so if a targeted email is forward to a user, several users, or a distribution list, it will attempt to follow and quarantine those emails as well, reporting back the quarantine and read status of each message.

TRAP also provides graphical reports and downloadable data. Users can view charts showing email alerts, post-delivery email quarantine attempts, and success or failure of those attempts. Success or failure indicators and message read status are also revealed for messages that are forwarded once or multiple times, including forwards to distribution lists. Targeting of internal users is revealed, including past histories that display which users have been targeted the most frequently over customizable time periods. Similarly, targeting of departments, groups, or geographic locations are also available as reports.

Closed-Loop Email Analysis and Response

Closed-Loop Email Analysis and Response (CLEAR) is an integrated solution derived from the acquisition of Wombat Security. While TRAP can be used to monitor abuse mailboxes and automate response, CLEAR streamlines end-user reporting and security response to phishing attacks. This reduces the time it takes to neutralize an active email threat from days to minutes.

  • Ed users can report a suspicious message with a single click, using the PhishAlarm email reporting button
  • Minimize noise with automatic email filtering of simulated phish, making it easier for your response teams to prioritize their work
  • Automatically analyze reported messages against multiple intelligence and reputation systems
  • Delete or quarantine real email threats with just a click

Start with a Free Proofpoint Trial