Proofpoint Threat Response Auto-Pull (TRAP) enables messaging and security administrators to move malicious or unwanted messages to quarantine, after delivery. It follows forwarded mail and distribution lists and creates an auditable activity trail.
Quarantine Malicious and Unwanted Emails after Delivery
Unwanted email can take several forms. Malicious emails can contain links that can be poisoned after delivery or use evasion techniques which lead to false negatives and delivered malicious emails. Unwanted email such as inappropriate jokes or compliance violations in email are a few examples. Security and messaging teams are often tasked with cleaning up those emails to reduce threat exposure and limit potential damages. While quarantining one message may not require much work and a mere 10 to 15 minutes each, situations where ten emails or more are involved can become tedious, with time requirements quickly adding up. Threat Response Auto-Pull (TRAP) can automatically pull malicious and unwanted messages out of user mailboxes, even after messages have been delivered, removing the opportunity for reinfection from email or the risk of compliance violations.
Forward Following and Distribution List Expansion
Malicious and unwanted emails may be forwarded to other individuals, departments, or distribution lists. In these situations, attempting to retract those emails after delivery has been a sore point for many administrators. TRAP addresses this situation with built-in business logic and intelligence that understands when messages are forwarded or sent to distribution lists then automatically expands and follows the wide fan out of recipients to find and retract those messages. This saves time and frustration, and with the added benefit of showing message ‘read’ status, TRAP additionally helps prioritize which users and endpoints to review.
Out-of-Band Email Management
TRAP also leverages CSV files, PPS SmartSearch, and abuse mailboxes. Users can upload SmartSearch results, CSV files, or use manual incidents with a few key pieces of information to initiate a quarantine action of one or thousands of emails. In moments, policy violating emails, in addition to threats can be pulled out of mailboxes, with an activity list showing who read the emails and the success or failure of the attempt to recall the email.
Messages sent abuse mailboxes can also be monitored in the same way, where TRAP monitors messages that arrive in the abuse mailbox for processing. Messages sent to the Abuse Mailbox are automatically decomposed into its component parts then further analyzed against multiple intelligence and reputation systems to determine if any of the content matches malicious markers. Messages containing credential phishing templates, malware links, and attachments can be surfaced by automatically comparing those message against Proofpoint’s industry leading reputation and intelligence systems to identify truly malicious messages. Messaging admins can then initiate "auto-pull" on those messages to pull them out of the sender's mailbox, and if the message was forwarded to other users or distribution lists, the retraction action will follow the trail to pull the messages out and place them in quarantine.
Superior Intelligence and Visibility
Threat Response Auto-Pull (TRAP) also enriches email alerts, building associations between recipients and user identities, revealing associated campaigns, and even surfacing IP addresses and domains in the attack which are on reputation and intelligence lists. TRAP is even smart enough to take automated actions based-on targeted users who belong to specific departments or groups with special permissions. In addition, TRAP also follows forwarded emails, so if a targeted email is forward to a user, several users, or a distribution list, it will attempt to follow and quarantine those messages as well, reporting back the quarantine and read status of each message.
TRAP also provides graphical reports and downloadable data. Users can view charts showing email alerts, post-delivery quarantine attempts, and success or failure of those attempts. Success or failure indicators and message read status are also revealed for messages that are forwarded once or multiple times, including forwards to distribution lists. Targeting of internal users is revealed, including past histories that display which users have been targeted the most frequently over customizable time periods. Similarly, targeting of departments, groups, or geographic locations are also available as reports.