Skill

implementing-email-sandboxing-with-proofpoint

Configures Proofpoint TAP for email sandboxing to detonate suspicious attachments and URLs, detecting zero-day malware and evasion. Covers integration, monitoring, and SIEM setup.

security

npx claudepluginhub killvxk/cybersecurity-skills-zh

Tool Access

This skill uses the workspace's default tool permissions.

Preview

邮件沙箱在隔离环境中引爆可疑附件和 URL，以检测零日恶意软件和规避性钓鱼载荷。Proofpoint 定向攻击防护（TAP）是业界领先的解决方案，使用多阶段沙箱、URL 重写和预测分析。本技能涵盖配置 Proofpoint TAP、与邮件流集成、分析沙箱报告和调整检测策略。

Supporting Assets

LICENSEassets/template.mdreferences/api-reference.mdreferences/standards.mdreferences/workflows.mdscripts/agent.pyscripts/process.py

SKILL.md

Similar Skills

implementing-email-sandboxing-with-proofpoint

Configures Proofpoint TAP for email sandboxing to detonate attachments and URLs, detecting zero-day malware and phishing. Covers policy tuning, email flow integration, and report analysis.

asi

implementing-email-sandboxing-with-proofpoint

5.9k

Configures Proofpoint TAP for email sandboxing to detonate attachments/URLs, detect zero-day malware/phishing, tune policies, and integrate with email flow.

7 files

cybersecurity-skills

implementing-proofpoint-email-security-gateway

Deploys and configures Proofpoint Email Protection as a secure email gateway to block phishing, malware, BEC, and spam before inbox delivery via MX routing or API integration with Microsoft 365/Google Workspace.

7 files

cybersecurity-skills-zh

Stats

Stars10

Forks1

Last CommitMar 17, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

使用 Proofpoint 实施邮件沙箱

概述

前置条件

带 TAP 附加组件的 Proofpoint Email Protection 许可证
对 Proofpoint 管理控制台的管理员访问权限
了解邮件投递架构（MX 记录、邮件流规则）
SIEM 集成能力

核心概念

Proofpoint TAP 功能

附件沙箱：在虚拟机中引爆文件（Windows、macOS、Android）
URL Defense：重写 URL，在点击时引爆
威胁情报：Proofpoint NexusAI 威胁情报集成
TAP 仪表板：针对组织的威胁实时可见性
活动关联：将相关攻击归组为活动
高频攻击目标（VAP）：识别最常被攻击的个人

检测到的沙箱规避技术

延迟执行（定时炸弹恶意软件）
虚拟机检测绕过
用户交互要求（点击启用宏）
检查分析环境的沙箱感知恶意软件
加密/密码保护的附件
延迟 C2 检索的多阶段载荷

实施步骤

步骤一：在 Proofpoint 中配置 TAP

为入站邮件策略启用 TAP
配置沙箱配置文件（要引爆的附件类型）
设置 URL Defense 重写策略
配置对恶意裁决的隔离操作

步骤二：调整附件策略

推荐附件策略：
- 引爆：.exe, .dll, .scr, .doc(m), .xls(m), .ppt(m), .pdf, .zip, .rar, .7z, .iso
- 不引爆直接封锁：.bat, .cmd, .ps1, .vbs, .js, .wsf, .hta
- 密码保护的压缩包：尝试常用密码，然后隔离
- 动态投递：投递邮件正文，暂留附件直至得出裁决

步骤三：配置 URL Defense

为所有入站邮件启用 URL 重写
设置点击时引爆
封锁对恶意 URL 的访问
对可疑（未确认恶意）URL 显示警告页面
配置允许域名的旁路列表

步骤四：设置 TAP 仪表板监控

为安全团队配置每日威胁摘要邮件
为定向攻击设置实时告警
监控 VAP 报告中的高风险用户
审查活动集群中的协调攻击

步骤五：与 SIEM 集成

配置到 SIEM 的 syslog/API 导出
为 TAP 告警创建关联规则
设置自动响应工作流

工具与资源

Proofpoint TAP: https://www.proofpoint.com/us/products/advanced-threat-protection
Proofpoint TAP 仪表板: https://threatinsight.proofpoint.com/
Proofpoint API: https://help.proofpoint.com/Threat_Insight_Dashboard/API_Documentation
Proofpoint 社区: https://community.proofpoint.com/

验证

附件引爆捕获 EICAR 测试文件和启用宏的文档
URL Defense 重写并封锁已知钓鱼 URL
TAP 仪表板显示威胁摘要
SIEM 接收并对 TAP 事件告警