From proofpoint
Manages Proofpoint email quarantine: lists, searches, releases, deletes messages. Covers reasons, sender/recipient filtering, bulk operations, folders, previews.
npx claudepluginhub wyre-technology/msp-claude-plugins --plugin proofpoint

Slash command: /proofpoint:quarantine

Proofpoint quarantine holds messages that have been identified as threats, spam, or policy violations. The quarantine API allows administrators to search, preview, release, and delete quarantined messages. This is a critical workflow for MSP help desk teams who need to respond to "missing email" requests from end users.
Quarantine operates at two levels:

| Reason | Description | Default Retention |
|---|---|---|
| `spam` | Message scored above spam threshold | 30 days |
| `phish` | Message identified as phishing | 30 days |
| `malware` | Message contained malware | 30 days |
| `impostor` | Message flagged as BEC/impostor | 30 days |
| `bulk` | Bulk/marketing email | 14 days |
| `adult` | Adult content filter match | 30 days |
| `policy` | Custom policy rule match | Configurable |
| `dmarc` | Failed DMARC authentication | 30 days |
| `dkim` | Failed DKIM verification | 30 days |
| `spf` | Failed SPF check | 30 days |

| Folder | Contents | Release Allowed |
|---|---|---|
| `quarantine` | Admin quarantine (threats, policy) | Admin only |
| `spam` | End-user spam quarantine | End-user or admin |
| `bulk` | Bulk/graymail quarantine | End-user or admin |

| State | Description |
|---|---|
| `quarantined` | Message is held in quarantine |
| `released` | Message was released to recipient |
| `deleted` | Message was permanently deleted |
| `expired` | Message exceeded retention period and was removed |

| Field | Type | Description |
|---|---|---|
| `id` | string | Unique quarantine message identifier |
| `GUID` | string | Message GUID (links to TAP events) |
| `QID` | string | Queue ID from mail server |
| `sender` | string | Envelope sender address |
| `recipients` | string[] | List of recipient addresses |
| `subject` | string | Message subject line |
| `date` | datetime | When the message was received |
| `quarantineDate` | datetime | When the message was quarantined |
| `reason` | string | Why the message was quarantined |
| `folder` | string | Which quarantine folder holds the message |
| `size` | int | Message size in bytes |
| `headerFrom` | string | Display From address (may differ from envelope sender) |
| `replyTo` | string | Reply-To address if present |
| `spamScore` | int | Spam confidence score |
| `phishScore` | int | Phishing confidence score |
| `malwareScore` | int | Malware confidence score |
| `impostorScore` | int | Impostor/BEC confidence score |

| Parameter | Type | Description |
|---|---|---|
| `sender` | string | Filter by sender address (exact or partial) |
| `recipient` | string | Filter by recipient address |
| `subject` | string | Filter by subject (substring match) |
| `startDate` | datetime | Start of date range |
| `endDate` | datetime | End of date range |
| `reason` | string | Filter by quarantine reason |
| `folder` | string | Filter by quarantine folder |
| `limit` | int | Maximum results (default 25, max 500) |
| `offset` | int | Pagination offset |

| Tool | Description | Key Parameters |
|---|---|---|
| `proofpoint_quarantine_search` | Search quarantined messages | sender, recipient, subject, reason, startDate, endDate |
| `proofpoint_quarantine_list` | List recent quarantined messages | folder, limit, offset |
| `proofpoint_quarantine_get` | Get details of a specific quarantined message | id |
| `proofpoint_quarantine_preview` | Preview message content without releasing | id |
| `proofpoint_quarantine_release` | Release message to original recipient | id, recipient |
| `proofpoint_quarantine_delete` | Permanently delete quarantined message | id |
| `proofpoint_quarantine_bulk_release` | Release multiple messages at once | ids[] |
| `proofpoint_quarantine_bulk_delete` | Delete multiple messages at once | ids[] |

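
A pre-release check built on the folder and field tables above, as an added example that is not part of the plugin. The role names, the set of threat reasons held for admin review, and the sample records are assumptions made for illustration.

```python
# Added example: pre-release triage over records shaped like the field table.
THREAT_REASONS = {"phish", "malware", "impostor"}  # assumption: admin review only
FOLDER_RELEASE = {  # from the folder table: roles allowed to release
    "quarantine": {"admin"},
    "spam": {"end-user", "admin"},
    "bulk": {"end-user", "admin"},
}

def domain(addr):
    """Lower-cased domain of an address such as 'Name <a@b.c>', or ''."""
    if not addr or "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip("> ").lower()

def release_findings(msg, role):
    """Return reasons to hold msg instead of releasing it as `role`."""
    findings = []
    allowed = FOLDER_RELEASE.get(msg.get("folder"))
    if allowed is None:
        findings.append("unknown folder")
    elif role not in allowed:
        findings.append("folder is admin-release only")
    if msg.get("reason") in THREAT_REASONS and role != "admin":
        findings.append("threat reason needs admin review")
    # headerFrom may differ from the envelope sender; surface it for review.
    env, hdr = domain(msg.get("sender")), domain(msg.get("headerFrom"))
    if env and hdr and env != hdr:
        findings.append("headerFrom domain differs from envelope sender")
    rto = domain(msg.get("replyTo"))
    if rto and hdr and rto != hdr:
        findings.append("replyTo domain differs from headerFrom")
    return findings

# Constructed sample records (not real quarantine data).
SAMPLES = [
    {"id": "m1", "folder": "bulk", "reason": "bulk",
     "sender": "news@vendor.example", "headerFrom": "Vendor <news@vendor.example>"},
    {"id": "m2", "folder": "quarantine", "reason": "impostor",
     "sender": "ceo@lookalike.example", "headerFrom": "CEO <ceo@client.example>",
     "replyTo": "ceo@freemail.example"},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["id"], release_findings(m, "end-user") or "ok to release")
```

A domain mismatch is a prompt to preview the message before release, not proof of abuse: legitimate bulk senders often use a different envelope domain.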
- `proofpoint_quarantine_search` with recipient=<user> and sender=<expected_sender> and appropriate date range
- `proofpoint_quarantine_preview` to verify the message is legitimate
- `proofpoint_quarantine_release` to deliver the message
- `proofpoint_quarantine_list` with folder=quarantine and limit=100
- `proofpoint_quarantine_search` with sender=<known_good_sender>
- `proofpoint_quarantine_bulk_release` with the collected IDs
- `proofpoint_quarantine_search` with a narrow time window
- `reason` to identify what type of messages increased
- `sender` to identify if a single source is responsible
- `proofpoint_quarantine_search` with reason=malware and date range > 14 days
- `proofpoint_quarantine_bulk_delete` to remove confirmed threats

| Code | Message | Resolution |
|---|---|---|
| 400 | Invalid date range | Ensure startDate is before endDate |
| 400 | Invalid folder | Use quarantine, spam, or bulk |
| 401 | Authentication failed | Verify service principal and secret |
| 403 | Insufficient permissions | Ensure quarantine management is enabled |
| 404 | Message not found | Message may have expired or been deleted |
| 409 | Message already released | Message was already released by another admin |
| 429 | Rate limit exceeded | Implement backoff; limit bulk operations |
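
One way to act on the error table when releasing a batch of messages, as an added example that is not the plugin's own code. The `release` callable is a hypothetical wrapper around `proofpoint_quarantine_release` that returns a status code, and treating 200 as success is an assumption.

```python
import time

ALREADY_HANDLED = {404, 409}  # expired/deleted, or released by another admin
STOP = {401, 403}             # credentials or permissions: retrying will not help

def release_all(ids, release, max_retries=4, base_delay=1.0, sleep=time.sleep):
    """Release ids one by one; `release(id)` returns an HTTP-style status int."""
    out = {"released": [], "skipped": [], "failed": [], "not_attempted": []}
    for pos, msg_id in enumerate(ids):
        for attempt in range(max_retries + 1):
            status = release(msg_id)
            if status != 429 or attempt == max_retries:
                break
            sleep(base_delay * 2 ** attempt)  # 429: exponential backoff
        if status == 200:  # assumption: 200 means released
            out["released"].append(msg_id)
        elif status in ALREADY_HANDLED:
            out["skipped"].append((msg_id, status))
        else:
            out["failed"].append((msg_id, status))
            if status in STOP:  # leave the rest untouched for a later run
                out["not_attempted"] = list(ids[pos + 1:])
                break
    return out

if __name__ == "__main__":
    # Constructed responses standing in for the real tool.
    scripted = {"a": [429, 200], "b": [409], "c": [403], "d": [200]}
    print(release_all(list("abcd"), lambda i: scripted[i].pop(0), sleep=lambda s: None))
```

The returned dictionary doubles as an audit record of which messages were released, which were already handled, and which were never attempted.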
If a release fails:
limit and offset