From proofpoint
Manages Proofpoint email quarantine: lists, searches, releases, deletes messages. Covers reasons, sender/recipient filtering, bulk operations, folders, previews.
npx claudepluginhub wyre-technology/msp-claude-plugins --plugin proofpoint

This skill uses the workspace's default tool permissions.
Proofpoint quarantine holds messages that have been identified as threats, spam, or policy violations. The quarantine API allows administrators to search, preview, release, and delete quarantined messages. This is a critical workflow for MSP help desk teams who need to respond to "missing email" requests from end users.
Quarantine operates at two levels:
| Reason | Description | Default Retention |
|---|---|---|
| spam | Message scored above spam threshold | 30 days |
| phish | Message identified as phishing | 30 days |
| malware | Message contained malware | 30 days |
| impostor | Message flagged as BEC/impostor | 30 days |
| bulk | Bulk/marketing email | 14 days |
| adult | Adult content filter match | 30 days |
| policy | Custom policy rule match | Configurable |
| dmarc | Failed DMARC authentication | 30 days |
| dkim | Failed DKIM verification | 30 days |
| spf | Failed SPF check | 30 days |

| Folder | Contents | Release Allowed |
|---|---|---|
| quarantine | Admin quarantine (threats, policy) | Admin only |
| spam | End-user spam quarantine | End-user or admin |
| bulk | Bulk/graymail quarantine | End-user or admin |

| State | Description |
|---|---|
| quarantined | Message is held in quarantine |
| released | Message was released to recipient |
| deleted | Message was permanently deleted |
| expired | Message exceeded retention period and was removed |

| Field | Type | Description |
|---|---|---|
| id | string | Unique quarantine message identifier |
| GUID | string | Message GUID (links to TAP events) |
| QID | string | Queue ID from mail server |
| sender | string | Envelope sender address |
| recipients | string[] | List of recipient addresses |
| subject | string | Message subject line |
| date | datetime | When the message was received |
| quarantineDate | datetime | When the message was quarantined |
| reason | string | Why the message was quarantined |
| folder | string | Which quarantine folder holds the message |
| size | int | Message size in bytes |
| headerFrom | string | Display From address (may differ from envelope sender) |
| replyTo | string | Reply-To address if present |
| spamScore | int | Spam confidence score |
| phishScore | int | Phishing confidence score |
| malwareScore | int | Malware confidence score |
| impostorScore | int | Impostor/BEC confidence score |

| Parameter | Type | Description |
|---|---|---|
| sender | string | Filter by sender address (exact or partial) |
| recipient | string | Filter by recipient address |
| subject | string | Filter by subject (substring match) |
| startDate | datetime | Start of date range |
| endDate | datetime | End of date range |
| reason | string | Filter by quarantine reason |
| folder | string | Filter by quarantine folder |
| limit | int | Maximum results (default 25, max 500) |
| offset | int | Pagination offset |

| Tool | Description | Key Parameters |
|---|---|---|
| proofpoint_quarantine_search | Search quarantined messages | sender, recipient, subject, reason, startDate, endDate |
| proofpoint_quarantine_list | List recent quarantined messages | folder, limit, offset |
| proofpoint_quarantine_get | Get details of a specific quarantined message | id |
| proofpoint_quarantine_preview | Preview message content without releasing | id |
| proofpoint_quarantine_release | Release message to original recipient | id, recipient |
| proofpoint_quarantine_delete | Permanently delete quarantined message | id |
| proofpoint_quarantine_bulk_release | Release multiple messages at once | ids[] |
| proofpoint_quarantine_bulk_delete | Delete multiple messages at once | ids[] |

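The message fields and folder rules above are enough to pre-screen a "missing email" request before anyone releases the message. The following is an added example, not part of the plugin: the triage policy, the optional `state` key and the sample records are assumptions made for illustration.

```python
# Added example: pre-release screening of quarantine records (policy is assumed).
THREAT_REASONS = {"phish", "malware", "impostor"}   # threat verdicts in the reason table
AUTH_REASONS = {"dmarc", "dkim", "spf"}             # sender-authentication failures
ADMIN_ONLY_FOLDERS = {"quarantine"}                 # folder table: release is admin only


def domain(addr):
    """Lower-cased domain of an address such as 'Name <a@b.example>', else ''."""
    if not addr or "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip(" >").lower()


def triage(msg, requester_is_admin=False):
    """Return (decision, findings); decision is block, review or release_candidate."""
    state = msg.get("state", "quarantined")
    if state != "quarantined":
        return "block", ["state is %s, nothing to release" % state]
    reason = msg.get("reason")
    if reason in THREAT_REASONS:
        return "block", ["threat verdict: %s" % reason]
    findings = []
    if msg.get("folder") in ADMIN_ONLY_FOLDERS and not requester_is_admin:
        findings.append("folder requires an admin to release")
    env, hdr, rto = (domain(msg.get(k)) for k in ("sender", "headerFrom", "replyTo"))
    # A differing envelope domain is common for mailing services, so it is a
    # review signal here, not a block.
    if env and hdr and env != hdr:
        findings.append("headerFrom domain %s differs from envelope %s" % (hdr, env))
    if rto and hdr and rto != hdr:
        findings.append("replyTo domain %s differs from headerFrom %s" % (rto, hdr))
    if reason in AUTH_REASONS:
        findings.append("sender authentication failed: %s" % reason)
    return ("review" if findings else "release_candidate"), findings


# Constructed sample records using the field names from the table above.
SAMPLES = [
    {"id": "q-1", "reason": "bulk", "folder": "bulk",
     "sender": "news@lists.example.com", "headerFrom": "News <news@lists.example.com>"},
    {"id": "q-2", "reason": "spf", "folder": "quarantine",
     "sender": "billing@vendor.example", "headerFrom": "billing@vendor.example",
     "replyTo": "accounts@vendor-pay.example"},
    {"id": "q-3", "reason": "impostor", "folder": "quarantine",
     "sender": "ceo@mail.example.net", "headerFrom": "CEO <ceo@corp.example>"},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["id"], *triage(m))
```
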
- proofpoint_quarantine_search with recipient=<user> and sender=<expected_sender> and appropriate date range
- proofpoint_quarantine_preview to verify the message is legitimate
- proofpoint_quarantine_release to deliver the message
- proofpoint_quarantine_list with folder=quarantine and limit=100
- proofpoint_quarantine_search with sender=<known_good_sender>
- proofpoint_quarantine_bulk_release with the collected IDs
- proofpoint_quarantine_search with a narrow time window
- reason to identify what type of messages increased
- sender to identify if a single source is responsible
- proofpoint_quarantine_search with reason=malware and date range > 14 days
- proofpoint_quarantine_bulk_delete to remove confirmed threats

| Code | Message | Resolution |
|---|---|---|
| 400 | Invalid date range | Ensure startDate is before endDate |
| 400 | Invalid folder | Use quarantine, spam, or bulk |
| 401 | Authentication failed | Verify service principal and secret |
| 403 | Insufficient permissions | Ensure quarantine management is enabled |
| 404 | Message not found | Message may have expired or been deleted |
| 409 | Message already released | Message was already released by another admin |
| 429 | Rate limit exceeded | Implement backoff; limit bulk operations |
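
One way to act on the codes in the table above when releasing a batch, as an added example that is not the plugin's own code. `call_tool` and `ToolError` are hypothetical stand-ins for however your client invokes the tool and surfaces the status code, and passing only `id` to `proofpoint_quarantine_release` is an assumption.

```python
import time


class ToolError(Exception):
    """Hypothetical error raised by call_tool, carrying a code from the table."""
    def __init__(self, code):
        super().__init__("tool call failed with %d" % code)
        self.code = code


def release_with_backoff(call_tool, ids, max_retries=4, base_delay=1.0, sleep=time.sleep):
    """Release each id and return {id: outcome} for the help desk ticket."""
    outcome = {}
    for mid in ids:
        for attempt in range(max_retries + 1):
            try:
                call_tool("proofpoint_quarantine_release", {"id": mid})
                outcome[mid] = "released"
            except ToolError as err:
                if err.code == 429 and attempt < max_retries:
                    sleep(base_delay * 2 ** attempt)  # 1s, 2s, 4s, ...
                    continue
                if err.code == 409:
                    outcome[mid] = "already_released"   # another admin got there first
                elif err.code == 404:
                    outcome[mid] = "not_found"          # expired or deleted
                elif err.code == 429:
                    outcome[mid] = "rate_limited"       # retries exhausted
                else:
                    raise  # 400/401/403: fix the request or credentials, do not retry
            break
    return outcome


def demo():
    """Constructed fake tool: msg-2 is throttled twice, msg-3 was already released."""
    scripted = {"msg-2": [429, 429], "msg-3": [409], "msg-4": [404]}

    def fake_tool(name, args):
        queue = scripted.get(args["id"], [])
        if queue:
            raise ToolError(queue.pop(0))

    delays = []
    ids = ["msg-1", "msg-2", "msg-3", "msg-4"]
    return release_with_backoff(fake_tool, ids, sleep=delays.append), delays
```
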
If a release fails:
limit and offset