From proofpoint
Provides Proofpoint threat intelligence on campaigns, families, actors, IOCs, and forensics for tracking, attributing, and investigating email threats.
`npx claudepluginhub wyre-technology/msp-claude-plugins --plugin proofpoint`

This skill uses the workspace's default tool permissions.
Proofpoint Threat Intelligence provides contextual information about threat campaigns, threat families, and indicators of compromise (IOCs) observed across the Proofpoint network. This data enriches individual threat events from TAP with broader campaign context, attribution, and forensic evidence. It enables security analysts to understand not just what was blocked, but who is behind the attack and how it fits into a larger campaign.
Proofpoint processes billions of messages daily and correlates threats across its entire customer base, providing unique visibility into large-scale email threat campaigns.
A campaign is a coordinated set of threat activities sharing common infrastructure, payloads, or techniques; Proofpoint groups related threats into campaigns on that basis. The threats themselves are tracked as families of the following types.
| Family Type | Description | Examples |
|---|---|---|
| malware | Named malware families | Emotet, QBot, IcedID, AsyncRAT |
| phishkit | Phishing kit families | Office365 kit, DocuSign kit |
| loader | Malware delivery mechanisms | Bumblebee, CactusTorch |
| rat | Remote access trojans | AsyncRAT, njRAT, DarkComet |
| ransomware | Ransomware families | LockBit, BlackCat, Cl0p |
| stealer | Credential/info stealers | FormBook, AgentTesla, RedLine |
Proofpoint tracks named threat actors (e.g., TA505, TA542, TA577) that conduct persistent email-based campaigns, and maintains a profile for each actor. Indicators of compromise associated with campaigns, families, and actors come in the following types.
| IOC Type | Description | Example |
|---|---|---|
| url | Malicious URL | https://evil-domain.com/payload |
| domain | Malicious domain | evil-domain.com |
| ip | Malicious IP address | 192.168.1.100 |
| hash_md5 | MD5 file hash | d41d8cd98f00b204e9800998ecf8427e |
| hash_sha256 | SHA256 file hash | e3b0c44298fc1c149afbf4c8996fb92427ae41e4... |
| sender | Malicious sender address | attacker@spoofed-domain.com |
| subject | Lure subject line pattern | Invoice #[0-9]{6} |
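Each IOC type above calls for a different comparison: `url` values compare exactly after case-normalizing scheme and host, `domain` values should match the domain and its subdomains but not lookalikes such as `notevil-domain.com`, hashes compare case-insensitively, and `subject` values are patterns rather than literal strings. The following is an added example (not code from the proofpoint plugin) that applies those rules to a constructed mail-log record; the record field names (`sender`, `subject`, `urls`, `connecting_ip`, `attachment_sha256`, `attachment_md5`) and the IOC list are assumptions for illustration.

```python
"""Match observed email artifacts against Proofpoint-style IOC records.

Added example, not part of the proofpoint plugin. IOC records use the
type/value pairs from the IOC Type table; the IOC list and the mail-log
records below are constructed sample data, not real intelligence.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed IOC list shaped like the IOC Type table (not real Proofpoint data).
IOCS = [
    {"type": "url", "value": "https://evil-domain.com/payload"},
    {"type": "domain", "value": "evil-domain.com"},
    {"type": "ip", "value": "198.51.100.23"},
    {"type": "hash_sha256",
     "value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
    {"type": "sender", "value": "attacker@spoofed-domain.com"},
    {"type": "subject", "value": r"Invoice #[0-9]{6}"},
]


def _host_matches(host, ioc_domain):
    """True for the IOC domain itself and any subdomain, never for lookalikes."""
    host, ioc_domain = host.lower().rstrip("."), ioc_domain.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


def _url_matches(observed, ioc_url):
    """Compare scheme and host case-insensitively, the path exactly."""
    got, want = urlparse(observed), urlparse(ioc_url)
    return (got.scheme.lower(), got.netloc.lower(), got.path) == \
           (want.scheme.lower(), want.netloc.lower(), want.path)


def match_message(msg, iocs=IOCS):
    """Return the (ioc_type, ioc_value) hits for one mail-log record (constructed schema).

    Optional msg fields: sender, subject, urls (list), attachment_sha256,
    attachment_md5, connecting_ip.
    """
    hits = []
    urls = msg.get("urls", [])
    sender = msg.get("sender", "")
    for ioc in iocs:
        t, v = ioc["type"], ioc["value"]
        if t == "url":
            if any(_url_matches(u, v) for u in urls):
                hits.append((t, v))
        elif t == "domain":
            # A domain IOC fires on link hosts and on the sender's domain.
            if any(_host_matches(urlparse(u).hostname or "", v) for u in urls) or \
               _host_matches(sender.rpartition("@")[2], v):
                hits.append((t, v))
        elif t == "ip":
            ip = msg.get("connecting_ip")
            if ip and ipaddress.ip_address(ip) == ipaddress.ip_address(v):
                hits.append((t, v))
        elif t in ("hash_md5", "hash_sha256"):
            field = "attachment_md5" if t == "hash_md5" else "attachment_sha256"
            if msg.get(field, "").lower() == v.lower():
                hits.append((t, v))
        elif t == "sender":
            if sender.lower() == v.lower():
                hits.append((t, v))
        elif t == "subject":
            # Subject IOCs are patterns; search unanchored so "RE:"/"FW:" prefixes still hit.
            if re.search(v, msg.get("subject", "")):
                hits.append((t, v))
    return hits


# Constructed mail-log records (sample data, not real messages).
SAMPLE_MESSAGES = [
    {"sender": "attacker@spoofed-domain.com", "subject": "RE: Invoice #482913",
     "urls": ["HTTPS://EVIL-DOMAIN.COM/payload"]},
    {"sender": "billing@example.org", "subject": "Invoice #12",
     "urls": ["https://cdn.evil-domain.com/a.js"]},
    {"sender": "ceo@notevil-domain.com", "subject": "Hello",
     "connecting_ip": "198.51.100.23",
     "attachment_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
]


def scan(messages, iocs=IOCS):
    """Map message index -> IOC hits, omitting messages with no hits."""
    results = {i: match_message(m, iocs) for i, m in enumerate(messages)}
    return {i: h for i, h in results.items() if h}


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_MESSAGES).items():
        print(i, [t for t, _ in hits])
```

The second sample record shows why suffix matching matters (a subdomain of the IOC domain is still a hit), and the third shows why the suffix check needs the leading dot (`notevil-domain.com` is not `evil-domain.com`).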
Campaign fields:

| Field | Type | Description |
|---|---|---|
| campaignId | string | Unique campaign identifier |
| name | string | Proofpoint-assigned campaign name |
| description | string | Campaign summary and context |
| startDate | datetime | First observed activity |
| lastActivity | datetime | Most recent activity |
| actors | object[] | Associated threat actors |
| families | object[] | Associated malware/threat families |
| techniques | string[] | MITRE ATT&CK techniques observed |
| malwareCount | int | Number of unique malware samples |
| messageCount | int | Total messages in the campaign |
| recipientCount | int | Number of targeted recipients |
| industries | string[] | Targeted industry verticals |
Indicator fields:

| Field | Type | Description |
|---|---|---|
| id | string | Unique indicator identifier |
| type | string | IOC type (one of the IOC types listed above: url, domain, ip, hash_md5, hash_sha256, sender, subject) |
| value | string | The indicator value |
| firstSeen | datetime | First observation time |
| lastSeen | datetime | Most recent observation |
| threatStatus | string | active, cleared, falsePositive |
| campaigns | string[] | Associated campaign IDs |
| families | string[] | Associated threat families |
| confidence | int | 0-100 confidence score |
| severity | string | critical, high, medium, low, info |
Tools:

| Tool | Description | Key Parameters |
|---|---|---|
| proofpoint_threat_get_campaign | Get details of a specific campaign | campaignId |
| proofpoint_threat_search_campaigns | Search campaigns by criteria | startDate, endDate, actor, family |
| proofpoint_threat_get_indicators | Get IOCs for a campaign or threat | campaignId, threatId |
| proofpoint_threat_search_indicators | Search IOCs across all campaigns | type, value, startDate, endDate |
| proofpoint_threat_get_family | Get details of a threat family | familyName |
| proofpoint_threat_get_actor | Get details of a threat actor | actorName |
| proofpoint_threat_get_landscape | Get threat landscape summary | window (7, 30, 90 days) |
Typical workflows:

- Investigate a campaign seen in TAP: take the `campaignId` from the TAP threat event, call `proofpoint_threat_get_campaign` with the campaign ID, then `proofpoint_threat_get_indicators` to get all IOCs for the campaign.
- Research a threat family: call `proofpoint_threat_get_family` with the family name (e.g., Emotet), then `proofpoint_threat_search_campaigns` filtered by that family.
- Check a suspicious indicator: call `proofpoint_threat_search_indicators` with the IOC value. `active` IOCs require immediate action; `cleared` and `falsePositive` ones do not.
- Review the current threat landscape: call `proofpoint_threat_get_landscape` with a 30-day window.
- Correlate multiple TAP events: collect the `threatID` values from multiple TAP events, call `proofpoint_threat_get_indicators` for each, then `proofpoint_threat_search_campaigns` to confirm whether they belong to the same campaign.

Error codes:

| Code | Message | Resolution |
|---|---|---|
| 400 | Invalid campaign ID | Verify the campaign ID format from the TAP event |
| 400 | Invalid date range | Ensure dates are within the allowed range |
| 401 | Authentication failed | Verify service principal and secret |
| 403 | Threat intelligence access not enabled | Ensure your license includes threat intelligence API |
| 404 | Campaign not found | The campaign may be too old or not yet correlated |
| 404 | Threat family not found | Verify the family name spelling |
| 429 | Rate limit exceeded | Implement backoff; intel API is rate-limited |
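The first and last workflows above, together with the 429 handling from the error table, amount to one enrichment loop: fetch each campaign referenced by a batch of TAP events once, pull its indicators, keep only `active` ones, and retry with backoff when the intel API rate-limits. The following is an added example, not code from the proofpoint plugin. It assumes the tools are reachable through a `call(tool_name, params)` callable (an assumption about the plugin's calling convention); `FakeProofpoint` stands in for that callable with constructed records shaped like the Campaign and Indicator field tables and simulates one 429 so the backoff path actually runs.

```python
"""Enrich TAP threat events with campaign context and build an IOC action list.

Added example, not code from the proofpoint plugin. The assumed interface is a
callable `call(tool_name, params)`; FakeProofpoint below answers those calls
from constructed sample data (not real Proofpoint intelligence).
"""
import random
import time

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


class RateLimited(Exception):
    """Raised by the client when the intel API answers HTTP 429."""


def call_with_backoff(call, tool, params, retries=4, base=0.5, sleep=time.sleep):
    """Retry only on 429 with exponential backoff plus jitter; other errors propagate."""
    for attempt in range(retries + 1):
        try:
            return call(tool, params)
        except RateLimited:
            if attempt == retries:
                raise
            sleep(base * (2 ** attempt) + random.uniform(0, base))


def actionable_iocs(indicators):
    """Keep active indicators only, ordered by severity then confidence (highest first)."""
    active = [i for i in indicators if i.get("threatStatus") == "active"]
    return sorted(active, reverse=True,
                  key=lambda i: (SEVERITY_RANK.get(i.get("severity"), -1), i.get("confidence", 0)))


def enrich_tap_events(events, call, sleep=time.sleep):
    """TAP event campaignId -> get_campaign -> get_indicators -> triage.

    Events without a campaignId are reported under "uncorrelated" rather than
    dropped: Proofpoint may not have correlated them yet (the 404 case above).
    """
    result = {"campaigns": {}, "uncorrelated": [], "blocklist": {}}
    seen = set()
    for ev in events:
        cid = ev.get("campaignId")
        if not cid:
            result["uncorrelated"].append(ev["threatID"])
            continue
        if cid in seen:
            continue  # several TAP events usually map to one campaign; fetch it once
        seen.add(cid)
        campaign = call_with_backoff(call, "proofpoint_threat_get_campaign",
                                     {"campaignId": cid}, sleep=sleep)
        indicators = call_with_backoff(call, "proofpoint_threat_get_indicators",
                                       {"campaignId": cid}, sleep=sleep)
        active = actionable_iocs(indicators)
        result["campaigns"][cid] = {
            "name": campaign["name"],
            "actors": [a["name"] for a in campaign.get("actors", [])],
            "families": [f["name"] for f in campaign.get("families", [])],
            "active_iocs": len(active),
            "total_iocs": len(indicators),
        }
        for ioc in active:  # blocklist grouped by IOC type, deduplicated
            bucket = result["blocklist"].setdefault(ioc["type"], [])
            if ioc["value"] not in bucket:
                bucket.append(ioc["value"])
    return result


class FakeProofpoint:
    """Stand-in for the plugin's tool calls, answering from constructed sample records."""

    CAMPAIGNS = {
        "camp-001": {"campaignId": "camp-001", "name": "Sample invoice lure",
                     "actors": [{"name": "TA-EXAMPLE"}],
                     "families": [{"name": "ExampleLoader"}]},
    }
    INDICATORS = {
        "camp-001": [
            {"id": "i1", "type": "domain", "value": "evil-domain.com",
             "threatStatus": "active", "severity": "high", "confidence": 90},
            {"id": "i2", "type": "url", "value": "https://evil-domain.com/payload",
             "threatStatus": "active", "severity": "critical", "confidence": 95},
            {"id": "i3", "type": "ip", "value": "198.51.100.23",
             "threatStatus": "cleared", "severity": "medium", "confidence": 60},
            {"id": "i4", "type": "hash_md5", "value": "d41d8cd98f00b204e9800998ecf8427e",
             "threatStatus": "active", "severity": "high", "confidence": 70},
        ]
    }

    def __init__(self):
        self.calls = 0

    def __call__(self, tool, params):
        self.calls += 1
        if self.calls == 1:
            raise RateLimited()  # simulate a 429 on the very first request
        cid = params["campaignId"]
        if tool == "proofpoint_threat_get_campaign":
            return self.CAMPAIGNS[cid]
        if tool == "proofpoint_threat_get_indicators":
            return self.INDICATORS[cid]
        raise ValueError("unknown tool: " + tool)


# Constructed TAP threat events (sample data, not real events).
SAMPLE_EVENTS = [
    {"threatID": "t-1", "campaignId": "camp-001"},
    {"threatID": "t-2", "campaignId": "camp-001"},
    {"threatID": "t-3", "campaignId": None},
]

if __name__ == "__main__":
    print(enrich_tap_events(SAMPLE_EVENTS, FakeProofpoint(), sleep=lambda s: None))
```

Two points worth keeping when adapting this to the real tools: retry only on 429 (a 401 or 403 will not fix itself, and retrying a 400 just burns rate limit), and never push `cleared` or `falsePositive` indicators to a blocklist, which is why `threatStatus` is filtered before severity is even looked at.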