Proofpoint Threat Intelligence
Overview
Proofpoint Threat Intelligence provides contextual information about threat campaigns, threat families, and indicators of compromise (IOCs) observed across the Proofpoint network. This data enriches individual threat events from TAP with broader campaign context, attribution, and forensic evidence. It enables security analysts to understand not just what was blocked, but who is behind the attack and how it fits into a larger campaign.
Proofpoint processes billions of messages daily and correlates threats across its entire customer base, providing unique visibility into large-scale email threat campaigns.
Key Concepts
Campaigns
A campaign is a coordinated set of threat activities sharing common infrastructure, payloads, or techniques. Proofpoint groups related threats into campaigns based on:
- Shared sending infrastructure
- Common payload signatures
- Similar lure themes and social engineering tactics
- Linked command-and-control infrastructure
Threat Families
| Family Type | Description | Examples |
|---|
malware | Named malware families | Emotet, QBot, IcedID, AsyncRAT |
phishkit | Phishing kit families | Office365 kit, DocuSign kit |
loader | Malware delivery mechanisms | Bumblebee, CactusTorch |
rat | Remote access trojans | AsyncRAT, njRAT, DarkComet |
ransomware | Ransomware families | LockBit, BlackCat, Cl0p |
stealer | Credential/info stealers | FormBook, AgentTesla, RedLine |
Threat Actors
Proofpoint tracks named threat actors (e.g., TA505, TA542, TA577) that conduct persistent email-based campaigns. Actor profiles include:
- Known TTPs (tactics, techniques, procedures)
- Associated malware families
- Targeted industries and geographies
- Campaign frequency and sophistication level
Indicators of Compromise (IOCs)
| IOC Type | Description | Example |
|---|
url | Malicious URL | https://evil-domain.com/payload |
domain | Malicious domain | evil-domain.com |
ip | Malicious IP address | 192.168.1.100 |
hash_md5 | MD5 file hash | d41d8cd98f00b204e9800998ecf8427e |
hash_sha256 | SHA256 file hash | e3b0c44298fc1c149afbf4c8996fb92427ae41e4... |
sender | Malicious sender address | attacker@spoofed-domain.com |
subject | Lure subject line pattern | Invoice #[0-9]{6} |
Field Reference
Campaign Fields
| Field | Type | Description |
|---|
campaignId | string | Unique campaign identifier |
name | string | Proofpoint-assigned campaign name |
description | string | Campaign summary and context |
startDate | datetime | First observed activity |
lastActivity | datetime | Most recent activity |
actors | object[] | Associated threat actors |
families | object[] | Associated malware/threat families |
techniques | string[] | MITRE ATT&CK techniques observed |
malwareCount | int | Number of unique malware samples |
messageCount | int | Total messages in the campaign |
recipientCount | int | Number of targeted recipients |
industries | string[] | Targeted industry verticals |
Threat Indicator Fields
| Field | Type | Description |
|---|
id | string | Unique indicator identifier |
type | string | IOC type (url, domain, ip, hash) |
value | string | The indicator value |
firstSeen | datetime | First observation time |
lastSeen | datetime | Most recent observation |
threatStatus | string | active, cleared, falsePositive |
campaigns | string[] | Associated campaign IDs |
families | string[] | Associated threat families |
confidence | int | 0-100 confidence score |
severity | string | critical, high, medium, low, info |
MCP Tools
| Tool | Description | Key Parameters |
|---|
proofpoint_threat_get_campaign | Get details of a specific campaign | campaignId |
proofpoint_threat_search_campaigns | Search campaigns by criteria | startDate, endDate, actor, family |
proofpoint_threat_get_indicators | Get IOCs for a campaign or threat | campaignId, threatId |
proofpoint_threat_search_indicators | Search IOCs across all campaigns | type, value, startDate, endDate |
proofpoint_threat_get_family | Get details of a threat family | familyName |
proofpoint_threat_get_actor | Get details of a threat actor | actorName |
proofpoint_threat_get_landscape | Get threat landscape summary | window (7, 30, 90 days) |
Common Workflows
Investigate a Campaign from TAP Event
- From a TAP event, extract the
campaignId
- Call
proofpoint_threat_get_campaign with the campaign ID
- Review the campaign description, actor attribution, and techniques
- Call
proofpoint_threat_get_indicators to get all IOCs for the campaign
- Export IOCs to your SIEM or firewall blocklists
- Check if other users in the organization were targeted by the same campaign
Track a Threat Family
- Call
proofpoint_threat_get_family with the family name (e.g., Emotet)
- Review associated campaigns and activity timeline
- Call
proofpoint_threat_search_campaigns filtered by that family
- Assess whether the family is actively targeting your organization
- Review MITRE ATT&CK techniques to inform detection rules
IOC Lookup
- Receive an IOC from an external source (URL, hash, IP)
- Call
proofpoint_threat_search_indicators with the IOC value
- If found, review associated campaigns and threat families
- Determine if the IOC has been seen targeting your organization
- Check the threat status -
active IOCs require immediate action
Threat Landscape Review
- Call
proofpoint_threat_get_landscape with a 30-day window
- Review top threat families, actors, and techniques
- Identify trends - are attacks increasing for specific families?
- Cross-reference with your organization's TAP data
- Update security awareness training based on active campaigns
Correlate Across Multiple Events
- Gather
threatID values from multiple TAP events
- For each, call
proofpoint_threat_get_indicators
- Look for shared infrastructure (common domains, IPs, C2 servers)
- If shared infrastructure is found, these events may be part of the same campaign
- Use
proofpoint_threat_search_campaigns to confirm
Error Handling
Common API Errors
| Code | Message | Resolution |
|---|
| 400 | Invalid campaign ID | Verify the campaign ID format from the TAP event |
| 400 | Invalid date range | Ensure dates are within the allowed range |
| 401 | Authentication failed | Verify service principal and secret |
| 403 | Threat intelligence access not enabled | Ensure your license includes threat intelligence API |
| 404 | Campaign not found | The campaign may be too old or not yet correlated |
| 404 | Threat family not found | Verify the family name spelling |
| 429 | Rate limit exceeded | Implement backoff; intel API is rate-limited |
No Results
- Campaign data may take time to correlate - retry after a few hours
- Some threats may not be attributed to a named campaign
- IOC searches may return no results if the indicator is new or unique to your organization
- Older campaigns may be archived and unavailable via the API
Best Practices
- Start with TAP events - Use campaign IDs from TAP events as entry points into threat intelligence
- Export IOCs to blocklists - Feed campaign IOCs into your firewall, proxy, and EDR blocklists
- Track actor patterns - Named actors have consistent TTPs; use this to predict future attacks
- Correlate with external intel - Cross-reference Proofpoint intelligence with other threat feeds
- Update detection rules - Use MITRE ATT&CK techniques from campaigns to tune detection
- Brief your team - Share campaign summaries with your security team for