Detection rules › Panther
Proofpoint Malware Detected
This rule alerts when Proofpoint detects malware in an email message. It triggers when emails are quarantined with the malware rule or when the malware score is 90 or higher. Events quarantined to the Virus folder or with the notcleaned rule are handled by the Virus Detected rule instead.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1566 Phishing |
| Execution | T1204 User Execution |
Rule body

```yaml
AnalysisType: rule
Filename: proofpoint_malware_detected.py
RuleID: "Proofpoint.MalwareDetected"
DisplayName: "Proofpoint Malware Detected"
Enabled: true
LogTypes:
  - Proofpoint.Event
Status: Experimental
Tags:
  - Proofpoint
  - Email Security
  - Malware
  - Phishing
  - Initial Access:Phishing
  - Execution:User Execution
Severity: High
Description: >
  This rule alerts when Proofpoint detects malware in an email message.
  It triggers when emails are quarantined with the malware rule or when
  the malware score is 90 or higher. Events quarantined to the Virus folder
  or with the notcleaned rule are handled by the Virus Detected rule instead.
Runbook: |
  1. Verify the email was quarantined and check if recipients interacted with malicious content within the last 2 hours
  2. Block the sender domain/IP within 15 minutes and notify affected users immediately
  3. Escalate to IR team within 30 minutes if malware execution is confirmed on endpoints
Reference: https://www.proofpoint.com/sites/default/files/pfpt-us-ebook-stopping-malware-with-proofpoint-advanced-email-protection.pdf
Reports:
  MITRE ATT&CK:
    - TA0001:T1566 # Initial Access: Phishing
    - TA0002:T1204 # Execution: User Execution
Tests:
  - Name: Malware Quarantine Rule Match
    ExpectedResult: true
    Log:
      messageTime: "2026-01-08T23:57:06Z"
      sender: "malicious@example.com"
      senderIP: "192.0.2.1"
      fromAddress:
        - "malicious@example.com"
      toAddresses:
        - "victim@company.com"
      recipient:
        - "victim@company.com"
      subject: "Invoice Attached"
      malwareScore: 100
      phishScore: 0
      spamScore: 0
      impostorScore: 0
      quarantineFolder: "Malware"
      quarantineRule: "malware"
      messageID: "<20021004025021.15821.qmail@example.com>"
      messageSize: 202302
      modulesRun:
        - av
        - sandbox
        - spam
        - dmarc
      threatsInfoMap:
        - threatType: "attachment"
          classification: "malware"
          threatStatus: "active"
          threat: "invoice.exe"
          threatID: "9be9e4c4cc2679586acb2511b3ae0505be51c07d32e1071bc4bb95cfe3383b9f"
  - Name: High Malware Score
    ExpectedResult: true
    Log:
      messageTime: "2026-01-08T23:57:06Z"
      sender: "suspicious@example.com"
      senderIP: "198.51.100.1"
      fromAddress:
        - "suspicious@example.com"
      toAddresses:
        - "user@company.com"
      recipient:
        - "user@company.com"
      subject: "Urgent: Update Required"
      malwareScore: 95
      phishScore: 10
      spamScore: 20
      impostorScore: 0
      quarantineFolder: "Attachment Defense"
      quarantineRule: "threat"
      messageID: "<abc123@example.com>"
      threatsInfoMap:
        - threatType: "attachment"
          classification: "malware"
          threatStatus: "active"
          threat: "update.zip"
  - Name: Boundary Case - Score 89 Below Threshold
    ExpectedResult: false
    Log:
      messageTime: "2026-01-08T23:00:00Z"
      sender: "borderline@example.com"
      senderIP: "198.51.100.25"
      fromAddress:
        - "borderline@example.com"
      toAddresses:
        - "user@company.com"
      recipient:
        - "user@company.com"
      subject: "Document Attached"
      malwareScore: 89
      phishScore: 10
      spamScore: 15
      impostorScore: 0
      quarantineFolder: "Attachment Defense"
      quarantineRule: "threat"
      messageID: "<boundary89@example.com>"
  - Name: Low Malware Score - No Alert
    ExpectedResult: false
    Log:
      messageTime: "2026-01-08T23:57:06Z"
      sender: "legitimate@company.com"
      senderIP: "203.0.113.1"
      fromAddress:
        - "legitimate@company.com"
      toAddresses:
        - "employee@company.com"
      recipient:
        - "employee@company.com"
      subject: "Meeting Notes"
      malwareScore: 0
      phishScore: 0
      spamScore: 5
      impostorScore: 0
      messageID: "<normal123@company.com>"
  - Name: Virus Quarantine Excluded - No Alert
    ExpectedResult: false
    Log:
      messageTime: "2026-01-08T23:57:06Z"
      sender: "virus@example.com"
      senderIP: "192.0.2.10"
      fromAddress:
        - "virus@example.com"
      toAddresses:
        - "employee@company.com"
      recipient:
        - "employee@company.com"
      subject: "Infected File"
      malwareScore: 100
      phishScore: 0
      spamScore: 0
      impostorScore: 0
      quarantineFolder: "Virus"
      quarantineRule: "notcleaned"
      messageID: "<virus-excluded@example.com>"
  - Name: Different Quarantine Rule - No Alert
    ExpectedResult: false
    Log:
      messageTime: "2026-01-08T23:57:06Z"
      sender: "spam@example.com"
      senderIP: "198.51.100.50"
      fromAddress:
        - "spam@example.com"
      toAddresses:
        - "user@company.com"
      recipient:
        - "user@company.com"
      subject: "Buy Now!"
      malwareScore: 0
      phishScore: 0
      spamScore: 95
      impostorScore: 0
      quarantineFolder: "Definite Spam"
      quarantineRule: "spam_definite"
      messageID: "<spam456@example.com>"
```
Detection logic
Condition

```
not (quarantineFolder eq "Virus" or quarantineRule eq "notcleaned")
quarantineRule eq "malware" or malwareScore ge "90"
```
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
| quarantineFolder | eq | Virus |
| quarantineRule | eq | notcleaned |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| malwareScore | ge | 90 |
| quarantineRule | eq | malware |
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
| sender | |
| senderIP | |
| recipients | recipient |
| subject | |
| messageID | |
| quarantineFolder | |
| quarantineRule | |
| malwareScore | |
| phishScore | |
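As an added example (not the project's own `proofpoint_malware_detected.py`, which this page does not show), the condition, exclusions and output fields above expressed as a Panther-style Python rule body; field names are taken from the test events on this page, and the sample events are constructed.

```python
# Added example (not the project's own proofpoint_malware_detected.py, which this page
# does not show): a Panther-style rule body for the condition above. Panther hands the
# rule an event object with .get(); plain dicts behave the same, so samples are constructed.

MALWARE_SCORE_THRESHOLD = 90
VIRUS_FOLDER = "Virus"       # owned by the Virus Detected rule, excluded here
VIRUS_RULE = "notcleaned"    # owned by the Virus Detected rule, excluded here


def malware_score(event) -> int:
    # malwareScore is normally an int; tolerate a string or a missing field.
    try:
        return int(event.get("malwareScore") or 0)
    except (TypeError, ValueError):
        return 0


def rule(event) -> bool:
    # Top-level NOT(...) conjunct: suppress events the Virus Detected rule handles.
    if event.get("quarantineFolder") == VIRUS_FOLDER or event.get("quarantineRule") == VIRUS_RULE:
        return False
    # Indicators: quarantineRule eq "malware" OR malwareScore ge 90.
    return event.get("quarantineRule") == "malware" or malware_score(event) >= MALWARE_SCORE_THRESHOLD


def alert_context(event) -> dict:
    # The output fields listed on this page; "recipients" is sourced from "recipient".
    return {
        "sender": event.get("sender"),
        "senderIP": event.get("senderIP"),
        "recipients": event.get("recipient"),
        "subject": event.get("subject"),
        "messageID": event.get("messageID"),
        "quarantineFolder": event.get("quarantineFolder"),
        "quarantineRule": event.get("quarantineRule"),
        "malwareScore": malware_score(event),
        "phishScore": event.get("phishScore"),
    }


# Constructed samples mirroring the page's test cases, trimmed to the fields the rule reads.
SAMPLE_EVENTS = {
    "malware_rule": {"malwareScore": 100, "quarantineFolder": "Malware", "quarantineRule": "malware"},
    "high_score": {"malwareScore": 95, "quarantineFolder": "Attachment Defense", "quarantineRule": "threat"},
    "score_89": {"malwareScore": 89, "quarantineFolder": "Attachment Defense", "quarantineRule": "threat"},
    "virus_excluded": {"malwareScore": 100, "quarantineFolder": "Virus", "quarantineRule": "notcleaned"},
    "spam": {"malwareScore": 0, "quarantineFolder": "Definite Spam", "quarantineRule": "spam_definite"},
    "no_quarantine": {"malwareScore": 0, "phishScore": 0},
}
```

The exclusion check runs before the indicator check, so a score-100 event in the Virus folder stays silent here and is left to the Virus Detected rule, exactly as the page's "Virus Quarantine Excluded" test expects.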