
Proofpoint TAP — URL & Attachment Defense Explained

Proofpoint TAP (Targeted Attack Protection) wraps every URL in email and detonates every suspicious attachment in a cloud sandbox before a user can ever click. This lesson maps URL rewriting, time-of-click protection, predictive URL defence, attachment sandboxing, and the Threat Insight Dashboard — so you can explain the full flow in an interview or an incident call.

📅 2026-06-20 · ⏱ 15 min · 4 infographics · live block demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Learn how Proofpoint TAP URL Defense rewrites links, applies time-of-click sandboxing, and uses predictive URL analysis alongside attachment detonation to stop advanced email threats in 2026.

Pick where you want to start

1. What TAP is: People-centric email defence, not gateway filtering.
2. URL Defense: Rewrite, time-of-click sandbox, predictive analysis.
3. Attachment Defense: Nexus sandbox detonation, verdict and delivery.
4. Dashboard & forensics: Threat Insight, campaigns, impacted users.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Does TAP scan URLs only once when the email arrives?

Answered in URL Defense.

2. What does Attachment Defense do with a suspicious PDF?

Answered in Attachment Defense.

3. Where do you see which users were hit by a phishing campaign?

Answered in Dashboard & forensics.

Most engineers think…

Most people assume email security is a gateway that blocks known-bad files and URLs at delivery. Miss it once and it's over.

Proofpoint TAP breaks that model. URL Defense rewrites every link so TAP can evaluate it the moment a user clicks — even if that URL was clean when the email arrived and turned malicious an hour later. Attachment Defense detonates files in a cloud sandbox before they reach the inbox. And predictive URL Defence pre-sandboxes suspicious links based on email-traffic patterns, so TAP can block a phishing URL before anyone clicks at all. The Threat Insight Dashboard ties it all together with campaign-level forensics.

① What Proofpoint TAP is — people-centric, not perimeter-centric

Traditional email gateways block known malware signatures at the perimeter. Proofpoint TAP (Targeted Attack Protection) is built around the idea that people are the target, not just the network. TAP tracks which users receive threats, which are most targeted (VAPs), and what threat families are being weaponised against them.

TAP sits inside the Proofpoint email security stack and adds two active defence layers — URL Defense (rewriting and time-of-click analysis) and Attachment Defense (sandbox detonation) — plus predictive URL Defence that pre-analyses suspicious links before any click. Every verdict feeds the Threat Insight Dashboard for campaign-level forensics.

Figure 1 — TAP end-to-end email defence flow
Every inbound message passes through URL rewriting and attachment routing before delivery — and every click is re-evaluated in real time.
Flow: Inbound email (arrives at MTA) ▸ URL rewrite (links wrapped by TAP) ▸ Attach sandbox (Nexus detonation) ▸ Deliver / hold (clean to inbox) ▸ Click check (time-of-click verdict)

Quick check · Q1 of 10 · Understand

What distinguishes Proofpoint TAP from a standard email gateway?

Correct: c. TAP adds URL Defense (rewriting + time-of-click sandboxing), Attachment Defense (Nexus detonation), predictive URL Defence and people-centric analytics — far beyond gateway spam filtering.
👉 So far: TAP is people-centric email defence: it tracks which users are targeted (VAPs), adds URL rewriting and attachment sandboxing on top of the gateway, and ties every verdict into campaign-level forensics.

② URL Defense — rewrite, time-of-click & predictive analysis

URL Defense rewrites every URL in inbound email, replacing the original link with a Proofpoint proxy URL. When the user clicks, the proxy fetches the destination in a real-time cloud sandbox, scores the page and either passes the click through or blocks it with an interstitial warning — all within milliseconds. This catches time-of-click threats: URLs that were benign at delivery but turned malicious by the time a user clicks hours or days later.

Predictive URL Defence

Predictive URL Defence goes further: TAP analyses email-traffic patterns and sandboxes suspicious URLs before any user clicks, flagging links that share infrastructure or behaviour patterns with known campaigns. If the pre-sandbox verdict is malicious, the rewritten URL is blocked the moment anyone clicks, even on the first recipient. This closes the gap between delivery and the first click — the window where most zero-hour phishing succeeds.

Figure 2 — Three URL protection layers
TAP applies three complementary layers so a malicious URL is caught before, during and after delivery.
Layers: Predictive defence (pre-click sandbox from traffic patterns) ▸ Time-of-click (real-time sandbox on every user click) ▸ URL rewriting (wraps all links for proxy evaluation)

🔗 URL Rewriting
TAP replaces every link in inbound email with a Proofpoint proxy URL so that clicks can be evaluated in real time, catching URLs that turn malicious after delivery.

⏱️ Time-of-Click
When a user clicks a rewritten URL, TAP sandboxes the destination in milliseconds and blocks it with a warning if the page is now malicious — even if it was clean at delivery.

🔮 Predictive URL Defence
TAP analyses email-traffic patterns and sandboxes suspicious URLs before any user clicks, using infrastructure and behavioural signals to catch zero-hour phishing proactively.

💣 Attachment Detonation
Suspicious files are routed to the Proofpoint Nexus cloud sandbox, executed in isolation and watched for malicious behaviours. Malicious verdicts quarantine the message before it reaches the inbox.

Rewrite ≠ block — it enables time-of-click

URL rewriting is not itself the protection — it is the mechanism that lets TAP re-evaluate the destination the moment someone clicks. Without the rewrite, TAP has no hook at click time. Always explain these as two separate things in an interview: the rewrite (delivery-time) and the time-of-click sandbox (click-time).
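
Because delivered mail and proxy logs then carry the rewritten link rather than the destination, indicator matching has to decode it first. The sketch below is an added example, not Proofpoint's code or part of the original lesson: it assumes the `urldefense.proofpoint.com/v2/url?u=…` rewrite format (which this lesson does not show; other rewrite versions use different encodings and are not handled), and the function names, log layout and hosts are constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlparse

# Assumed v2 rewrite shape: https://urldefense.proofpoint.com/v2/url?u=<encoded>&d=...
V2_HOST = "urldefense.proofpoint.com"
V2_LINK = re.compile(r"https://urldefense\.proofpoint\.com/v2/url\?\S+")
V2_TRANS = str.maketrans("-_", "%/")  # v2 writes '%' as '-' and '/' as '_'


def decode_v2(rewritten):
    """Return the original URL from a v2 rewritten link, or None if it is not one."""
    parts = urlparse(rewritten)
    if parts.hostname != V2_HOST or not parts.path.startswith("/v2/url"):
        return None
    encoded = parse_qs(parts.query).get("u")
    if not encoded:
        return None
    return html.unescape(unquote(encoded[0].translate(V2_TRANS)))


def flag_rewritten_links(log_lines, blocked_domains):
    """Return (line_no, original_url) for rewritten links whose host is blocklisted."""
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        for link in V2_LINK.findall(line):
            original = decode_v2(link)
            host = (urlparse(original).hostname or "") if original else ""
            if any(host == d or host.endswith("." + d) for d in blocked_domains):
                hits.append((line_no, original))
    return hits


# Constructed proxy-log lines; users, hosts and the d/c values are invented.
SAMPLE_LOG = [
    "09:40:02 asha GET https://urldefense.proofpoint.com/v2/url"
    "?u=https-3A__it-2Dhelpdesk.example.test_reset-3Fid-3D42&d=CONSTRUCTED&c=CONSTRUCTED",
    "09:41:10 dev GET https://urldefense.proofpoint.com/v2/url"
    "?u=https-3A__intranet.example.org_wiki&d=CONSTRUCTED",
    "09:42:55 meera GET https://news.example.net/today",
]

if __name__ == "__main__":
    for line_no, url in flag_rewritten_links(SAMPLE_LOG, {"example.test"}):
        print(f"line {line_no}: {url}")
```
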

Quick check · Q2 of 10 · Apply

A phishing URL was clean when the email arrived but redirected to a credential harvester two hours later. Which TAP feature catches it when a user finally clicks?

Correct: a. Time-of-click evaluation re-evaluates the rewritten URL the moment the user clicks — even two hours after delivery — catching URLs that turned malicious after the initial MTA scan.
👉 So far: URL Defense = rewrite at delivery + time-of-click sandbox on every click + predictive pre-click analysis. Three layers, one protection chain — catching URLs that turn malicious long after the email arrived.

③ Attachment Defense — Nexus sandbox detonation

Attachment Defense routes suspicious attachments to the Proofpoint Nexus cloud sandbox for detonation before the message is delivered. The sandbox executes the file in an isolated environment, watches for malicious behaviours (network callbacks, registry changes, process injection, file drops), and returns a verdict: clean, suspicious or malicious. Clean files are delivered normally; malicious files are quarantined and an alert is raised.

TAP uses a combination of static analysis, dynamic detonation and threat-intelligence lookups so that known-bad files are caught quickly and novel samples go through full detonation. The attachment analysis is also correlated with URL Defence — a document containing an embedded URL that detonates maliciously triggers both attachment and URL verdicts, giving analysts the full attack chain in one forensic record.

Figure 3 — Nexus sandbox verdict sources
Attachment Defense combines multiple analysis engines to reach a high-confidence verdict before delivery.
Nexus sandbox (verdict engine) sources: Static analysis · Dynamic detonation · Threat intel lookup · Embedded URL check · Behaviour watch

Assuming sandbox = slow delivery

A common misconception is that sending every attachment to a sandbox introduces unacceptable delays. Proofpoint TAP uses static analysis and threat-intel lookups for known-bad files (fast path) and only routes genuinely ambiguous files through full dynamic detonation. Most clean attachments are released within seconds, not minutes.

▶ Watch a phishing email get neutralised end-to-end

Step through how TAP handles a credential-phishing email with a rewritten URL.

① Email arrives: A phishing email with a credential-harvesting URL lands at the Proofpoint MTA. TAP rewrites the link with a proxy URL before passing the message to the inbox.
② User clicks: Two hours later the user clicks the rewritten URL. TAP intercepts the click and immediately routes the destination to the cloud sandbox.
③ Sandbox verdict: The sandbox fetches the page, detects a fake login form harvesting credentials, and returns a malicious verdict within milliseconds.
④ Block + alert: The user sees a TAP block page. An alert is raised in the Threat Insight Dashboard with forensics — domain, IP, campaign association, and all other recipients.

Quick check · Q3 of 10 · Remember

What is the Proofpoint Nexus sandbox used for in TAP?

Correct: b. The Nexus sandbox executes suspicious attachments in an isolated environment, watching for network callbacks, registry changes, process injection and file drops before deciding to deliver or quarantine.
👉 So far: Attachment Defense routes suspicious files to the Nexus cloud sandbox for static analysis, dynamic detonation and threat-intel correlation. Malicious verdict = quarantine before delivery; clean = immediate release.

④ Threat Insight Dashboard — campaigns, forensics & VAPs

The TAP Threat Insight Dashboard is the single pane that ties every TAP verdict into campaign-level intelligence. It shows which users were targeted (including VAPs), the threat family (phishing, malware, BEC), attack screenshots, forensic indicators (IPs, domains, payload hashes), and campaign timelines. You can drill from a campaign down to every affected mailbox in the organisation.

Integrations and SIEM export

The dashboard exposes a SIEM API that streams TAP events into Splunk, Microsoft Sentinel or any compatible platform. TAP also integrates with Proofpoint TRAP (Threat Response Auto-Pull) to automatically retract malicious messages already delivered — closing the loop from detection to remediation without manual analyst action.

Figure 4 — URL Defense vs Attachment Defense
Both layers feed the same Threat Insight Dashboard but protect against different attack vectors.

URL Defense
- Rewrites all links at delivery
- Time-of-click sandbox on every
- Predictive pre-click analysis
- Catches late-turning phishing URLs

Attachment Defense
- Detonates files in Nexus sandbox
- Static + dynamic analysis
- Quarantines malicious before
- Correlates embedded URLs in docs

Priya at a Mumbai-based fintech firm faces this

Several employees report clicking a link in what looked like an IT helpdesk email. The link appeared safe at delivery but later redirected to a credential harvester. TAP URL Defense is deployed but the security team is unsure how to assess the damage.

Likely cause

The phishing URL used a redirect chain that was inactive at delivery time — defeating the MTA scan — and only armed two hours after the email landed in inboxes.

Diagnosis

Open the TAP Threat Insight Dashboard ▸ search for the rewritten URL ▸ view the campaign tab to see all users who clicked. Check the forensic indicators for the redirect domain and landing page.

Threat Insight Dashboard ▸ Campaigns ▸ URL forensics ▸ Impacted users

Fix

Retract remaining unclicked copies with Proofpoint TRAP. Block the landing-page domain in the web gateway. Reset credentials for every user who clicked. Verify that predictive URL Defence is enabled to catch similar redirect chains before the first click next time.

Verify

Re-check the Dashboard: the campaign is marked contained, no further clicks recorded, and impacted users have been remediated with new credentials.

Use the Dashboard before escalating

Before raising a P1 incident, open the Threat Insight Dashboard and check the campaign view. It will tell you exactly how many users were targeted, how many clicked, the full forensic chain (IPs, domains, payload hashes) and whether TRAP has already retracted copies. This single read eliminates most of the guesswork in an email-threat triage.
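
The same triage can be scripted from SIEM-exported events. The sketch below is an added example, not part of the original lesson or Proofpoint's code: it sorts one campaign's recipients into the actions from the scenario above, using constructed sample data. The field names (`clicksPermitted`, `clicksBlocked`, `messagesDelivered`, `campaignId`, `threatsInfoMap`, `clickTime`, `threatTime`) are assumed from the SIEM API's JSON output and should be checked against the API documentation.

```python
from datetime import datetime

# Constructed events shaped like a TAP SIEM API JSON response; every value is invented.
CAMPAIGN = "constructed-campaign-0001"
SAMPLE_EVENTS = {
    "clicksPermitted": [
        {"recipient": "asha@example.test", "campaignId": CAMPAIGN,
         "clickTime": "2026-06-20T09:40:00.000Z", "threatTime": "2026-06-20T11:00:00.000Z"},
        {"recipient": "dev@example.test", "campaignId": CAMPAIGN,
         "clickTime": "2026-06-20T11:05:00.000Z", "threatTime": "2026-06-20T11:00:00.000Z"},
        {"recipient": "zed@example.test", "campaignId": "constructed-campaign-0002",
         "clickTime": "2026-06-20T08:00:00.000Z", "threatTime": "2026-06-20T08:30:00.000Z"},
    ],
    "clicksBlocked": [
        {"recipient": "meera@example.test", "campaignId": CAMPAIGN,
         "clickTime": "2026-06-20T11:20:00.000Z", "threatTime": "2026-06-20T11:00:00.000Z"},
    ],
    "messagesDelivered": [
        {"recipient": ["asha@example.test", "dev@example.test", "meera@example.test",
                       "kiran@example.test", "tara@example.test"],
         "threatsInfoMap": [{"campaignID": CAMPAIGN}]},
        {"recipient": ["zed@example.test"],
         "threatsInfoMap": [{"campaignID": "constructed-campaign-0002"}]},
    ],
}


def _ts(value):
    """Parse an ISO 8601 UTC timestamp such as 2026-06-20T09:40:00.000Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(events, campaign_id):
    """Split one campaign's recipients into the response actions from the scenario."""
    clicked = {}  # recipient -> True if any permitted click predates the verdict
    for ev in events.get("clicksPermitted", []):
        if ev.get("campaignId") == campaign_id:
            early = _ts(ev["clickTime"]) < _ts(ev["threatTime"])
            clicked[ev["recipient"]] = clicked.get(ev["recipient"], False) or early
    blocked = {ev["recipient"] for ev in events.get("clicksBlocked", [])
               if ev.get("campaignId") == campaign_id}
    delivered = set()
    for msg in events.get("messagesDelivered", []):
        if any(t.get("campaignID") == campaign_id for t in msg.get("threatsInfoMap", [])):
            delivered.update(msg.get("recipient", []))
    return {
        "reset_credentials": sorted(clicked),
        "clicked_before_verdict": sorted(u for u, early in clicked.items() if early),
        "blocked_at_click": sorted(blocked - set(clicked)),
        "retract_unclicked": sorted(delivered - set(clicked) - blocked),
    }


if __name__ == "__main__":
    for action, users in triage(SAMPLE_EVENTS, CAMPAIGN).items():
        print(f"{action}: {', '.join(users) or '-'}")
```
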

Quick check · Q4 of 10 · Analyze

An analyst needs to see every user who received a specific phishing campaign and the full attack forensics in one view. Where in TAP does this information live?

Correct: d. The Threat Insight Dashboard aggregates all TAP verdicts into campaign-level intelligence including impacted users (VAPs), attack screenshots, forensic indicators (IPs, domains, hashes) and campaign timelines.
👉 So far: The Threat Insight Dashboard shows campaign forensics, VAPs, attack screenshots and SIEM-exportable indicators. Integrate with TRAP for automatic retraction of already-delivered malicious messages.


📝 Wrap-up assessment — six more


Q5 · Remember

What does TAP do to every URL in an inbound email at delivery time?

Correct: c. TAP URL Defense rewrites every URL at delivery with a Proofpoint proxy URL so that the destination can be evaluated in real time when the user clicks — regardless of when that click happens.
Q6 · Understand

Predictive URL Defence differs from time-of-click protection because it…

Correct: b. Predictive URL Defence proactively sandboxes URLs based on email-traffic pattern analysis and infrastructure signals before the first user click, whereas time-of-click fires at the moment a user actually clicks.
Q7 · Apply

A security analyst notices a Word document delivered to 40 users contains an embedded URL that later redirected to malware. Which TAP feature produces a combined attachment-and-URL forensic record?

Correct: a. When Attachment Defense detonates a document, it also evaluates embedded URLs; a malicious embedded URL triggers both an attachment verdict and a URL verdict, giving analysts the full attack chain in one forensic record.
Q8 · Analyze

Why does bypassing or stripping TAP URL rewriting create a critical security gap?

Correct: d. The rewrite is the hook that lets TAP intercept clicks. Without it, users follow the original URL directly and TAP has no mechanism for time-of-click sandboxing or blocking — a late-arming phishing URL reaches the user undetected.
Q9 · Evaluate

Which TAP feature should you enable to give security analysts automated retraction of phishing emails already delivered to inboxes?

Correct: c. Proofpoint TRAP (Threat Response Auto-Pull) automatically retracts malicious messages from all affected mailboxes when TAP raises an alert. SIEM export and sandboxing priority do not perform retraction; Predictive URL Defence only prevents future clicks.
Q10 · Evaluate

An interviewer asks you to explain why TAP's Attachment Defense does not add significant delivery delays for clean files. What is the best answer?

Correct: b. TAP applies a fast path — static analysis plus threat-intelligence lookups — to known-good or known-bad files, reserving full dynamic detonation for ambiguous samples. This keeps delivery times low for the majority of clean attachments.

🧠 In your own words

Type one line: why does TAP rewrite URLs at delivery rather than just scanning them once and being done? Then compare with the expert version.

Expert version: Scanning at delivery only catches URLs that are already malicious at that moment. Attackers deliberately arm URLs after delivery — the link is benign at scan time and redirects to a phishing page hours later. By rewriting every URL with a proxy link, TAP gains a hook at click time: regardless of when the user clicks, TAP sandboxes the destination in real time and blocks it if it has turned malicious. The rewrite is not itself the protection — it is the mechanism that makes time-of-click evaluation possible.


📖 Glossary

URL Defense
The TAP feature that rewrites every inbound URL with a Proofpoint proxy link, enabling real-time sandboxing at the moment of each user click.
Time-of-Click Protection
TAP re-evaluates a rewritten URL in a cloud sandbox the moment a user clicks — catching URLs that were clean at delivery but turned malicious later.
Predictive URL Defence
TAP proactively sandboxes suspicious URLs based on email-traffic patterns and infrastructure signals before any user click, closing the zero-hour phishing window.
Attachment Defense
TAP routes suspicious attachments to the Proofpoint Nexus cloud sandbox for static analysis and dynamic detonation before delivery; malicious files are quarantined.
Nexus Sandbox
Proofpoint's cloud-based detonation environment that executes suspicious files in isolation and watches for malicious behaviours such as network callbacks and process injection.
Threat Insight Dashboard
The TAP web interface showing campaign-level forensics, impacted users (VAPs), attack screenshots, forensic indicators and SIEM-exportable event data.
Very Attacked Person (VAP)
A user who receives a disproportionate share of targeted attacks, surfaced by TAP in the dashboard to guide prioritised security controls.
TRAP (Threat Response Auto-Pull)
A Proofpoint capability that automatically retracts malicious messages from all affected mailboxes when TAP raises an alert, completing the detect-and-remediate loop.


What's next?

Got TAP covered? Next, explore Proofpoint TRAP (Threat Response Auto-Pull) to see how TAP alerts trigger automatic quarantine of already-delivered malicious messages across the whole org.