Read Delivered Malicious Messages

Fetch events for messages delivered in the specified time period which contained a known threat.

The events returned for a specified range are based on the time that the event was created, not the time that the event occurred. The time that an event is created is the later of the following:

  • the time that the message was sent

  • the time that the threat referenced by the message was recognized by Proofpoint

The input fields in this card are dynamically generated based on your instance.

Required fields are indicated in red.

Unless otherwise mentioned, all fields are text.


  • Range Type (dropdown): choose from available ranges



  • Interval (date): time interval to query in ISO 8601 format. The minimum interval allowed is 30 seconds and the maximum interval is 1 hour.

  • Since Time (date): start time of query in ISO 8601 format. The end of the period is the current API server time rounded to the nearest minute.

  • Since Seconds Ago (number): set start time of query to this many seconds before the current API server time (rounded to the nearest minute)


  • Query End Time (date): time the period being queried ended

  • Messages (object)

    • Spam Score (number): message's spam score

    • Phish Score (number): message's phish score

    • Impostor Score (number): message's imposter score

    • Malware Score (number): message's malware score

    • Threats Info Map (array): array of structures containing details of threats found in the message

    • Sender: email address of sender; user-part is hashed and domain-part in plaintext

    • Recipient: email addresses of the recipients

    • Sender IP: IP address of sender

    • Message ID: non-unique Message-ID extracted from headers of the email message

    • Message Time (date): time when message was delivered to user or quarantined

    • Message Size (number): size of message in bytes

    • ID: UUID of the event

    • QID: queue ID of the message in PPS

    • GUID: unique ID of message in PPS

    • From Address: email address extracted from the From: header of the message, excluding friendly name

    • cc Addresses: list of email addresses from the CC: header, excluding friendly names

    • Reply To Addresses: email address from the Reply-To: header, excluding friendly name

    • To Addresses: list of email addresses from the To: header, excluding friendly names

    • Header From: full From: header, including any friendly name

    • Header Reply To: full Reply-To: header (if present), including friendly name

    • Completely Rewritten: rewrite status of message

    • Cluster: name of the PPS cluster that processed the message

    • Subject: subject line of the message

    • Quarantine Folder: name of folder that contains the quarantined message

    • Quarantine Rule: name of rule that quarantined the message