
Summary
The Proofpoint Phishing Email Detected rule monitors email traffic for potential phishing attempts. It triggers under specific conditions defined by Proofpoint, such as an email being quarantined by the phishing rule, a phishing score of 80 or above, or active threats identified in a threat map. The detection aggregates data from Proofpoint events to flag high-risk emails, which may impersonate legitimate entities to trick users into divulging sensitive information. Detections are assigned a severity of 'High', indicating that immediate attention is required to mitigate the risk of credential theft or unauthorized access. Each detection starts a follow-up process structured for rapid response, including password resets for affected users, blocking malicious sender domains, and reporting to anti-phishing authorities. The rule places strong emphasis on maintaining email security and protecting user identities from phishers who rely on social engineering tactics.
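The trigger conditions from the summary, evaluated over sample events, as an added example that is not the rule's own code. The field names (`quarantineRule`, `phishScore`, `threatsInfoMap`, `threatStatus`) follow Proofpoint TAP message events; the `"phish"` rule name and the sample events are assumptions constructed for illustration.

```python
# Added example. Field names follow Proofpoint TAP message events; the "phish"
# quarantine rule name and all sample events below are constructed assumptions.
PHISH_SCORE_THRESHOLD = 80  # "phishing score of 80 or above"

def _score(event):
    """phishScore as int; missing, null or malformed values count as 0."""
    try:
        return int(event.get("phishScore"))
    except (TypeError, ValueError):
        return 0

def match_reasons(event):
    """Return which of the summary's trigger conditions this event meets."""
    reasons = []
    if str(event.get("quarantineRule") or "").lower() == "phish":
        reasons.append("quarantined_by_phish_rule")
    if _score(event) >= PHISH_SCORE_THRESHOLD:
        reasons.append("phish_score")
    threats = event.get("threatsInfoMap") or []
    if any(isinstance(t, dict) and str(t.get("threatStatus")).lower() == "active"
           for t in threats):
        reasons.append("active_threat")
    return reasons

def evaluate(event):
    """Build a High-severity alert for a matching event, else None."""
    reasons = match_reasons(event)
    if not reasons:
        return None
    return {"severity": "High", "messageID": event.get("messageID"),
            "sender": event.get("sender"), "reasons": reasons}

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"messageID": "m1", "sender": "it-desk@example.net", "quarantineRule": "phish",
     "phishScore": 45, "threatsInfoMap": []},
    {"messageID": "m2", "sender": "billing@example.org", "phishScore": 80},
    {"messageID": "m3", "sender": "news@example.com", "phishScore": 79,
     "threatsInfoMap": [{"threatStatus": "cleared"}]},
    {"messageID": "m4", "sender": "hr@example.net", "phishScore": "12",
     "threatsInfoMap": [{"threatStatus": "active", "classification": "phish"}]},
    {"messageID": "m5", "sender": "ok@example.com", "phishScore": None,
     "quarantineRule": None},
]

def run(events):
    """Evaluate every event and return only the alerts that fired."""
    return [alert for alert in map(evaluate, events) if alert]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Recording the matched reasons on each alert lets an analyst see which condition fired, which matters because a message can be quarantined by the phishing rule while scoring well below 80.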
Categories
- Endpoint
- Network
- Web
- Cloud
- Application
Data Sources
- User Account
- Application Log
- Network Traffic
- Process
ATT&CK Techniques
- T1566
- T1598
Created: 2026-02-12