
Brand impersonation: Proofpoint secure messaging without legitimate indicators
Sublime Rules
Summary
This detection rule identifies phishing attempts that impersonate Proofpoint secure messaging. It targets messages that carry Proofpoint branding, such as the phrase "Secured by Proofpoint Encryption" or a Proofpoint copyright notice, but lack the legitimate Proofpoint secure-sharing URLs or the attachment that a genuine Proofpoint encrypted message would carry. The rule combines several checks: a regex over the message content for the branding text, inspection of every link's domain to exclude messages that actually point to legitimate Proofpoint secure-share domains, and a strict attachment check to exclude genuine Proofpoint messages. A message that shows the branding without either legitimate indicator is flagged as fraudulent use of the brand. The high severity is appropriate because the lure leads to credential phishing that exploits users' trust in an encryption service.
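The following is an added Python illustration of the three-part logic described above, run over constructed sample messages. It is not the rule's own MQL and is not Sublime code. The allowlist of secure-share domains, the attachment filename pattern and the branding regex are assumptions chosen for the example; the real rule carries its own lists and patterns.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of legitimate Proofpoint secure-share domains (example only;
# the real rule defines its own). Matching is on the registered domain and its
# subdomains, so a lookalike such as proofpoint.com.evil.example does not pass.
PROOFPOINT_SHARE_DOMAINS = ("proofpoint.com",)

# Branding text that a Proofpoint impersonation typically reuses: the
# "Secured by Proofpoint Encryption" footer or a Proofpoint copyright line.
BRANDING_RE = re.compile(
    r"secured by proofpoint encryption"
    r"|(?:©|\(c\)|copyright)\s*(?:19|20)\d{2}[^\n]{0,40}\bproofpoint\b",
    re.IGNORECASE,
)

# Assumed attachment indicator of a genuine Proofpoint encrypted message
# (example only): an HTML "secure message" attachment.
ATTACHMENT_RE = re.compile(r"securemessageatt\.html?$", re.IGNORECASE)


def _is_legit_share_host(host):
    """True when host is an allowlisted domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in PROOFPOINT_SHARE_DOMAINS)


def has_proofpoint_branding(body):
    return bool(BRANDING_RE.search(body))


def has_legit_proofpoint_link(links):
    return any(_is_legit_share_host(urlparse(u).hostname) for u in links)


def has_proofpoint_attachment(attachments):
    return any(ATTACHMENT_RE.search(name) for name in attachments)


def is_proofpoint_impersonation(msg):
    """Branding present, but neither legitimate indicator (link or attachment)."""
    return (
        has_proofpoint_branding(msg["body"])
        and not has_legit_proofpoint_link(msg["links"])
        and not has_proofpoint_attachment(msg["attachments"])
    )


# Constructed sample messages (not real captures).
SAMPLE_MESSAGES = {
    "phish_lookalike": {
        "body": "You have a secure message. Click to read.\n\n"
                "Secured by Proofpoint Encryption",
        "links": ["https://proofpoint.com.secure-view.example/read"],
        "attachments": [],
    },
    "phish_copyright": {
        "body": "Click here to view your encrypted message.\n"
                "© 2025 Proofpoint, Inc. All rights reserved.",
        "links": ["https://docs-share.example/login"],
        "attachments": [],
    },
    "legit_link": {
        "body": "Secured by Proofpoint Encryption",
        "links": ["https://securemail.proofpoint.com/read?id=abc"],
        "attachments": [],
    },
    "legit_attachment": {
        "body": "Open the attachment to read.\n© 2025 Proofpoint, Inc.",
        "links": [],
        "attachments": ["SecureMessageAtt.html"],
    },
    "unrelated": {
        "body": "Quarterly report attached.",
        "links": ["https://intranet.example/report"],
        "attachments": ["report.pdf"],
    },
}


def evaluate_samples():
    """Map each sample name to whether the rule would flag it."""
    return {name: is_proofpoint_impersonation(m) for name, m in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, flagged in evaluate_samples().items():
        print(f"{name:18s} flagged={flagged}")
```

Only the two constructed lures are flagged: both show the branding while linking elsewhere and carrying no secure-message attachment. The two benign samples with the same branding are excluded by the link and attachment checks, which is the exclusion logic that keeps the rule from firing on real Proofpoint mail.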
Categories
- Endpoint
- Web
- Cloud
- Application
Data Sources
- User Account
- Web Credential
- Network Traffic
- Application Log
- Process
Created: 2025-11-15