
Proofpoint Malware Detected

Panther Rules

Summary
The 'Proofpoint Malware Detected' rule alerts security teams when Proofpoint's email security system detects malware in an email message. It fires when a message is quarantined because of a malware detection, or when the message's malware score exceeds a threshold of 85. The log type monitored is 'Proofpoint.Event'. The rule prescribes a structured response: within the first hour, verify who interacted with the email and contain the threat by blocking the sender's domain or IP. If malware is confirmed to have executed on affected endpoints, escalate immediately to the Incident Response (IR) team. The rule ships with tests that confirm a quarantined message triggers it and that a high-malware-score entry is detected. The rule's status is experimental, reflecting ongoing development and testing, and it belongs to categories such as email security and phishing defense.
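The detection logic described above, written as an added Panther-style rule function; this is example code, not the rule's own source. The field names `quarantined`, `malwareScore`, `senderDomain` and `senderIP` are assumptions made for illustration (verify them against the Proofpoint.Event schema in your own deployment), and the sample events are constructed, not real Proofpoint logs. The example goes slightly beyond the page by coercing numeric strings and by exposing the sender domain and IP that the first-hour containment step needs.

```python
# Added example: Panther-style rule for "Proofpoint Malware Detected".
# Field names below are ASSUMED for illustration; check the real
# Proofpoint.Event schema before deploying anything like this.

MALWARE_SCORE_THRESHOLD = 85  # the score must EXCEED this value to alert


def _score(event: dict):
    """Return the malware score as a number, or None if absent/unparseable."""
    raw = event.get("malwareScore")  # assumed field name
    if raw is None:
        return None
    try:
        return float(raw)
    except (TypeError, ValueError):
        return None


def rule(event: dict) -> bool:
    """True when the message was quarantined for malware or its score > 85."""
    if event.get("quarantined") is True:  # assumed field name
        return True
    score = _score(event)
    return score is not None and score > MALWARE_SCORE_THRESHOLD


def title(event: dict) -> str:
    """Alert title: which condition fired, plus the sender domain for triage."""
    reason = "quarantined" if event.get("quarantined") is True else "high malware score"
    return f"Proofpoint malware detected ({reason}) from {event.get('senderDomain', 'unknown')}"


def alert_context(event: dict) -> dict:
    """Indicators the containment step needs: sender domain and IP to block."""
    return {
        "sender_domain": event.get("senderDomain"),  # assumed field name
        "sender_ip": event.get("senderIP"),          # assumed field name
        "malware_score": _score(event),
        "quarantined": event.get("quarantined"),
    }


# Constructed sample events (NOT real Proofpoint.Event records).
SAMPLE_EVENTS = [
    {"messageID": "m1", "quarantined": True, "malwareScore": 40,
     "senderDomain": "example.invalid", "senderIP": "192.0.2.10"},
    {"messageID": "m2", "quarantined": False, "malwareScore": 86,
     "senderDomain": "example.invalid", "senderIP": "192.0.2.11"},
    {"messageID": "m3", "quarantined": False, "malwareScore": 85,
     "senderDomain": "example.invalid", "senderIP": "192.0.2.12"},
    {"messageID": "m4", "quarantined": False, "malwareScore": "90",
     "senderDomain": "example.invalid", "senderIP": "192.0.2.13"},
    {"messageID": "m5", "quarantined": False,
     "senderDomain": "example.invalid", "senderIP": "192.0.2.14"},
]


def evaluate(events) -> list:
    """Run the rule over a batch and return the IDs of events that alert."""
    return [e["messageID"] for e in events if rule(e)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        if rule(event):
            print(title(event), alert_context(event))
    print("alerting:", evaluate(SAMPLE_EVENTS))
```

Note that a score of exactly 85 does not alert, matching the page's "exceeds" wording; if your team wants the boundary inclusive, change `>` to `>=` in `rule` and update the rule's tests to match.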
Categories
  • Cloud
  • Web
  • Endpoint
  • Infrastructure
Data Sources
  • Web Credential
  • Malware Repository
  • Application Log
  • Network Traffic
  • User Account
ATT&CK Techniques
  • T1566
  • T1204
Created: 2026-02-12