Proofpoint: URL Decoder

Updated 5 months ago by TruSTAR

This script decodes URLs from Proofpoint-scanned emails and appends them to Intelligence Reports so that they can be extracted and enriched by TruSTAR.

Proofpoint automatically rewrites all links in emails it scans to begin with When these emails are submitted to TruSTAR Enclaves, TRUSTAR cannot extract those URLs until they are decoded back to their original format.

Activating This Script

Contact your TruSTAR account manager and provide the following information:

  • Source Enclave ID(s)

Your account manager will then configure the script and then email you with confirmation that it has been enabled.

How It Works

  1. Searches the specified TruSTAR Enclave(s) for Intelligence Reports that have been added since the script was last run. The script runs every 15 minutes.
  2. Searches for urldefense URLs within those Reports and decodes them with the Proofpoint decoder utility.
  3. Appends those decoded URLs to the Report in a Decoded URLs section at the bottom of the Report.
  4. Updates the report in TruSTAR, which can now extract and enrich the decoded URLs same as any other Observable.

Any issues or questions about this script, contact

How Did We Do?