How does TAP’s Message Defense feature work for unknown attachments?

The correct answer is D. It detonates suspicious attachments in a sandbox to analyze their behavior . Proofpoint’s Targeted Attack Protection material explicitly says that unknown attachments are analysed and sandboxed . Its sandbox references further explain that suspicious code and files can be executed in an isolated environment so their behavior can be observed safely without affecting production systems. That is exactly what this question is describing.

This is one of the defining ideas behind advanced attachment defense. Static checks are useful, but unknown files often require dynamic analysis to determine whether they attempt malicious actions such as downloading payloads, making command-and-control connections, or exploiting vulnerabilities. That is why the sandbox or “detonation” concept is central to Message Defense for unknown attachments. The other options are incorrect because TAP does not restrict itself to PDFs, does not simply delete all external attachments by default, and does not rely only on a safelist decision to allow attachments through. Instead, it uses a deeper analysis path for suspicious unknown content. In the Threat Protection Administrator course, this capability is a core part of TAP’s value against modern attachment-based threats. Therefore, the verified answer is D