Typical text of the alert:
xx email provider entries at the user level
What the alert means:
It means you have a user in your organization that has trusted *@gmail.com or *@hotmail.com, any of the big "Free" Email providers.
As you may or may not know, most phishing will have a reply-to address or a from: address that goes to a throw-away mailbox created on a free email service.
If your user trusts [email protected], then it's much likelier that a phishing message will be allowed in.
If you need to clean the entry up, just click on the alert:
Click on "Go To Settings" and it will bring you to the proofpoint page containing the user's sender list and you can thus edit the sender list and remove the offending entry.
You can also bulk remove all the offending entries by going to VircomPortal and click on "Clean Safe Senders"