What is Malware Sandboxing for Email?

Malware sandboxing for email is now vital for email security. Suspicious files that pass AV checks are sent to the sandbox where they are safely detonated and subjected to behavioral analysis.

Email-based Cyberattacks are Increasing

Email is one of the most common initial access vectors used by cybercriminals. Initial access to victims’ networks is gained via two main methods: email attachments and embedded URLs. The first attack type involves emails with attachments that contain malicious code, such as macros. If the files are opened and the code is allowed to execute, it will trigger the download and execution of malware from a remote server, or in some cases, malware will be executed in the memory (fileless malware).

The other method, which is now more common since Microsoft started blocking macros in Office documents by default if they are received via the Internet, is for phishing emails to be sent that contain malicious URLs. These URLs may be added to the message body or be hidden inside documents. These URLs point to an Internet site that hosts malware which is silently downloaded when the link is visited or the user is tricked into installing the malware.

Businesses need to ensure they have adequate defenses to block email-based attacks. The first line of defense is an email security solution that will scan the message headers, message body, and attachments and perform reputation checks on the sender. Email security solutions use blacklists of malicious domains and IP addresses and will block messages from these domains and IPs if they have previously been used for phishing, scams, or malware distribution. Checks will be performed on URLs and the messages are searched for the signatures of spam and phishing content – words and phrases commonly used by threat actors. If these checks are failed, the messages will be quarantined.

To block malware, email security solutions scan email attachments using anti-virus engines, which search for the signatures of malware – specific parts of the malware code that have been identified in previous malware analyses. The anti-virus software is regularly updated, and new signatures are added when new malware variants are identified. While these scans will block all known malware if the signature for malware is not in the definition list, the file will not be classed as malicious, and the message will be delivered to the end user. Unfortunately, new malware variants are being released faster than ever before to get around signature-based detection. To block unknown malware another method is required – malware sandboxing for email.

Malware Sandboxing for Email

Advanced email security solutions include malware sandboxing for email. If an email attachment passes the standard checks and anti-virus scans, it is sent to a sandbox where the behavior of the file is analyzed. A sandbox is an isolated, secure environment where files can be opened and analyzed without risk. Any checks of the environment that are performed by malware when it is executed are often passed as the sandbox is created to look exactly like a real endpoint. Any actions performed by files when they are opened are analyzed in detail and if any checks fail, the file and email will be quarantined and all other copies of that email will be removed from the email system. These checks may take a few minutes to perform, so there will be a slight delay in delivering genuine emails.

SpamTitan, TitanHQ’s award-winning email security solution, includes a powerful next-gen sandbox that is powered by Bitdefender. The malware sandboxing service uses powerful emulation tools to ensure that files are inspected using real-time intelligence along with comprehensive detection techniques, which provide advanced threat protection and zero-day exploit detection. To avoid unnecessary email delivery delays, SpamTitan has strong machine learning, static analysis, and behavior detection technologies which ensure that only files that require further analysis get sent to the sandbox. If all sandbox checks are passed, the message will be delivered. If one or more checks are failed, the message will be quarantined, and the results passed to Bitdefender’s Global Protective Network. If that threat is encountered again, it will be recognized and will be quarantined immediately and will not need to get sent to the sandbox to be detonated again.

With SpamTitan malware sandboxing for email, businesses will be well protected against zero-day malware threats that would otherwise be delivered to inboxes. For more information give the TitanHQ team a call. SpamTitan with malware sandboxing for email is also available on a 14-day free trial.