What is Email Sandboxing?

Email sandboxing improves protection against spear phishing, advanced persistent threats (APTs), and emails that contain attachments with malicious code or malware. You could lose valuable email messages if you set filters to automatically delete suspicious messages. Hence, an email sandbox instead intercepts a suspicious message and stores it in a safe location. The sandbox is inaccessible to users, and the email message cannot affect the business network while it’s stored in the sandbox. Email sandboxing improves protection against spear phishing, advanced persistent threats (APTs), and emails containing malicious code or malware attachments. The sandboxed location is safe to store suspicious email messages until an administrator can review them. Any false positive messages can then be sent to their respective recipient inboxes. Genuine positive messages can be further investigated to determine if the business is the target of an email-based threat.

How Email Sandboxing Works in SpamTitan

If you’re looking for an anti-spam solution to protect your business from nuisance messages and potential malware, TitanHQs SpamTitan has several benefits and advanced technology that fits every industry. Administrators can deploy SpamTitan within minutes and immediately begin protecting their infrastructure and users from unwanted email messages.

How is Malware Delivered via Email?

Malware can be installed in several ways, but email is one of the most common attack vectors. In a phishing attack, an email is sent to an individual that includes an attachment containing malicious code, which, if executed, will result in the installation of malware. The attack could be a one-step process or a more advanced two-stage approach where the attachment contains code to download the final payload. Another strategy incorporates embedded links in an email message to direct users to an attacker-controlled website. If the malicious link is clicked, corporate users will be directed to a malicious site where they could be tricked into downloading malware or divulging their corporate network credentials.

Usually, in a two-stage attack redirecting users to an attacker-controlled site, the website looks similar to a familiar business. For example, the website could look like a Google product to trick users into trusting the download. Installation of the executable could create backdoors for additional malware attacks, leave the user’s machine open to remote control, run data eavesdropping software in the background of the machine to send to cyber-criminals, and many other compromises that could be devastating to the business.

How Does an Email Sandbox Block Malware?

Email security solutions employ a variety of triggers for detecting threats and blocking them from accessing user inboxes. For instance, it’s common for threat intelligence agencies to aggregate server IP addresses known for sending malicious email messages. Email security software keeps an updated record of malicious email server IP addresses and uses the blocklist to automatically sandbox any messages sent from one of these email servers. The IP address of a sender’s email server is stored in message headers, so it’s a part of a message’s data.

Another strategy is to scan attachments and messages as the recipient’s email server receives them. Email security installed on email servers uses antivirus applications to monitor message content and attachments, adding another protection layer for businesses. If antivirus software detects a potential threat in an email message, the message is sent to the email security system’s sandbox. In the sandbox, the attachment cannot affect the business environment, and administrators can review the threat to understand the attacker’s goal and strategy.

Antivirus scans are beneficial if the email content contains a known threat. However, threat authors continually revise their malware programs to bypass antivirus detection. Antivirus software detects threats based on a signature. When an author revises their code, the signature changes and doesn’t match the previous code’s signature. An antivirus program scanning email attachments helps stop known threats but cannot identify new malware or zero-day threats.

Antivirus does not detect new unseen threats in the wild, and malware authors create variants of their software. The slight changes bypass antivirus detection and avoid detection from some monitoring systems. Businesses must then defend against dozens of variants that act similarly to previous threats, but code changes make them undetectable in older ineffective cybersecurity infrastructure.

Advanced technology included in SpamTitan uses more effective strategies for identifying malicious attachments. Artificial intelligence (AI) in SpamTitan identifies zero-day threats and uses various models to detect a threat rather than rely on a database of malware signatures. Blocking known malicious email servers’ IP addresses, are also incorporated.

What is Email Sandboxing?

Email sandboxing is a security feature that helps to identify and block these new email-based threats. Any unseen exploits in the wild are called zero-day threats or zero-hour threats. Zero-day threats get their name from old antivirus companies for having no signatures until they’re analyzed. With AI-driven email security, zero-day threats are identified using numerous triggers and data contained within messages, including their headers.

After email security identifies a threat, it must send messages to a safe location. The sandbox is a segmented storage location where malware cannot reach the internal network. Malware can be stored without affecting the internal network, and administrators can review it without affecting their devices. Security analysts use these sandboxed executables to research zero-day threats and identify their attack mode.

Included with the SpamTitan sandbox is machine learning automation to perform behavioral analysis. The analysis can determine how sandboxed malware behaves so that the research can be reported to others to help stop any critical global downtime from sophisticated ransomware or other malicious activity. All machine learning and analysis are done in the sandbox so that malicious messages do not affect the business environment.

Executable files aren’t the only content analyzed in a SpamTitan sandbox. Other file types can also contain malicious code, including scripts or Microsoft documents. Microsoft documents allow users to write Visual Basic code in macros. These macros can connect to the internet and download malware with additional payloads. Microsoft Word and Excel are commonly used to trick users into opening email attachments and running macros. The macros download ransomware and install the malware on the local user’s machine. A sandbox system protects users from these files and their macros, and machine learning scans help security researchers identify the payload and malicious code.

The quarantined section of an email server avoids data loss after a false positive. False positives are incorrectly flagged messages. A sender might forward a message containing a link to a questionable site, and this site might be legitimate. If the email security system automatically deletes the message, it never reaches the recipient’s inbox. Unseen important messages incorrectly flagged and deleted could cause severe communication issues between businesses and customers.

Quarantining messages gives security researchers more time to understand an ongoing attack and build tools to stop them. Some sophisticated attacks, including ransomware, use email as their delivery method. In a sandboxed quarantine, researchers can review delivery methods and payloads to gain insight into the malware’s goals and potentially identify the author. Usually, sophisticated attacks involve multiple cyber-criminals working in groups to target businesses and governments.

Using a sandbox protects users from malware but avoids deleting data in case of false positives. It’s two of the most important benefits of email security. Also, email filters like SpamTitan can stop nuisance messages from taking up expensive storage space on the network. Storage costs money, and spam messages can quickly fill up storage space. Nuisance messages fill up a sandbox, but they can then be deleted to restore storage capacity for legitimate messages.

The Benefits of Email Sandboxing

Protecting employees from malicious email messages is just one apparent benefit of email filters, but adding a layer of security to your digital communications has several other unapparent benefits. Email filtering software benefits the business but can also help email administrators, security professionals, and other staff members responsible for protecting corporate data and business infrastructure.

A few other benefits of an email sandbox include:

  • Early detection of advanced attacks, prevention of data breaches, and reducing incident response costs and investigations.
  • Reduction of threat-hunting activities to find the latest cyber-criminal activity and zero-day malware.
  • Prevention of server and endpoint operating systems from being exposed to email-based threats.
  • Ease of integration with your operating system environment using cloud implementations.
  • Automatically stop threats before they execute on the business environment, including advanced persistent threats, targeted phishing attacks, malware evasion strategies, obfuscated executables, malware variants, customized malicious code, and ransomware.
  • Continuous protection using artificial intelligence and machine learning against evolving advanced persistent threats.
  • Cost savings from removal of spam and other nuisance messages that exhaust storage capacity unnecessarily.
  • Cloud-based solutions make integrating an email sandbox into your email processes easy without making extensive changes to infrastructure configurations.
  • Defend against threats that could compromise business assets and cause critical data breaches.
  • Stay compliant with the latest regulations and avoid hefty fines for violations.

Every midsize to enterprise business gets thousands of targeted messages towards employees. Employees are a company’s weakest link, and phishing messages are incredibly effective. Having a sandbox environment benefits your security strategies two-fold: it protects your users from being a point of weakness in cyber defenses and gives your security people a way to evaluate an attack to prepare and notify users.

Not every email filtering solution has a sandbox, but SpamTitan includes a sandbox to help security researchers better understand ongoing attacks. The artificial intelligence and machine learning included with the SpamTitan products also speed up identification of attacks, especially if other researchers have yet to see a particular attack strategy or exploit in the wild.

It’s important to note that a good security strategy is built in layers. Email filtering solutions are just one layer. A sandbox environment included with an email filtering solution is another layer and an added benefit. Every organization should maintain additional security infrastructure on the network environment, including antivirus and antimalware as a failsafe, monitoring software to detect any suspicious network activity, and intrusion prevention to stop malicious activity on the network automatically. The sandbox environment included with SpamTitan is a complementary feature in email filtering security.

Security awareness training should also be included in your strategies. Should a malicious email bypass email security and filters, the security awareness training should allow employees to detect phishing and social engineering. Having several layers and security awareness training makes it much more difficult for cyber-criminals to compromise business systems and steal data.

SpamTitan Email Sandboxing

Only some email filtering solutions are built the same, and your choice for your email security should fit your business requirements. SpamTitan is more than a simple email filtering software. It’s an extensive suite of advanced email security features built by TitanHQ engineers for businesses that need better research and protection from zero-day threats. The sandbox also works on current threats; researchers can review them for any variants.

With the SpamTitan suite of products, businesses get advanced email security features, including a gateway where administrators can connect existing infrastructure. The gateway is a virtual appliance that connects your current email on-premises or cloud infrastructure to the SpamTitan email filtering software. Included with SpamTitan is an antivirus scanner that analyzes all email attachments as they flow to your employee inboxes. The SpamTitan antivirus scanner detects malicious malware or macros embedded into malicious documents.

The Bitdefender-powered sandbox scans and analyzes incoming email messages, and the integrated artificial intelligence can identify any zero-day threats. Since SpamTitan is cloud-based, the sandbox also sits in the cloud so that you do not have malicious code or documents on your network where it can be accidentally executed. The behavioral analysis helps security researchers or onsite staff determine the exact threat and potential motivation for targeted phishing, malware, and social engineering attacks. Sandboxing features let these security researchers and staff safely review threats without harming the business network environment.

When SpamTitan detects a threat, it immediately quarantines the email message and its attachments. Quarantined messages are sent to Bitdefender Global Protective Network cloud threat intelligence services. Threat intelligence services help businesses identify new threats, and security researchers pool their discoveries together so that zero-day threats are more quickly detected and cyber-defenses built to stop them.

Several large security groups and technology companies contribute to threat intelligence. The collaboration helps smaller businesses with no onsite security staff or researchers. Research collected from threat intelligence contributes to updates across all cybersecurity fields, and SpamTitan incorporates new research intelligence into its updates to stop the latest identified threats. The Bitdefender threat intelligence network consists of over 650 million endpoints worldwide, so the SpamTitan software leverages the work of numerous researchers around the globe.

Using artificial intelligence and threat research, the SpamTitan system automatically blocks any messages with the same threat. Messages with known threats bypass the sandbox environment, and SpamTitan blocks the message from reaching the intended recipient’s inbox.

If a malicious email is detected, it will be quarantined, and the threat information will be sent to the Bitdefender Global Protective Network cloud threat intelligence service. That means all other endpoints connected to the Bitdefender Global Protective Network will be protected. If the file or link is reencountered, it will not need to be passed through the email sandboxing feature again, as the message will be automatically blocked. The threat intelligence network consists of more than 650 million endpoints worldwide, which is why SpamTitan email sandboxing achieves the highest detection rates.

Try SpamTitan Email Security with Sandboxing Free of Charge

You need an email security solution with email sandboxing to improve email security. To learn how easy SpamTitan is to set up and use to protect your email environment better, we invite you to try the solution for 30 days on a no-obligation, 100% free trial.

How Email Sandboxing Works in SpamTitan

Using a more aggressive pre-filter than the regular AV engine, Bitdefender Antivirus determines if an email attachment should or should not be sent to the sandbox. If the engine recommends an attachment be sent to the sandbox, the following occurs:

If the email would not otherwise have been blocked by any other means, SpamTitan uploads the attachment to the sandbox, where it is assigned a job identifier.

SpamTitan queries the sandbox every fifteen seconds (for up to twenty minutes) to see if the job is complete. During this period, the message delivery status in History is ‘Sent to Sandbox.’

If no result is returned after twenty minutes, the file is marked as clean, and the email is passed.

If the sandbox returns that the attachment contains malware, the email is blocked as a virus with the virus name assigned as ATP.Sandbox. The message will be listed under Viruses in the relevant Quarantine report.

You can view emails that have been sandboxed by filtering them in History. Go to Reporting > History > Mail Filters and check ‘Sandboxed.’

If a message blocked as spam is released and originally marked as ‘Sent to Sandbox’, SpamTitan will re-scan the message against the Bitdefender Antivirus engine upon release. This may result in the message getting blocked or being sent to the sandbox.


What is the email sandboxing process?

The email sandboxing process is when an email arrives at an organization’s email server, an email filter for known malicious content first scans it. If the email filter finds no malicious content, the email is then sent to a sandbox for further analysis. The sandbox analyzes the email for malicious content using file scanning, behavior analysis, and machine learning techniques. If a threat is found, the email is quarantined, and an email is sent to system administrators.

What are the benefits of email sandboxing?

The benefits of email sandboxing include protection from malicious content, improved email filtering accuracy, a reduced number of false positives, and a reduced risk of data breaches. It is also essential to be aware that SpamTitan supports “time-of-click” analysis so that if a link in an email passes the sandboxing tests but is later weaponized, the SpamTitan web filter will prevent the user from accessing the malicious website.

What are the best practices for effective email sandboxing?

The best practices for effective email sandboxing include:

  • Deploying an email filter supplied by a reputable provider.
  • Configuring the sandboxing capability to meet the specific needs of the organization.
  • Monitoring the capability’s output for false negatives and false positives.
  • Educating the workforce to report email-borne threats that evade detection by the sandboxing capacity.

Are there any disadvantages of email sandboxing?

There are disadvantages of email sandboxing – the primary one being that the delivery of legitimate emails can be delayed due to the inspection process. While this consideration can be overcome by allowlisting emails from trusted sources (so they bypass the inspection process), this solution does not scale well because trusted sources’ email accounts can be compromised.

Another disadvantage is that email sandboxing can provide a false sense of security. If users believe every email goes through the sandbox process, they may need to be more diligent about how they interact with emails. SpamTitan knows this risk and includes “time-of-click” URL analysis among its robust security features.

How does sandboxing improve an organization’s email security strategy?

Sandboxing improves an organization’s email security strategy by providing an additional defense against previously unknown and emerging threats that may evade traditional security measures. Email sandboxing reduces the risk of successful attacks by isolating potentially malicious content, and, by investigating the content of the email, organizations get valuable insights into the behavior and characteristics of the malicious content – aiding in threat intelligence and future prevention efforts.