What is Email Sandboxing?

Email sandboxing improves protection against spear phishing, advanced persistent threats (APTs), and emails that contain attachments with malicious code or malware. Here we explain what email sandboxing is, why a sandbox for email is now vital, and how you can implement email sandboxing to better secure your business against email-based cyberattacks.

How is Malware Delivered via Email?

Malware can be installed in several ways, but email is one of the most common attack vectors. An email is sent to an individual that includes an attachment that has malicious code which, if executed, will result in the installation of malware. That could be in a one-step process, or more commonly, in multiple stages. Alternatively, a hyperlink could be included in the message body or within an attachment. If that link is clicked, the user will be directed to a malicious site where a malicious file is downloaded.  Social engineering techniques are used in the emails to trick recipients into taking that action that will result in a malware infection.

How does an Email Sandbox Block Malware?

Email security solutions employ a variety of mechanisms for identifying and blocking malicious emails. For instance, they include constantly updated blacklists of IP addresses that have previously been identified as being used to send malicious emails. Scans are conducted of the message header and message body to identify data associated with malicious emails; however, the main method that is used to identify malware in emails is an anti-virus engine. Email attachments are scanned using these AV engines, which are very effective at identifying and blocking malware.

The problem with AV engines is they are based on malware signatures. When malware is identified, its signature is loaded into the definition lists of AV engines which allows that malware to be detected. That means AV engines are effective at blocking known malware, but not variants of malware that have not previously been found, analyzed, and have a known signature. While new malware variants used to be released slowly, today, huge numbers of variants of the same malware are released to evade signature-based detection mechanisms. Dozens of variants of each malware are released daily, and while AV engines are updated constantly, there is a lag between a new malware variant being released and its signature being included in the malware definition lists.

What is Email Sandboxing?

Email sandboxing is a security feature that helps to identify and block these new threats, often referred to as zero-day or zero-hour threats. They are thus called because they are threats that have not been seen before and do match any known malware signatures. Sandboxing is needed to block these threats. A sandbox is an isolated test environment where files can be safely opened without causing any damage. The sandbox is a secure environment that mirrors a standard endpoint, so as far as the attackers are concerned, their malware has been executed on a normal computer and the standard infection routine will proceed.

Email Sandboxing




The sandbox includes machine learning and behavioral analysis technologies and emulation tools that assess all actions taken by any file that is opened in the sandbox. If the file is benign, such as a Microsoft Word document without any malicious code, the file will pass the checks and the email, along with its attachment, will be delivered to the recipient’s inbox. If malicious code is identified, the message will be rejected, quarantined, or deleted. The same applies to emails with hyperlinks. Within the sandbox, those hyperlinks are followed and tested. Any files downloaded as a result of clicking the link will also be analyzed in the sandbox.

Quarantining messages rather than rejecting or deleting them is useful as there is a risk of false positives, where benign attachments are mistakenly classified as malicious. Security teams can manually check the messages in the quarantine folder and can release them if they are benign. They can also conduct further investigations of malicious emails.

The threat landscape is constantly changing, and new malware is being released at a considerable rate. Email sandboxing greatly increases the detection rate of elusive threats at the pre-execution stage, including APTs, targeted attacks, evasion techniques, obfuscated malware, custom malware, and ransomware, and is a vital component of email security solutions, although not all email security solutions include a sandbox.

The Benefits of Email Sandboxing

Email Sandbox has a number of advantages:

  • It detects advanced attacks early and prevents breaches, reducing incident response costs and efforts
  • It reduces threat-hunting burden – sandboxing prevents your operating systems from being exposed to potential threats.
  • There is no conflict between the sandboxing environment and your operating system
  • It greatly increases the detection rate of elusive threats in the pre-execution stage, including APTs, targeted attacks, evasion techniques, obfuscated malware, custom malware, and ransomware
  • It ensures continuous protection and maximum performance against rapidly evolving advanced threats.
  • If you have existing email filtering solutions in place, sandboxing functions as a complementary solution – providing you with even more added protection.

SpamTitan Email Sandboxing

SpamTitan is a suite of advanced email security solutions from TitanHQ that includes a gateway email security solution that is delivered as a virtual appliance for installation on existing hardware, or as a cloud-based service with multiple hosting options. SpamTitan products include dual antivirus engines for detecting known malware threats and a next-generation Bitdefender-powered sandbox for detecting zero-hour threats. The sandbox includes award-winning machine learning and behavioral analysis technologies and emulation tools for safely detonating attachments where they can cause no harm.

All emails pass through SpamTitan where they are subjected to a series of checks using TitanHQ’s award-winning anti-malware technologies. SpamTitan includes strong machine learning, static analysis, and behavior detection technologies, and the checks are conducted quickly so as not to delay the delivery of genuine emails. Any email that passes the email filtering mechanisms that is found to contain a suspicious link or attachment is directed to the sandbox for in-depth analysis.

If a malicious email is detected, it will be quarantined, and the threat information will be sent to the Bitdefender Global Protective Network cloud threat intelligence service. That means all other endpoints connected to the Bitdefender Global Protective Network will be protected. If the file or link is encountered again, it will not need to be passed through the email sandboxing feature again as the message will be automatically blocked. The threat intelligence network consists of more than 650 million endpoints worldwide, which is part of the reason why SpamTitan email sandboxing achieves the highest detection rates.

Try SpamTitan Email Security with Sandboxing Free of Charge

If you want to improve email security, you need an email security solution with email sandboxing. To find out for yourself how easy SpamTitan is to set up and use to better protect your email environment, we invite you to try the solution for 30-days on a no-obligation 100% free trial.

How Email Sandboxing works in SpamTitan


What is the email sandboxing process?

The email sandboxing process is, when an email arrives at an organization’s email server, it is first scanned by an email filter for known malicious content. If the email filter does not find any malicious content, the email is then sent to a sandbox for further analysis. The sandbox analyzes the email for malicious content using techniques such as file scanning, behavior analysis, and machine learning. If a threat is found, the email is quarantined and an email sent to system administrators.

What are the benefits of email sandboxing?

The benefits of email sandboxing include protection from malicious content, improved accuracy of email filtering, a reduced number of false positives, and a reduced risk of data breaches. It is also important to be aware that SpamTitan supports “time-of-click” analysis so that, if a link in an email passes the sandboxing tests, but is later weaponized, the SpamTitan web filter will prevent the user accessing the malicious website.

What are the best practices for effective email sandboxing?

The best practices for effective email sandboxing include deploying an email filter supplied by a reputable provider, configuring the sandboxing capability to meet the specific needs of the organization, monitoring the capability’s output for false negatives and false positives, and educating the workforce to report email-borne threats that evade detection by the sandboxing capability.

Are there any disadvantages of email sandboxing?

There are disadvantages of email sandboxing – the primary one being that the delivery of legitimate emails can be delayed due to the inspection process. While this consideration can be overcome by whitelisting emails from trusted sources (so they bypass the inspection process), this solution does not scale well because trusted sources’ email accounts can be compromised.

Another disadvantage is that email sandboxing can provide a false sense of security. If users believe every email is going through the sandbox process, they may not be so diligent about how they interact with emails. SpamTitan is aware of this risk and includes “time-of-click” URL analysis among its robust security features.

How does sandboxing improve an organization’s email security strategy?

Sandboxing improves an organization’s email security strategy by providing an additional layer of defense against previously unknown and emerging threats that may evade traditional security measures. Email sandboxing reduces the risk of successful attacks by isolating potentially malicious content; and, by investigating the content of the email, organizations get valuable insights into the behavior and characteristics of the malicious content – aiding in threat intelligence and future prevention efforts.