Set up rules to detect harmful attachments

Gmail Security Sandbox

Supported editions for this feature: Business Standard and Business Plus; Enterprise Standard and Enterprise Plus. Compare your edition

Antivirus applications or tools can sometimes miss email attachments containing malicious software or files. Gmail can help identify these attachments by scanning them in a virtual environment called Security Sandbox. Security Sandbox scans files directly attached to messages and files inside archive attachments, for example zip or rar files. Supported attachment types in Security Sandbox include Microsoft executables (.exe), Microsoft Office, and PDF. 

Note: Security Sandbox scanning can delay message delivery by up to 3 minutes, although scans might be completed in less time.

Security Sandbox lets you create rules to specify which attachments are scanned. For example, you can scan attachments that contain words that you specify, that come from certain senders, or that are sent from outside or from within domains that you specify.

Messages with suspicious attachments sent to spam

When Security Sandbox identifies a message with suspicious or malicious attachments, the message is automatically sent to the recipient's spam folder. Google saves information about the attachment to improve security in other Google products.

Optionally, you can quarantine harmful software attachments detected by Security Sandbox instead. Create a content compliance rule with the spam metadata attribute.

The default setting for Security Sandbox is Off.

Security Sandbox setting options

Scan all attachments
 

As an administrator, you can set up Gmail to scan all email attachments in Security Sandbox. This setting is off by default.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenGoogle Workspaceand thenGmailand thenSpam, Phishing and Malware.
  3. Select the organizational unit you want to configure settings for. If you want to configure settings for everyone, select the top-level unit. Or, select one of the child organizational units.
  4. Scroll to Security sandbox in the Spam, Phishing, and Malware section. Security Sandbox rules are at the bottom of this section.
  5. To scan all attachments, check the Enable virtual execution of attachments in a sandbox environment... box.

    Note: When this box is checked, all attachments are scanned in the Security Sandbox, even if you set up specific sandbox rules.

  6. At the bottom of the page, click Save

Changes can take up to 24 hours but typically happen more quickly. Learn more

Scan attachments based on rules you create (all rules options)

Add rules to specify which messages are scanned.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Appsand thenGoogle Workspaceand thenGmailand thenSpam, Phishing and Malware.
  3. Select the organizational unit you want to configure settings for. If you want to configure settings for everyone, select the top-level unit. Or, select one of the child organizational units.
  4. In the Spam, Phishing and Malware section, under Security Sandbox, clear the Enable virtual execution of attachments in a sandbox... box. When this box is cleared, attachments are scanned in the sandbox only if they match sandbox rules.

  5. Point to Security sandbox rules at the bottom of the Spam, Phishing and Malware section, then click Configure.

  6. In the Add setting box, under Security sandbox rules, enter a name for the rule. This name appears on the settings page.

  7. In the Email messages to affect section, check the boxes next to message types:

    • Inbound—Messages sent to your organization from external domains.

    • Internal - receiving—Messages sent and received within your organization's domains and subdomains. 

      A domain is internal if it is a verified workspace domain, or a subdomain or parent domain of a verified workspace domain.

  8. In the Add expressions that describe the content you want to search for in each message section:

    1. Select whether you want to match any or all expressions. For example, if you select If ANY of the following match the message, any matching condition triggers an attachment scan in Security Sandbox.

    2. In the Expressions box, click Add.

    3. From the list, choose what you want to specify for the expression, then click Save.

      • Simple content match—Match the content you specify. Simple content matching works like the search function in Gmail. For example, if you search for purchase order, any string with the words purchase and order is returned. Learn more about Gmail search operators.

      • Advanced content match—Select the Location of the text within the message and the Match type, and enter the content to search. Unlike simple content match, the string must be an exact match. The tables below have a description of each location within the message, and the match types. Learn more about Options for Advance content matching.

      • Metadata match—Select the attribute to match and the Match type. If needed, enter the Match value. Refer to the table below for a description of metadata attributes and match types. Learn more about Metadata attributes and match types.

      • Predefined content match—Select one of the predefined content detectors. For example, select Credit Card Number or Social Security Number. Optionally, you can set the number of times the detector must appear in a message to trigger the action you define. You can also trigger a scan when the detector in the message meets a confidence threshold. Note: This feature isn't available with all editions. Go to Scan your email traffic using data loss prevention to learn more.

      Options for Advanced content matching

      • Location—The section of the email message where the content appears. 

        Location type Description
        Headers + Body The full headers plus the body. Includes attachments (MIME parts decoded).
        Full headers All header fields. Doesn't include the message body or attachments.
        Body The main text portion of the email message. Includes attachments (MIME parts encoded).
        Subject The subject of the message as present in the email header.
        Sender header

        The sender's email address as reported in the From: header. It can differ from the sender reported in the Envelope sender.

        The sender header consists of the email address, located within the angle brackets, and doesn't include the account owner's name.

        For example, consider:

        From: Jane Doe <[email protected]>

        The sender header is [email protected].

        Note: The left side of @gmail.com and @googlemail.com addresses is converted to the canonical representation. For example, [email protected] is converted to [email protected].

        Recipients header

        The recipient or recipients as reported in the email headers, To:, Cc:, and Bcc:. This can be different from the recipients reported in Any envelope recipient.

        This compares only one recipient at a time. If there are 2 or more recipients, the advanced content rule doesn't match against all recipients in one string. To set up a rule for messages sent to multiple users, use Full headers.

        The recipient header consists of the email address, located within the angle brackets, and does not include the account owner's name.

        For example, consider:

        To: Jane Doe <[email protected]>
        Cc: John Doe <[email protected]>
        Bcc: John Smith <[email protected]>

        The recipient headers are [email protected], [email protected], and [email protected].

        Envelope sender The original sender that was reported during the SMTP communication request. It can be different from the sender reported in the Sender header. It often, but not always, matches the address found in the “Return-path” header.
        Any envelope recipient

        The recipient or recipients that were reported during the SMTP communication request. These can be different from the recipients reported in the Recipient header. This can include individuals added as part of a group expansion.

        This compares only one recipient at a time. If there are 2 or more recipients, the advanced content rule doesn't match against all recipients in one string.

        Raw message The full headers plus the body, including all attachments and other MIME parts of the message. MIME parts aren't decoded.
      • Match type—The parameters used to determine a match.
         
        Match type Description

        Starts with

        Searches the selected location for content that starts with the specified character or string.

        Ends with

        Searches the selected location for content that ends with the specified character or string.

        Contains text

        Searches the selected location for content that has the specified string.

        Not contains text

        Searches the selected location for content that doesn’t havee the specified string.

        Equals

        Searches the selected location for content that exactly matches the specified string.

        Is empty

        Searches the selected location for content that is empty.

        Matches regex

        Searches the selected location for content that matches the specified regular expression.

        Not matches regex

        Searches the selected location for content that doesn't match the specified regular expression.

        Matches any word

        Searches the selected location for content that matches any word in the specified list of words.

        Matches all words

        Searches the selected location for content that matches all words in the specified list of words.

      • Content—The text to be matched.

      Metadata attributes and match types

      Attribute Match type Description

      Message authentication

      • Message is authenticated
      • Message isn't authenticated

      Select this option to include messages that are or aren't authenticated in your compliance expression. This option conforms to the DMARC standard. Messages are authenticated if they pass either SPF or DKIM. If messages don't pass one of these authentication checks, the message is considered unauthenticated. Read more about SPF, DKIM, and DMARC.

      Source IP

      • Is within the following range

      • Is not within the following range

      Select this option to include messages that do or don't fall within the specified IP range in your compliance expression.

      Secure transport (TLS)

      • Connection is TLS encrypted

      • Connection is not TLS encrypted

      Select this option to include received messages that are or aren't TLS-encrypted in your compliance expression.

      Message size
      • Is greater than the following (MB)
      • Is less than the following (MB)

      Select this option to include messages greater or less than the specified size in your compliance expression. Enter the message size in MB in the field.

      The size is the raw size of the entire message, which can be up to 33% larger than the original size of the message and attachments. This is because of standard encoding overhead.

      S/MIME encryption

      • Message is S/MIME encrypted

      • Message is not S/MIME encrypted

      Select this option to include messages that are or aren’t S/MIME encrypted.

      Supported editions for this feature: Enterprise Plus; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education PlusCompare your edition

      S/MIME signed

      • Message is S/MIME signed

        • Message is not S/MIME signed

      Select this option to include messages that are or aren’t S/MIME signed.

      Supported editions for this feature: Enterprise Plus; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education PlusCompare your edition

      Gmail confidential mode
      • Message is in Gmail confidential mode
      • Message is not in Gmail confidential mode
      Select this option to include messages that are or aren't Gmail confidential mode messages.
  9. Verify that Run security sandbox appears as the action when expressions match. Matching conditions always trigger the action to scan attachments in Security Sandbox (Run Security sandbox).
  10. If your settings are complete, click Add Setting or Save, then click Save at the bottom of the Gmail Advanced settings page. Or, go to these settings:
Scan attachments from specific address lists

You can specify address lists as criteria for scanning. Address lists include email addresses, domains, or both.

To determine if a rule applies to an address list, this rule uses the "from" sender for received mail and the recipients for sent mail valuesFor senders, the authentication requirement is also checked. If multiple lists are specified, an address must match at least one of the lists for a rule to apply.

  1. Open the Add or Edit setting box by following the steps in Scan attachments if messages match specified rules
  2. Click Show options
  3. In the Options section, check the Use address lists to bypass or control application of this setting box.

  4. Select an option:

    • Bypass this setting for specific addresses / domains—Skips the rule if the address list matches, regardless of any other criteria specified in the rule.

    • Only apply this setting for specific addresses / domains—The address list match becomes a condition for whether the rule applies. If there are other criteria in the rule (match expressions, account types, or envelope filters), those conditions must also match for the rule to apply.

  5. Next to No lists used yet, click Use existing or create a new one.

  6. In the Available lists box, do one of the following:

    • Select the name of an existing list, then click Use.

    • Enter a name for a new list in the Create new list field, then click Create.

  7. To add email addresses or domains to the list:
    1. Point to the list name, then click Edit.
    2. Add email addresses or domains to the list, click Add.
    3. Enter a full email address or domain name, such as solarmora.com. To add multiple addresses, separate each address with a comma or a space.
    4. Check the Do not require sender authentication box to bypass the rule for approved senders that don't have authentication set up. Use this option with caution as it can potentially lead to spoofing.
    5. Click Save.
  8. If your settings are complete, click Add Setting at the bottom of the box, then click Save at the bottom of the Gmail Advanced settings page. Otherwise, go to Account types to affect.

Scan attachments from specific account types

You can specify messages from certain account types for scanning. By default, the Users account type is selected, but you can specifiy more than one account type. If you’re setting up an outbound setting, the account type must match the sender's type.

  1. Open the Add or Edit setting box by following the steps in Scan attachments if messages match specified rules
  2. Click Show options
  3. In the Options section, select your settings for Account types to affect:
    • Users
    • Unrecognized/Catch-all
  4. If your changes are complete, click Add setting or Save, then click Save at the bottom of the Gmail Advanced settings page. Otherwise, go to Specify an envelope filter.
Scan attachments from specific senders, recipients, and groups

You can specify email envelope information as criteria for scanning. Email envelope information includes sender and recipient email addresses.

  1. Open the Add or Edit setting box by following the steps in Scan attachments if messages match specified rules
  2. Click Show options
  3. In the Options section, select your settings for Envelope filter: Check the Only affect specific envelope senders box, the Only affect specific envelope recipients box, or both.
  4. Select an option:
    • Single email address—Specify a single user by entering one email address. It needs to be the complete email address and include @ and the domain name. The match is case insensitive.

    • Pattern match—Enter a regular expression to specify a set of senders or recipients in your domain. Click Test expression to make sure your syntax is correct. For example, apply this setting to 3 specific users only by entering the list of users with this regular expression syntax:

      ^(?i)(user1@solarmora\.com|user2@solarmora\.com|user3@solarmora\.com)$

      In the expression:

      • ^ matches the start of a new line.
      • (?i) makes the expression case insensitive.
      • $ matches the end of a line.

      Learn about using regular expressions.

    • Group membership—Select one or more groups in the list. For envelope senders, this option only applies to sent email. For envelope recipients, it only applies to received email. If you haven't, you'll need to create the group first.

  5. Click Add setting or Save at the bottom of the box, then click Save at the bottom of the Gmail Advanced settings page. 

    Attachments are scanned according to the specified rules.

Changes can take up to 24 hours but typically happen more quickly. Learn more

Reports and compatibility with other email scans

Get malicious attachment reports

The Spam filter - Malware report shows the number of malicious attachments identified. It also lists any messages that have been identified as malicious. The report does not show the number of attachments scanned. This report is available in the Google Workspace security dashboard

Security Sandbox and other scans

Security Sandbox scans run independently of other compliance and pre-delivery scans. For example, your content compliance scans might search for personal information such as credit card numbers. Attachment compliance scans might block attachments of a specific type or size. Gmail runs compliance and pre-delivery scans separately from Security Sandbox scans. 

Security Sandbox doesn't scan email attachments blocked by compliance rules or pre-delivery scans.

For more information, go to:

Related information

Best practices for faster rules testing


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Main menu
14522378632704820786
true
Search Help Center
true
true
true
true
true
73010
false
false