Set up rules to detect harmful attachments

Security Sandbox

This feature is only available with G Suite Enterprise and G Suite Enterprise for Education.

Email attachments can contain malicious software that might be missed by traditional antivirus programs. To identify these threats, Gmail can scan or run attachments in a virtual environment called Security Sandbox. Attachments identified as threats can be placed in users' Spam folders or quarantined.

As an administrator, you can set up Gmail to scan all supported attachment types in Security Sandbox. Or, you can specify rules for attachment scanning. You can also set up content compliance rules to manage malicious attachments.

File types that are scanned in Security Sandbox include Microsoft Windows executable files, Microsoft Office files, and PDF files.

About Security sandbox rules and other scans

You can create rules that specify which attachments are scanned in Security Sandbox. For example, you might create rules that scan attachments only if the email messages:

  • Contain specific content, for example the word invoice
  • Come from specified users
  • Are sent from outside a specified domain
  • Have envelope addresses that match specific patterns

How Security Sandbox scans work with other scans

Security Sandbox scans run independently of other compliance and pre-delivery scans. For example, your content compliance scans might look for personal information such as credit card numbers. Or attachment compliance scans might block attachments of a specific type or size. Gmail runs those compliance and pre-delivery scans regardless of any Security Sandbox scans. 

Note: Email attachments that are blocked by compliance rules and pre-delivery scans aren't scanned by Security Sandbox.  

For more information, see:

Message delay

Scanning attachments in Security Sandbox might delay the delivery of some messages by up to 3 minutes. This is the maximum time it takes to scan an attachment and determine whether it's harmful. Some scans complete more quickly.

Find Security Sandbox settings
  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps > G Suite > Gmail > Advanced settings.

    Tip: To see Advanced settings, scroll to the bottom of the Gmail page.

  3. On the General settings tab, select an organization or suborganization.
  4. Scroll to Security Sandbox in the Spam, Phishing and Malware section. Security Sandbox rules appear at the bottom of this section.

Scan all attachments in Security Sandbox

As an administrator, you can set up Gmail to scan all email attachments, including those sent from inside your domain and from external domains. 

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps > G Suite > Gmail > Advanced settings.

    Tip: To see Advanced settings, scroll to the bottom of the Gmail page.

  3. On the General settings tab, select your top-level organization or an organizational unit (OU):
    • Sandbox settings at the top-level organization apply to all OUs.
    • Sandbox settings at the OU level take precedence over top-level organization settings.
  4. Scroll to Security sandbox in the Spam, Phishing, and Malware section. Security Sandbox rules appear at the bottom of this section.
  5. To scan all attachments, check the Enable virtual execution of attachments in a sandbox environment... box.

    Note: When this box is checked, all attachments are scanned in the Security Sandbox, regardless of any sandbox rules specified.
     
  6. At the bottom of the page, click Save.

    Note: It can take up to an hour for changes to take effect.

Scan attachments only if messages match specific rules

The rules you specify are used to identify the email messages whose attachments will be scanned.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps > G Suite > Gmail > Advanced settings.

    Tip: To see Advanced settings, scroll to the bottom of the Gmail page.

  3. On the General settings tab, select your top-level organization. Security Sandbox settings are available at the top-level organization only, and they apply to all sub-organizations.
  4. In the Spam, Phishing and Malware section, under Security Sandbox, clear the Enable virtual execution of attachments in a sandbox... box. When this box is cleared, attachments are scanned in the sandbox only if they match sandbox rules.

  5. Point to Security sandbox rules at the bottom of the Spam, Phishing and Malware section, then click Configure.

  6. In the Add setting box, under Security sandbox rules, enter a name for the rule. This name appears on the settings page.

  7. In the Email messages to affect section, check the boxes next to message types:

    • Inbound—Messages sent to your organization from external domains.

    • Internal - receiving—Messages sent and received within your organization's domains and subdomains. 

  8. In the Add expressions that describe the content you want to search for in each message section:

    1. Select whether you want to match any or all expressions. For example, if you select If ANY of the following match the message, any matching condition triggers an attachment scan in Security Sandbox.

    2. In the Expressions box, click Add.

    3. From the list, choose what you want to specify for the expression, then click Save.

      • Simple content match—Match the content you specify. Simple content matching works like the search function in Gmail. For example, if you search for purchase order, any string with the words purchase and order is returned. See Gmail search operators.

      • Advanced content match—Select the Location of the text within the message and the Match type, and enter the content to search. Unlike simple content match, the string must be an exact match. See the tables below for a description of each location within the message and the match types. See Options for Advanced content matching.

      • Metadata match—Select the attribute to match and the Match type. If needed, enter the Match value. See the table below for a description of metadata attributes and match types. See Metadata attributes and match types.

      • Predefined content match—Select one of the predefined content detectors, such as Credit Card Number or Social Security Number. Optionally, you can set the number of times the detector must appear in a message to trigger the action you define. You can also trigger a scan if the detector in the message meets a confidence threshold. For details, see Scan your email traffic using data loss prevention. This feature is available with G Suite Business and Enterprise editions.

      Options for Advanced content matching

      • Location—The section of the email message where the content appears. 

        Location type: Description

        Headers + Body: The full headers plus the body. Includes attachments (MIME parts decoded).
        Full headers: All header fields. Doesn't include the message body or attachments.
        Body: The main text portion of the email message. Includes attachments (MIME parts encoded).
        Subject: The subject of the message as present in the email header.
        Sender header: The sender's email address as reported in the From: header. It can differ from the sender reported in the Envelope sender.

        The sender header consists of the email address, located within the angle brackets, and doesn't include the account name.

        For example, consider:

        From: Jane Doe <jdoe@example.com>

        The sender header is jdoe@example.com.

        Note: The left side of @gmail.com and @googlemail.com addresses is converted to the canonical representation. For example, jane.doe@gmail.com is converted to janedoe@gmail.com.

        Recipients header: The recipient or recipients as reported in the email headers To:, Cc:, and Bcc:. This can be different from the recipients reported in Any envelope recipient.

        This compares only one recipient at a time. If there are 2 or more recipients, the advanced content rule doesn't match against all of the recipients in one string. To set up a rule for messages sent to multiple users, use Full headers.

        The recipient header consists of the email address, located within the angle brackets, and does not include the account name.

        For example, consider:

        To: Jane Doe <jdoe@example.com>
        Cc: John Doe <johndoe@example.com>
        Bcc: John Smith <jsmith@example.com>

        The recipient headers are jdoe@example.com, johndoe@example.com, and jsmith@example.com.

        Envelope sender: The original sender that was reported during the SMTP communication request. It can be different from the sender reported in the Sender header. It often, but not always, matches the address found in the Return-Path header.

        Any envelope recipient: The recipient or recipients that were reported during the SMTP communication request. These can be different from the recipients reported in the Recipients header. This can include individuals added as part of a group expansion.

        This compares only one recipient at a time. If there are 2 or more recipients, the advanced content rule doesn't match against all of the recipients in one string.

        Raw message: The full headers plus the body, including all attachments and other MIME parts of the message. MIME parts aren't decoded. This is equivalent to the RFC 2822 message bytes.
      • Match type—The parameters used to determine a match.
         
        Match type: Description

        Starts with: Searches the selected location for content that starts with the specified character or string.
        Ends with: Searches the selected location for content that ends with the specified character or string.
        Contains text: Searches the selected location for content that contains the specified string.
        Not contains text: Searches the selected location for content that doesn't contain the specified string.
        Equals: Searches the selected location for content that exactly matches the specified string.
        Is empty: Searches the selected location for content that is empty.
        Matches regex: Searches the selected location for content that matches the specified regular expression. See About regex matching, below.
        Not matches regex: Searches the selected location for content that doesn't match the specified regular expression. See About regex matching, below.
        Matches any word: Searches the selected location for content that matches any word in the specified list of words.
        Matches all words: Searches the selected location for content that matches all words in the specified list of words.

      • Content—The text to be matched.

      Metadata attributes and match types

      Attribute Match type Description

      Message authentication

      • Message is authenticated
      • Message isn't authenticated

      Select this option to include messages that are or aren't authenticated in your compliance expression.

      Conforms to the DMARC standard: a message is authenticated if 1) SPF passes and the envelope sender domain aligns with the header From domain, or 2) the DKIM check passes for the header From domain. Otherwise, the message is considered unauthenticated.

      Source IP

      • Is within the following range

      • Is not within the following range

      Select this option to include messages that do or don't fall within the specified IP range in your compliance expression. Enter the range in the field.

      Secure transport (TLS)

      • Connection is TLS encrypted

      • Connection is not TLS encrypted

      Select this option to include received messages that are or aren't TLS-encrypted in your compliance expression.

      Message size
      • Is greater than the following (MB)
      • Is less than the following (MB)

      Select this option to include messages greater or less than the specified size in your compliance expression. Enter the message size in MB in the field.

      Note: This is the raw size of the entire message, which may be up to 33% larger than the native size of the message and attachments due to normal encoding overhead.

      S/MIME encryption

      • Message is S/MIME encrypted

      • Message is not S/MIME encrypted

      Select this option to include messages that are or aren’t S/MIME encrypted.

      This feature is only available with G Suite Enterprise and G Suite Enterprise for Education.

      S/MIME signed

      • Message is S/MIME signed

      • Message is not S/MIME signed

      Select this option to include messages that are or aren’t S/MIME signed.

      This feature is only available with G Suite Enterprise and G Suite Enterprise for Education.

      Gmail confidential mode
      • Message is in Gmail confidential mode
      • Message is not in Gmail confidential mode
      Select this option to include messages that are or aren't Gmail confidential mode messages.
  9. Verify that Run Security sandbox appears as the action to run if expressions match. Matching conditions always trigger this action, which scans the message's attachments in Security Sandbox.
  10. If your settings are complete, click Add Setting or Save at the bottom of the box, then click Save at the bottom of the Gmail Advanced settings page. Otherwise, see these additional settings:
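The Location, Match type and Metadata tables above describe how a rule expression is matched, but not on an actual message. The following Python is an added example, not Google's code and not code from this page: a small evaluator that applies Advanced content match expressions (location, match type, content) and a few Metadata match expressions (message authentication, TLS, message size) to a constructed message and constructed SMTP-session facts, combined with the any/all choice from step 8. The sample message, the metadata dictionary, the expression tuple shape and the lower-casing of addresses are assumptions of this example; the gmail.com dot-stripping, the one-recipient-at-a-time comparison and the SPF/DKIM definition of an authenticated message follow the page, with "aligns" approximated as the same domain or a subdomain of it.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample message (not from the page); the From: address has a dotted gmail local part.
SAMPLE_MESSAGE = """\
From: Jane Doe <Jane.Doe@gmail.com>
To: John Doe <johndoe@example.com>
Cc: John Smith <jsmith@example.com>
Subject: Purchase order 4421
Content-Type: text/plain

Please find the purchase order attached.
"""

# Constructed SMTP-session facts for that message. The page names these attributes;
# the dictionary shape is an assumption of this example.
SAMPLE_METADATA = {"spf_pass": True, "envelope_sender_domain": "gmail.com",
                   "dkim_pass": False, "dkim_domain": None, "tls": True, "raw_size_mb": 2.7}


def canonical_address(addr):
    """Bare address as the Sender header / Recipients header locations use it. Dropping dots in
    gmail.com and googlemail.com local parts is from the page; lower-casing is an assumption."""
    local, _, domain = addr.lower().rpartition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
    return f"{local}@{domain}"


def location_values(msg, location):
    """Strings a rule at the given Location is compared against. Recipients header yields one
    entry per recipient because the page says recipients are compared one at a time."""
    if location == "Subject":
        return [msg.get("Subject", "")]
    if location == "Sender header":
        return [canonical_address(parseaddr(msg.get("From", ""))[1])]
    if location == "Recipients header":
        raw = [v for h in ("To", "Cc", "Bcc") for v in msg.get_all(h, [])]
        return [canonical_address(a) for _, a in getaddresses(raw)]
    if location == "Body":
        return [msg.get_payload()]
    if location == "Full headers":
        return ["\n".join(f"{k}: {v}" for k, v in msg.items())]
    raise ValueError(f"unsupported location: {location}")


def _has_word(value, word):
    return re.search(r"\b" + re.escape(word) + r"\b", value) is not None


# The Match type table as predicates (value, content) -> bool.
MATCH_TYPES = {
    "Starts with": lambda v, c: v.startswith(c),
    "Ends with": lambda v, c: v.endswith(c),
    "Contains text": lambda v, c: c in v,
    "Not contains text": lambda v, c: c not in v,
    "Equals": lambda v, c: v == c,
    "Is empty": lambda v, c: v.strip() == "",
    "Matches regex": lambda v, c: re.search(c, v) is not None,
    "Not matches regex": lambda v, c: re.search(c, v) is None,
    "Matches any word": lambda v, c: any(_has_word(v, w) for w in c.split()),
    "Matches all words": lambda v, c: all(_has_word(v, w) for w in c.split()),
}


def is_authenticated(from_domain, meta):
    """Message authentication as the page defines it: SPF passes with the envelope sender domain
    aligned to the header From domain, or DKIM passes for that domain. 'Aligned' is taken here as
    equal or a subdomain, an approximation of DMARC relaxed alignment (assumption)."""
    def aligned(d):
        return d is not None and (d == from_domain or d.endswith("." + from_domain)
                                  or from_domain.endswith("." + d))
    return (meta["spf_pass"] and aligned(meta["envelope_sender_domain"])) or \
           (meta["dkim_pass"] and aligned(meta["dkim_domain"]))


def metadata_match(msg, meta, attribute, match_type, value=None):
    """One Metadata match expression, for the attributes the sample metadata covers."""
    if attribute == "Message authentication":
        auth = is_authenticated(location_values(msg, "Sender header")[0].rpartition("@")[2], meta)
        return auth if match_type == "Message is authenticated" else not auth
    if attribute == "Secure transport (TLS)":
        return meta["tls"] if match_type == "Connection is TLS encrypted" else not meta["tls"]
    if attribute == "Message size":  # raw size in MB, as the page's note describes
        bigger = match_type.startswith("Is greater")
        return meta["raw_size_mb"] > value if bigger else meta["raw_size_mb"] < value
    raise ValueError(f"unsupported attribute: {attribute}")


def evaluate_rule(message_text, expressions, mode="ANY", meta=SAMPLE_METADATA):
    """True means the rule fires, i.e. the action 'Run Security sandbox' applies.
    Expressions are ('content', location, match_type, content) or
    ('metadata', attribute, match_type, value); mode is 'ANY' or 'ALL' (step 8)."""
    msg = message_from_string(message_text)
    results = []
    for kind, a, b, c in expressions:
        if kind == "content":
            results.append(any(MATCH_TYPES[b](v, c) for v in location_values(msg, a)))
        else:
            results.append(metadata_match(msg, meta, a, b, c))
    return any(results) if mode == "ANY" else all(results)
```

A rule that returns True corresponds to the Run Security sandbox action in step 9. The evaluator also makes the Recipients header caveat concrete: a Contains text expression that lists two addresses in one string never matches, because each recipient is compared on its own, whereas the same string does match at the Full headers location.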

Quarantine malicious attachments

Malware detected by Security Sandbox is put in the Spam folder by default. To quarantine malware attachments detected by Security Sandbox instead, create a content compliance rule using the spam metadata attribute.

Scan attachments if messages come from specific address lists

You can specify address lists as criteria for whether messages match Security Sandbox rules. These lists can contain email addresses, domains, or both.

To determine if a rule applies to an address list, Gmail considers the "from" sender for received mail and the recipients for sent mail. For senders, the authentication requirement is also checked. If multiple lists are specified, an address must match at least one of the lists for a rule to apply.

To specify address lists:

  1. In the Add or Edit setting box, click Show options. To get to this box, see Scan attachments only if messages match specific rules.

  2. In the Options section, check the Use address lists to bypass or control application of this setting box.

  3. Select an option:

    • Bypass this setting for specific addresses / domains—Skips the rule if the address list matches, regardless of any other criteria specified in the rule.

    • Only apply this setting for specific addresses / domains—The address list match becomes a condition for whether the rule applies. If there are other criteria in the rule, such as match expressions, account types, or envelope filters, those conditions must also match for the rule to apply.

  4. Next to No lists used yet, click Use existing or create a new one.

  5. In the Available lists box, do one of the following:

    • Select the name of an existing list, then click Use.

    • Enter a name for a new list in the Create new list field, then click Create.

  6. To add email addresses or domains to the list:
    1. Hover over the list name, then click Edit.
    2. Click Add to add email addresses or domains to the list.
    3. Enter a full email address or domain name, such as solarmora.com. To add multiple addresses separate each address with a comma or a space.
    4. Check the Do not require sender authentication box to bypass the rule for approved senders that don't have authentication, such as SPF or DKIM, enabled. Use this option with caution, because it can lead to spoofing.
    5. Click Save.
  7. If your settings are complete, click Add Setting at the bottom of the box, then click Save at the bottom of the Gmail Advanced settings page. Otherwise, see add Account types to affect.
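The bypass and only-apply options, the at-least-one-list rule and the sender authentication requirement interact in ways that are easy to get wrong when lists grow. The Python below is an added example, not Google's code and not code from this page, that encodes those semantics for a received message: the lists, their entries and the sender-authentication flag are constructed (the page gives only solarmora.com as a sample domain), and the way other rule criteria are passed in as a single boolean is an assumption of this example.

```python
# Constructed address lists (entries are invented; solarmora.com is the page's sample domain).
# require_auth False corresponds to the "Do not require sender authentication" box being checked.
ADDRESS_LISTS = {
    "trusted-partners": {"entries": {"solarmora.com", "cfo@example.net"}, "require_auth": True},
    "legacy-scanner": {"entries": {"scanner@example.org"}, "require_auth": False},
}


def address_in_list(address, entries):
    """A list entry is either a full email address or a bare domain (page, step 6.3)."""
    address = address.lower()
    return address in entries or address.rpartition("@")[2] in entries


def any_list_matches(sender, sender_authenticated, list_names):
    """For received mail the 'from' sender is checked against the lists; the rule's address-list
    criterion is met if at least one list matches. A list that requires authentication ignores
    senders whose SPF/DKIM check failed, which is what keeps a spoofed From: from using the bypass."""
    for name in list_names:
        lst = ADDRESS_LISTS[name]
        if lst["require_auth"] and not sender_authenticated:
            continue
        if address_in_list(sender, lst["entries"]):
            return True
    return False


def rule_applies(other_criteria_match, list_option, list_hit):
    """Combine the address-list option with the rule's other criteria (expressions, account
    types, envelope filters). list_option is 'bypass', 'only_apply' or None (box unchecked)."""
    if list_option == "bypass":
        # A list match skips the rule regardless of the other criteria.
        return False if list_hit else other_criteria_match
    if list_option == "only_apply":
        # The list match is one more condition that must hold alongside the others.
        return list_hit and other_criteria_match
    return other_criteria_match
```

The defensive point in the page's caution becomes visible in the second and fourth checks: an unauthenticated sender claiming a listed domain does not match a list that requires authentication, so it cannot trigger a bypass, while a list with the authentication requirement turned off accepts such a sender.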

Scan attachments from specific account types

You can specify the account types as criteria for whether messages match Security Sandbox rules.

By default, Users is selected, but you can select more than one type. If you’re configuring an outbound setting, the account type must match the sender's type.

  1. In the Add or Edit setting box, click Show options. To get to this box, see Scan attachments only if messages match specific rules.
  2. In the Options section, select your settings for Account types to affect:
    • Users
    • Unrecognized/Catch-all
  3. If your changes are complete, click Add setting or Save at the bottom of the box, then click Save at the bottom of the Gmail Advanced settings page. Otherwise, see Specify an envelope filter.
Scan attachments from senders, recipients, and groups (envelope filter)

You can specify email envelope information, such as the sender or recipient email address, as criteria in Security Sandbox rules. 

  1. In the Add or Edit setting box, click Show options. To get to this box, see Scan attachments only if messages match specific rules.
  2. In the Options section, select your settings for Envelope filter: Check the Only affect specific envelope senders box, the Only affect specific envelope recipients box, or both.
  3. In the drop-down list, select an option:
    • Single email address—Specify a single user by entering one email address. It needs to be the complete email address and include @ and the domain name. The match is case insensitive.

    • Pattern match—Enter a regular expression to specify a set of senders or recipients in your domain. Click Test expression to make sure your syntax is correct. For example, you can ensure this setting applies only to 3 specific users by entering the list of users using the following regular expression syntax:

      ^(?i)(user1@solarmora\.com|user2@solarmora\.com|user3@solarmora\.com)$

      In the expression:

      • ^ matches the start of a new line.
      • (?i) makes the expression case insensitive.
      • $ matches the end of a line.

      Learn about using regular expressions.

    • Group membership—Select one or more groups in the list. For envelope senders, this option only applies to sent email. For envelope recipients, it only applies to received email. If you haven't, you'll need to create the group first.

  4. Click Add setting or Save at the bottom of the box, then click Save at the bottom of the Gmail Advanced settings page. 

    Attachments are scanned according to the specified rules. It can take up to an hour for changes to propagate to user accounts.
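The envelope-filter pattern in step 3 relies on its anchors and on the escaped dots to select exactly the listed users. The following Python is an added example, not Google's code and not code from this page: it checks the page's expression against constructed candidate addresses, and generalises the three-user list into a helper that builds the same kind of anchored, case-insensitive alternation for any list of addresses. Python accepts a global inline flag such as (?i) only at the very start of an expression (an error since Python 3.11), so the flag is moved there; the matching behaviour is unchanged. The candidate addresses are constructed for this example.

```python
import re

# The page's envelope-filter expression, with (?i) moved to the front for Python's re module.
PAGE_PATTERN = re.compile(r"(?i)^(user1@solarmora\.com|user2@solarmora\.com|user3@solarmora\.com)$")

# Constructed candidates with the expected result and the part of the expression responsible.
CONSTRUCTED_ADDRESSES = {
    "user2@solarmora.com": True,            # listed exactly
    "User1@SolarMora.com": True,            # (?i): case is ignored
    "user4@solarmora.com": False,           # not one of the listed users
    "user1@solarmoraXcom": False,           # escaped \. matches only a literal dot
    "user1@solarmora.com.example": False,   # $: nothing may follow the address
    "xuser1@solarmora.com": False,          # ^: nothing may precede the address
}


def build_envelope_pattern(addresses):
    """Generalisation of the page's example (assumed helper): an anchored, case-insensitive
    alternation of the given envelope addresses, with regex metacharacters escaped."""
    alternation = "|".join(re.escape(a) for a in addresses)
    return re.compile(rf"(?i)^({alternation})$")


def envelope_matches(pattern, address):
    """True when the filter selects this envelope sender or recipient. search() rather than
    fullmatch() is used so that the anchors in the expression itself do the work."""
    return pattern.search(address) is not None


def check_all(pattern=PAGE_PATTERN, addresses=CONSTRUCTED_ADDRESSES):
    """Evaluate every constructed address and return {address: matched}."""
    return {addr: envelope_matches(pattern, addr) for addr in addresses}
```

Dropping either anchor, or forgetting to escape the dot, widens the filter to addresses the administrator did not intend, which is why the page suggests using Test expression before saving.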

View reports and changes to settings

Reports show the number of attachments scanned and the number of malicious attachments identified. Reports are available in the G Suite security dashboard.

You can view changes to Security Sandbox settings in the Admin console audit log.
