
Set up rules to detect harmful attachments

Security Sandbox

Supported editions for this feature: Enterprise Plus; Education Standard and Education Plus.

Email attachments can include malicious software that might be missed by traditional antivirus programs. To identify these threats, Gmail can scan or run attachments in a virtual environment called Security Sandbox. Attachments identified as threats are sent to the recipient's Spam folder.

As an administrator, you have several options for managing attachments:

  • Set up Gmail to scan all supported attachment types in Security Sandbox.
  • Set up rules to specify which attachments are scanned in Security Sandbox.
  • Set up content compliance rules to manage malicious attachments.

File types scanned in Security Sandbox include Microsoft executables, Microsoft Office, and PDF. Security Sandbox supports files directly attached to emails or contained within archives (for example: zip, rar).

About Security Sandbox rules and other scans

You can create rules that specify which attachments are scanned in Security Sandbox. For example, you might create rules like these, to scan attachments that:

  • Include specific content, for example the word invoice
  • Come from specified users
  • Are sent from outside a specified domain
  • Have envelope addresses that match specific patterns

Security Sandbox can scan attachments from both inside your domain and from external domains.

How Security Sandbox scans work with other scans

Security Sandbox scans run independently of other compliance and pre-delivery scans. For example, your content compliance scans might search for personal information such as credit card numbers. Attachment compliance scans might block attachments of a specific type or size. Gmail runs compliance and pre-delivery scans separately from Security Sandbox scans. 

Note: Security Sandbox doesn't scan email attachments blocked by compliance rules or pre-delivery scans.

Messages might be delayed

Security Sandbox scans can delay the message delivery by up to 3 minutes. Some scans might be completed in less time.

Find Security Sandbox settings

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Apps > Google Workspace > Gmail > Spam, Phishing and Malware.
  3. Select the organizational unit you want to configure settings for. If you want to configure settings for everyone, select the top-level unit. Or, select one of the child organizational units.
  4. Scroll to Security Sandbox in the Spam, Phishing and Malware section. Security Sandbox rules are at the bottom of this section.

Scan all attachments in Security Sandbox

As an administrator, you can set up Gmail to scan all email attachments.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Apps > Google Workspace > Gmail > Spam, Phishing and Malware.
  3. Select the organizational unit you want to configure settings for. If you want to configure settings for everyone, select the top-level unit. Or, select one of the child organizational units.
  4. Scroll to Security sandbox in the Spam, Phishing, and Malware section. Security Sandbox rules are at the bottom of this section.
  5. To scan all attachments, check the Enable virtual execution of attachments in a sandbox environment... box.

    Note: When this box is checked, all attachments are scanned in the Security Sandbox, even if you set up specific sandbox rules.

  6. At the bottom of the page, click Save.

Changes can take up to 24 hours but typically happen more quickly.

Scan attachments only if messages match specific rules

The rules you specify are used to identify the email messages whose attachments will be scanned.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Apps > Google Workspace > Gmail > Spam, Phishing and Malware.
  3. Select the organizational unit you want to configure settings for. If you want to configure settings for everyone, select the top-level unit. Or, select one of the child organizational units.
  4. In the Spam, Phishing and Malware section, under Security Sandbox, clear the Enable virtual execution of attachments in a sandbox... box. When this box is cleared, attachments are scanned in the sandbox only if they match sandbox rules.

  5. Point to Security sandbox rules at the bottom of the Spam, Phishing and Malware section, then click Configure.

  6. In the Add setting box, under Security sandbox rules, enter a name for the rule. This name appears on the settings page.

  7. In the Email messages to affect section, check the boxes next to message types:

    • Inbound—Messages sent to your organization from external domains.

    • Internal - receiving—Messages sent and received within your organization's domains and subdomains. 

  8. In the Add expressions that describe the content you want to search for in each message section:

    1. Select whether you want to match any or all expressions. For example, if you select If ANY of the following match the message, any matching condition triggers an attachment scan in Security Sandbox.

    2. In the Expressions box, click Add.

    3. From the list, choose what you want to specify for the expression, then click Save.

      • Simple content match—Match the content you specify. Simple content matching works like the search function in Gmail. For example, if you search for purchase order, any string with the words purchase and order is returned. Learn more about Gmail search operators.

      • Advanced content match—Select the Location of the text within the message and the Match type, and enter the content to search. Unlike simple content match, the string must be an exact match. The tables below have a description of each location within the message, and the match types. Learn more about Options for Advanced content matching.

      • Metadata match—Select the attribute to match and the Match type. If needed, enter the Match value. Refer to the table below for a description of metadata attributes and match types. Learn more about Metadata attributes and match types.

      • Predefined content match—Select one of the predefined content detectors. For example, select Credit Card Number or Social Security Number. Optionally, you can set the number of times the detector must appear in a message to trigger the action you define. You can also trigger a scan when the detector in the message meets a confidence threshold. Note: This feature isn't available with all editions. Go to Scan your email traffic using data loss prevention to learn more.

      Options for Advanced content matching

      • Location—The section of the email message where the content appears. 

        Location type Description

        Headers + Body

        The full headers plus the body. Includes attachments (MIME parts decoded).

        Full headers

        All header fields. Doesn't include the message body or attachments.

        Body

        The main text portion of the email message. Includes attachments (MIME parts encoded).

        Subject

        The subject of the message as present in the email header.

        Sender header

        The sender's email address as reported in the From: header. It can differ from the sender reported in the Envelope sender.

        The sender header consists of the email address, located within the angle brackets, and doesn't include the account owner's name.

        For example, consider:

        From: Jane Doe <jdoe@example.com>

        The sender header is jdoe@example.com.

        Note: The left side of @gmail.com and @googlemail.com addresses is converted to the canonical representation. For example, jane.doe@gmail.com is converted to janedoe@gmail.com.

        Recipients header

        The recipient or recipients as reported in the email headers, To:, Cc:, and Bcc:. This can be different from the recipients reported in Any envelope recipient.

        This compares only one recipient at a time. If there are 2 or more recipients, the advanced content rule doesn't match against all recipients in one string. To set up a rule for messages sent to multiple users, use Full headers.

        The recipient header consists of the email address, located within the angle brackets, and does not include the account owner's name.

        For example, consider:

        To: Jane Doe <jdoe@example.com>
        Cc: John Doe <johndoe@example.com>
        Bcc: John Smith <jsmith@example.com>

        The recipient headers are jdoe@example.com, johndoe@example.com, and jsmith@example.com.

        Envelope sender

        The original sender that was reported during the SMTP communication request. It can be different from the sender reported in the Sender header. It often, but not always, matches the address found in the “Return-path” header.

        Any envelope recipient

        The recipient or recipients that were reported during the SMTP communication request. These can be different from the recipients reported in the Recipient header. This can include individuals added as part of a group expansion.

        This compares only one recipient at a time. If there are 2 or more recipients, the advanced content rule doesn't match against all recipients in one string.

        Raw message

        The full headers plus the body, including all attachments and other MIME parts of the message. MIME parts aren't decoded.

      • Match type—The parameters used to determine a match.
         
        Match type Description

        Starts with

        Searches the selected location for content that starts with the specified character or string.

        Ends with

        Searches the selected location for content that ends with the specified character or string.

        Contains text

        Searches the selected location for content that has the specified string.

        Not contains text

        Searches the selected location for content that doesn’t have the specified string.

        Equals

        Searches the selected location for content that exactly matches the specified string.

        Is empty

        Searches the selected location for content that is empty.

        Matches regex

        Searches the selected location for content that matches the specified regular expression.

        Not matches regex

        Searches the selected location for content that doesn't match the specified regular expression.

        Matches any word

        Searches the selected location for content that matches any word in the specified list of words.

        Matches all words

        Searches the selected location for content that matches all words in the specified list of words.

      • Content—The text to be matched.

      Metadata attributes and match types

      Attribute Match type Description

      Message authentication

      • Message is authenticated
      • Message isn't authenticated

      Select this option to include messages that are or aren't authenticated in your compliance expression. This option conforms to the DMARC standard. Messages are authenticated if they pass either SPF or DKIM. If messages don't pass one of these authentication checks, the message is considered unauthenticated. Read more about SPF, DKIM, and DMARC.

      Source IP

      • Is within the following range

      • Is not within the following range

      Select this option to include messages that do or don't fall within the specified IP range in your compliance expression.

      Secure transport (TLS)

      • Connection is TLS encrypted

      • Connection is not TLS encrypted

      Select this option to include received messages that are or aren't TLS-encrypted in your compliance expression.

      Message size
      • Is greater than the following (MB)
      • Is less than the following (MB)

      Select this option to include messages greater or less than the specified size in your compliance expression. Enter the message size in MB in the field.

      The size is the raw size of the entire message, which can be up to 33% larger than the original size of the message and attachments. This is because of standard encoding overhead.

      S/MIME encryption

      • Message is S/MIME encrypted

      • Message is not S/MIME encrypted

      Select this option to include messages that are or aren’t S/MIME encrypted.

      Supported editions for this feature: Enterprise Plus; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus.

      S/MIME signed

      • Message is S/MIME signed

      • Message is not S/MIME signed

      Select this option to include messages that are or aren’t S/MIME signed.

      Supported editions for this feature: Enterprise Plus; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus.

      Gmail confidential mode
      • Message is in Gmail confidential mode
      • Message is not in Gmail confidential mode
      Select this option to include messages that are or aren't Gmail confidential mode messages.
  9. Verify that Run security sandbox appears as the action when expressions match. Matching conditions always trigger the action to scan attachments in Security Sandbox (Run Security sandbox).
  10. If your settings are complete, click Add Setting or Save, then click Save at the bottom of the Gmail Advanced settings page. Or, go to these settings:
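
A local model of the Sender header and Recipients header locations described in step 8, as an added example (not Gmail's code and not part of the original page). The function names and the sample message are constructed, and the canonicalization is assumed to be dot removal only, which is all the page shows.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// Constructed sample: the envelope sender differs from the From: header.
const envelopeSender = "bounces@mailer.example.net"
const rawMessage = "From: Jane Doe <jane.doe@gmail.com>\r\n" +
	"To: Jane Doe <jdoe@example.com>\r\n" +
	"Cc: John Doe <johndoe@example.com>\r\n" +
	"Subject: invoice\r\n\r\nSee attachment.\r\n"

// canonical drops dots from the left side of gmail.com/googlemail.com addresses (assumed rule).
func canonical(addr string) string {
	at := strings.LastIndex(addr, "@")
	domain := strings.ToLower(addr[at+1:])
	if at > 0 && (domain == "gmail.com" || domain == "googlemail.com") {
		return strings.ReplaceAll(addr[:at], ".", "") + addr[at:]
	}
	return addr
}

// headerValues returns the Sender header value and the Recipients header values, display names dropped.
func headerValues(raw string) (sender string, recipients []string, err error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return "", nil, err
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return "", nil, err
	}
	for _, name := range []string{"To", "Cc", "Bcc"} {
		list, _ := msg.Header.AddressList(name) // absent or unparsable header: skipped
		for _, a := range list {
			recipients = append(recipients, a.Address)
		}
	}
	return canonical(from.Address), recipients, nil
}

// equalsAny applies an Equals rule to one recipient at a time, as the page describes.
func equalsAny(recipients []string, want string) bool {
	for _, r := range recipients {
		if r == want {
			return true
		}
	}
	return false
}

func main() {
	sender, rcpts, _ := headerValues(rawMessage)
	fmt.Println("sender header:", sender, "| envelope sender:", envelopeSender)
	fmt.Println("single address:", equalsAny(rcpts, "johndoe@example.com"), "| joined string:", equalsAny(rcpts, strings.Join(rcpts, ", ")))
}
```

A rule value that lists several recipients in one string never equals any single Recipients header value, which is why the page points to Full headers for multi-recipient rules.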

Quarantine malicious attachments

Malware detected by Security Sandbox is put in the spam folder by default. You can quarantine harmful software attachments detected by Security Sandbox instead. Create a content compliance rule using the spam metadata attribute.

Scan attachments if messages come from specific address lists

You can specify address lists as criteria for whether messages match Security Sandbox rules. These lists can include email addresses, domains, or both.

To determine if a rule applies to an address list, Gmail considers the "from" sender for received mail and the recipients for sent mail. For senders, the authentication requirement is also checked. If multiple lists are specified, an address must match at least one of the lists for a rule to apply.

To specify address lists:

  1. In the Add or Edit setting box, click Show options. To get to this box, go to Scan attachments if messages match specified rules.

  2. In the Options section, check the Use address lists to bypass or control application of this setting box.

  3. Select an option:

    • Bypass this setting for specific addresses / domains—Skips the rule if the address list matches, regardless of any other criteria specified in the rule.

    • Only apply this setting for specific addresses / domains—The address list match becomes a condition for whether the rule applies. If there are other criteria in the rule (match expressions, account types, or envelope filters), those conditions must also match for the rule to apply.

  4. Next to No lists used yet, click Use existing or create a new one.

  5. In the Available lists box, do one of the following:

    • Select the name of an existing list, then click Use.

    • Enter a name for a new list in the Create new list field, then click Create.

  6. To add email addresses or domains to the list:
    1. Point to the list name, then click Edit.
    2. To add email addresses or domains to the list, click Add.
    3. Enter a full email address or domain name, such as solarmora.com. To add multiple addresses, separate each address with a comma or a space.
    4. Check the Do not require sender authentication box to bypass the rule for approved senders that don't have authentication set up. Use this option with caution as it can potentially lead to spoofing.
    5. Click Save.
  7. If your settings are complete, click Add Setting at the bottom of the box, then click Save at the bottom of the Gmail Advanced settings page. Otherwise, go to Account types to affect.

Scan attachments from specific account types

You can specify the account types as criteria for whether messages match Security Sandbox rules.

By default, Users is selected, but you can select more than one type. If you’re setting up an outbound setting, the account type must match the sender's type.

  1. In the Add or Edit setting box, click Show options. To get to this box, go to Scan attachments if messages match specified rules.
  2. In the Options section, select your settings for Account types to affect:
    • Users
    • Unrecognized/Catch-all
  3. If your changes are complete, click Add setting or Save, then click Save at the bottom of the Gmail Advanced settings page. Otherwise, go to Specify an envelope filter.

Scan attachments from senders, recipients, and groups (envelope filter)

You can specify email envelope information as criteria in Security Sandbox rules. Examples of email envelope information are sender and recipient email addresses.

  1. In the Add or Edit setting box, click Show options. To get to this box, go to Scan attachments if messages match specified rules.
  2. In the Options section, select your settings for Envelope filter: Check the Only affect specific envelope senders box, the Only affect specific envelope recipients box, or both.
  3. Select an option:
    • Single email address—Specify a single user by entering one email address. It needs to be the complete email address and include @ and the domain name. The match is case insensitive.

    • Pattern match—Enter a regular expression to specify a set of senders or recipients in your domain. Click Test expression to make sure your syntax is correct. For example, apply this setting to 3 specific users only by entering the list of users with this regular expression syntax:

      ^(?i)(user1@solarmora\.com|user2@solarmora\.com|user3@solarmora\.com)$

      In the expression:

      • ^ matches the start of a new line.
      • (?i) makes the expression case insensitive.
      • $ matches the end of a line.

      Learn about using regular expressions.

    • Group membership—Select one or more groups in the list. For envelope senders, this option only applies to sent email. For envelope recipients, it only applies to received email. If you haven't, you'll need to create the group first.

  4. Click Add setting or Save at the bottom of the box, then click Save at the bottom of the Gmail Advanced settings page. 

    Attachments are scanned according to the specified rules.

Changes can take up to 24 hours but typically happen more quickly.
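
The pattern-match expression from the envelope filter steps, checked locally as an added example (not part of the original page). It uses Go's regexp package, which accepts the expression exactly as written; treating it as a stand-in for the Test expression button is an assumption, and the two weakened variants, the sample addresses, and the function names are constructed here.

```go
package main

import (
	"fmt"
	"regexp"
)

// Expression from the page, unchanged.
const pagePattern = `^(?i)(user1@solarmora\.com|user2@solarmora\.com|user3@solarmora\.com)$`

// Constructed variants: the same list without anchors, and with unescaped dots.
const unanchored = `(?i)(user1@solarmora\.com|user2@solarmora\.com|user3@solarmora\.com)`
const unescaped = `^(?i)(user1@solarmora.com|user2@solarmora.com|user3@solarmora.com)$`

// Constructed envelope addresses, one per case worth checking.
var samples = []string{
	"user1@solarmora.com",             // listed user
	"USER2@Solarmora.COM",             // listed user, different case
	"user4@solarmora.com",             // unlisted user
	"xuser1@solarmora.com",            // extra leading text
	"user1@solarmora.com.example.net", // extra trailing text
	"user3@solarmora-com",             // '-' where the dot should be
}

// matchesEnvelope reports whether one envelope address matches the pattern.
func matchesEnvelope(pattern, addr string) bool {
	return regexp.MustCompile(pattern).MatchString(addr)
}

// extraMatches lists the sample addresses that candidate accepts although
// the page's expression rejects them.
func extraMatches(candidate string) []string {
	var extra []string
	for _, addr := range samples {
		if matchesEnvelope(candidate, addr) && !matchesEnvelope(pagePattern, addr) {
			extra = append(extra, addr)
		}
	}
	return extra
}

func main() {
	for _, addr := range samples {
		fmt.Printf("%-34s page pattern matches: %v\n", addr, matchesEnvelope(pagePattern, addr))
	}
	fmt.Println("unanchored also accepts:", extraMatches(unanchored))
	fmt.Println("unescaped dots also accept:", extraMatches(unescaped))
}
```

Without ^ and $ the rule applies to any address that merely contains a listed one, and an unescaped dot accepts any character in that position, so the setting reaches senders or recipients it was not written for.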

View reports and changes to settings

The Spam filter - Malware report shows the number of malicious attachments identified. It also lists any messages that have been identified as malicious. The report does not show the number of attachments scanned. This report is available in the Google Workspace security dashboard.

You can view changes to Security Sandbox settings in the Admin console audit log.

Related information

Best practices for faster rules testing

