Set up rules to detect harmful attachments

As an administrator, you can set up Gmail to scan all email attachments in Security Sandbox. This setting is off by default.

1. Sign in with an administrator account to the Google Admin console.

   If you aren’t using an administrator account, you can’t access the Admin console.

2. Go to Menu  Apps > Google Workspace > Gmail > Spam, Phishing and Malware.

   Requires having the Gmail Settings administrator privilege.

3. Select the organizational unit you want to configure settings for. If you want to configure settings for everyone, select the top-level unit. Or, select one of the child organizational units.
4. Scroll to Security sandbox in the Spam, Phishing, and Malware section. Security Sandbox rules are at the bottom of this section.
5. To scan all attachments, check the Enable virtual execution of attachments in a sandbox environment... box.

   Note: When this box is checked, all attachments are scanned in the Security Sandbox, even if you set up specific sandbox rules.

6. At the bottom of the page, click Save. 

Changes can take up to 24 hours but typically happen more quickly. Learn more

Add rules to specify which messages are scanned.

1. Sign in with an administrator account to the Google Admin console.

   If you aren’t using an administrator account, you can’t access the Admin console.

2. Go to Menu  Apps > Google Workspace > Gmail > Spam, Phishing and Malware.

   Requires having the Gmail Settings administrator privilege.

3. Select the organizational unit you want to configure settings for. If you want to configure settings for everyone, select the top-level unit. Or, select one of the child organizational units.

4. In the Spam, Phishing and Malware section, under Security Sandbox, clear the Enable virtual execution of attachments in a sandbox... box. When this box is cleared, attachments are scanned in the sandbox only if they match sandbox rules.

5. Point to Security sandbox rules at the bottom of the Spam, Phishing and Malware section, then click Configure.

6. In the Add setting box, under Security sandbox rules, enter a name for the rule. This name appears on the settings page.

7. In the Email messages to affect section, check the boxes next to message types:

   • Inbound—Messages sent to your organization from external domains.

   • Internal - receiving—Messages sent and received within your organization's domains and subdomains. 

     A domain is internal if it is a verified workspace domain, or a subdomain or parent domain of a verified workspace domain.

8. In the Add expressions that describe the content you want to search for in each message section:

   1. Select whether you want to match any or all expressions. For example, if you select If ANY of the following match the message, any matching condition triggers an attachment scan in Security Sandbox.

   2. In the Expressions box, click Add.

   3. From the list, choose what you want to specify for the expression, then click Save.

      • Simple content match—Match the content you specify. Simple content matching works like the search function in Gmail. For example, if you search for purchase order, any string with the words purchase and order is returned. Learn more about Gmail search operators.

      • Advanced content match—Select the Location of the text within the message and the Match type, and enter the content to search. Unlike simple content match, the string must be an exact match. The tables below have a description of each location within the message, and the match types. Learn more about Options for Advance content matching.

      • Metadata match—Select the attribute to match and the Match type. If needed, enter the Match value. Refer to the table below for a description of metadata attributes and match types. Learn more about Metadata attributes and match types.

      • Predefined content match—Select one of the predefined content detectors. For example, select Credit Card Number or Social Security Number. Optionally, you can set the number of times the detector must appear in a message to trigger the action you define. You can also trigger a scan when the detector in the message meets a confidence threshold. Note: This feature isn't available with all editions. Go to Scan your email traffic using data loss prevention to learn more.

      Options for Advanced content matching

      • Location—The section of the email message where the content appears. 

        Location type	Description
        Headers + Body	The full headers plus the body. Includes attachments (MIME parts decoded).
        Full headers	All header fields. Doesn't include the message body or attachments.
        Body	The main text portion of the email message. Includes attachments (MIME parts encoded).
        Subject	The subject of the message as present in the email header.
        Sender header	The sender's email address as reported in the From: header. It can differ from the sender reported in the Envelope sender. The sender header consists of the email address, located within the angle brackets, and doesn't include the account owner's name. For example, consider: From: Jane Doe <jdoe@example.com> The sender header is jdoe@example.com. Note: The left side of @gmail.com and @googlemail.com addresses is converted to the canonical representation. For example, jane.doe@gmail.com is converted to janedoe@gmail.com.
        Recipients header	The recipient or recipients as reported in the email headers, To:, Cc:, and Bcc:. This can be different from the recipients reported in Any envelope recipient. This compares only one recipient at a time. If there are 2 or more recipients, the advanced content rule doesn't match against all recipients in one string. To set up a rule for messages sent to multiple users, use Full headers. The recipient header consists of the email address, located within the angle brackets, and does not include the account owner's name. For example, consider: To: Jane Doe <jdoe@example.com> Cc: John Doe <johndoe@example.com> Bcc: John Smith <jsmith@example.com> The recipient headers are jdoe@example.com, johndoe@example.com, and jsmith@example.com.
        Envelope sender	The original sender that was reported during the SMTP communication request. It can be different from the sender reported in the Sender header. It often, but not always, matches the address found in the “Return-path” header.
        Any envelope recipient	The recipient or recipients that were reported during the SMTP communication request. These can be different from the recipients reported in the Recipient header. This can include individuals added as part of a group expansion. This compares only one recipient at a time. If there are 2 or more recipients, the advanced content rule doesn't match against all recipients in one string.
        Raw message	The full headers plus the body, including all attachments and other MIME parts of the message. MIME parts aren't decoded.

      • Match type—The parameters used to determine a match.
         

        Match type	Description
        Starts with	Searches the selected location for content that starts with the specified character or string.
        Ends with	Searches the selected location for content that ends with the specified character or string.
        Contains text	Searches the selected location for content that has the specified string.
        Not contains text	Searches the selected location for content that doesn’t havee the specified string.
        Equals	Searches the selected location for content that exactly matches the specified string.
        Is empty	Searches the selected location for content that is empty.
        Matches regex	Searches the selected location for content that matches the specified regular expression.
        Not matches regex	Searches the selected location for content that doesn't match the specified regular expression.
        Matches any word	Searches the selected location for content that matches any word in the specified list of words.
        Matches all words	Searches the selected location for content that matches all words in the specified list of words.

      • Content—The text to be matched.

      Metadata attributes and match types

      Attribute	Match type	Description
      Message authentication	Message is authenticated Message isn't authenticated	Select this option to include messages that are or aren't authenticated in your compliance expression. This option conforms to the DMARC standard. Messages are authenticated if they pass either SPF or DKIM. If messages don't pass one of these authentication checks, the message is considered unauthenticated. Read more about SPF, DKIM, and DMARC.
      Source IP	Is within the following range Is not within the following range	Select this option to include messages that do or don't fall within the specified IP range in your compliance expression.
      Secure transport (TLS)	Connection is TLS encrypted Connection is not TLS encrypted	Select this option to include received messages that are or aren't TLS-encrypted in your compliance expression.
      Message size	Is greater than the following (MB) Is less than the following (MB)	Select this option to include messages greater or less than the specified size in your compliance expression. Enter the message size in MB in the field. The size is the raw size of the entire message, which can be up to 33% larger than the original size of the message and attachments. This is because of standard encoding overhead.
      S/MIME encryption	Message is S/MIME encrypted Message is not S/MIME encrypted	Select this option to include messages that are or aren’t S/MIME encrypted. Supported editions for this feature: Enterprise Plus; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus. Compare your edition
      S/MIME signed	Message is S/MIME signed Message is not S/MIME signed	Select this option to include messages that are or aren’t S/MIME signed. Supported editions for this feature: Enterprise Plus; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus. Compare your edition
      Gmail confidential mode	Message is in Gmail confidential mode Message is not in Gmail confidential mode	Select this option to include messages that are or aren't Gmail confidential mode messages.

9. Verify that Run security sandbox appears as the action when expressions match. Matching conditions always trigger the action to scan attachments in Security Sandbox (Run Security sandbox).
10. If your settings are complete, click Add Setting or Save, then click Save at the bottom of the Gmail Advanced settings page. Or, go to these settings:
    • Scan attachments if messages come from specific address lists
    • Scan attachments from specific account types
    • Scan attachments from senders, recipients, and groups (envelope filter)

You can specify address lists as criteria for scanning. Address lists include email addresses, domains, or both.

To determine if a rule applies to an address list, this rule uses the "from" sender for received mail and the recipients for sent mail values. For senders, the authentication requirement is also checked. If multiple lists are specified, an address must match at least one of the lists for a rule to apply.

1. Open the Add or Edit setting box by following the steps in Scan attachments if messages match specified rules. 
2. Click Show options. 

3. In the Options section, check the Use address lists to bypass or control application of this setting box.

4. Select an option:

   • Bypass this setting for specific addresses / domains—Skips the rule if the address list matches, regardless of any other criteria specified in the rule.

   • Only apply this setting for specific addresses / domains—The address list match becomes a condition for whether the rule applies. If there are other criteria in the rule (match expressions, account types, or envelope filters), those conditions must also match for the rule to apply.

5. Next to No lists used yet, click Use existing or create a new one.

6. In the Available lists box, do one of the following:

   • Select the name of an existing list, then click Use.

   • Enter a name for a new list in the Create new list field, then click Create.

7. To add email addresses or domains to the list:
   1. Point to the list name, then click Edit.
   2. Add email addresses or domains to the list, click Add.
   3. Enter a full email address or domain name, such as solarmora.com. To add multiple addresses, separate each address with a comma or a space.
   4. Check the Do not require sender authentication box to bypass the rule for approved senders that don't have authentication set up. Use this option with caution as it can potentially lead to spoofing.
   5. Click Save.

8. If your settings are complete, click Add Setting at the bottom of the box, then click Save at the bottom of the Gmail Advanced settings page. Otherwise, go to Account types to affect.

You can specify messages from certain account types for scanning. By default, the Users account type is selected, but you can specifiy more than one account type. If you’re setting up an outbound setting, the account type must match the sender's type.

1. Open the Add or Edit setting box by following the steps in Scan attachments if messages match specified rules. 
2. Click Show options. 
3. In the Options section, select your settings for Account types to affect:
   • Users
   • Unrecognized/Catch-all
4. If your changes are complete, click Add setting or Save, then click Save at the bottom of the Gmail Advanced settings page. Otherwise, go to Specify an envelope filter.

You can specify email envelope information as criteria for scanning. Email envelope information includes sender and recipient email addresses.

1. Open the Add or Edit setting box by following the steps in Scan attachments if messages match specified rules. 
2. Click Show options. 
3. In the Options section, select your settings for Envelope filter: Check the Only affect specific envelope senders box, the Only affect specific envelope recipients box, or both.
4. Select an option:

   • Single email address—Specify a single user by entering one email address. It needs to be the complete email address and include @ and the domain name. The match is case insensitive.

   • Pattern match—Enter a regular expression to specify a set of senders or recipients in your domain. Click Test expression to make sure your syntax is correct. For example, apply this setting to 3 specific users only by entering the list of users with this regular expression syntax:
     
     ^(?i)(user1@solarmora\.com|user2@solarmora\.com|user3@solarmora\.com)$
     
     In the expression:

     • ^ matches the start of a new line.
     • (?i) makes the expression case insensitive.
     • $ matches the end of a line.

     Learn about using regular expressions.

   • Group membership—Select one or more groups in the list. For envelope senders, this option only applies to sent email. For envelope recipients, it only applies to received email. If you haven't, you'll need to create the group first.

5. Click Add setting or Save at the bottom of the box, then click Save at the bottom of the Gmail Advanced settings page. 
   
   Attachments are scanned according to the specified rules.

Changes can take up to 24 hours but typically happen more quickly. Learn more

The Spam filter - Malware report shows the number of malicious attachments identified. It also lists any messages that have been identified as malicious. The report does not show the number of attachments scanned. This report is available in the Google Workspace security dashboard.