Are attachments and links detonated in a sandbox before delivery?
Demonstrate that all inbound email attachments and embedded links are subject to automated sandbox analysis prior to delivery, with malicious artifacts quarantined or stripped based on detonation results.
Description
What this control does
Sandbox detonation analyzes email attachments and links in an isolated, instrumented environment before they reach end-user inboxes, observing their behavior for signs of malicious activity such as shellcode execution, process injection, credential-harvesting pages, or command-and-control callbacks. The control holds inbound messages, extracts the attachments and URLs, opens or executes them in a virtualized or containerized sandbox that mimics the target environment (operating system, productivity software, browser), and blocks, quarantines, or strips the artifact when the observed behavior crosses the malicious-verdict threshold. Because the decision rests on observed behavior rather than a known signature, it catches zero-day exploits, polymorphic malware, and novel phishing kits that evade signature-based scanning. Two limits matter in practice: a link that is benign at delivery can be weaponized afterwards, so link protection normally combines pre-delivery detonation with URL rewriting and time-of-click re-evaluation; and sandbox-aware malware may stall or stay dormant when it detects a virtual machine, a short uptime, or no user activity, so detonation time limits and evasion detection are part of the configuration to review.
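The artifact-extraction step described above, as an added example (not the page's own material and not any vendor's code): it parses a constructed inbound message, enumerates attachments including the members of a zip archive, cross-checks each declared file extension against magic bytes, harvests URLs from the body, and returns the set of artifacts the assumed policy would send to detonation. The policy sets, size limits, and the sample message are assumptions chosen for illustration.

```python
"""Extract the artifacts a pre-delivery sandbox would detonate.

Added example, not the page's own material or any vendor's code. The policy
sets, size limits and the sample message are assumptions for illustration.
"""
import email
import hashlib
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Optional

# Assumed detonation policy: extensions that always go to the sandbox, archive
# types that are opened so each member is judged on its own, and bounds that
# stop nested-archive and zip-bomb tricks from stalling the pipeline.
DETONATE_EXTENSIONS = {"exe", "dll", "js", "vbs", "ps1", "lnk", "iso",
                       "docm", "xlsm", "pptm", "pdf"}
ARCHIVE_EXTENSIONS = {"zip"}
MAX_ARCHIVE_DEPTH = 2
MAX_MEMBER_BYTES = 50 * 1024 * 1024

# Magic bytes used to cross-check the declared extension: a PE image renamed
# to .pdf is a classic way to slip past extension-only filtering.
MAGIC = {b"MZ": "exe", b"%PDF": "pdf"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def sniff_type(data: bytes) -> Optional[str]:
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def extract_from_blob(name: str, data: bytes, depth: int = 0) -> List[Dict]:
    """Describe one attachment and, for archives, recurse into its members."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    sniffed = sniff_type(data)
    mismatch = sniffed is not None and sniffed != ext
    record = {
        "name": name,
        "sha256": hashlib.sha256(data).hexdigest(),
        "declared": ext,
        "sniffed": sniffed,
        "mismatch": mismatch,
        # Detonate on the declared type, the sniffed type, or any disagreement.
        "detonate": ext in DETONATE_EXTENSIONS or sniffed in DETONATE_EXTENSIONS or mismatch,
    }
    records = [record]
    if ext in ARCHIVE_EXTENSIONS and depth < MAX_ARCHIVE_DEPTH:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if info.file_size > MAX_MEMBER_BYTES:
                        record["detonate"] = True  # too large to inspect here
                        continue
                    member = zf.read(info)  # RuntimeError on password-protected members
                    records.extend(extract_from_blob(f"{name}/{info.filename}", member, depth + 1))
        except (zipfile.BadZipFile, RuntimeError):
            record["detonate"] = True  # corrupt or encrypted: never pass it through uninspected
    return records


def extract_artifacts(raw: bytes) -> Dict:
    """Walk a raw RFC 5322 message and collect attachments and body URLs."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    attachments: List[Dict] = []
    urls = set()
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            attachments.extend(extract_from_blob(filename, part.get_payload(decode=True)))
        elif part.get_content_type() in ("text/plain", "text/html"):
            urls.update(URL_RE.findall(part.get_content()))
    return {"attachments": attachments, "urls": sorted(urls)}


def detonation_queue(report: Dict) -> List[str]:
    return [a["name"] for a in report["attachments"] if a["detonate"]]


def build_sample_message() -> bytes:
    """Constructed sample: two body links, a 'PDF' that is really a PE image,
    and a zip holding a macro-enabled workbook beside a harmless text file."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("Q3 Invoice.xlsm", b"PK\x03\x04 constructed workbook bytes")
        zf.writestr("readme.txt", b"harmless text")
    msg = EmailMessage()
    msg["From"] = "billing@example.net"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please review your invoice: https://example.net/invoice/123")
    msg.add_alternative('<p>Or <a href="https://example.net/login">sign in</a> to view it.</p>',
                        subtype="html")
    msg.add_attachment(b"MZ\x90\x00 constructed PE bytes", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(archive.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    result = extract_artifacts(build_sample_message())
    for item in result["attachments"]:
        print(item)
    print("urls:", result["urls"])
    print("detonate:", detonation_queue(result))
```

The archive is opened so that the workbook inside it is queued on its own merits, while an archive that cannot be read (corrupt, or password-protected, which is how much commodity malware is shipped) is itself marked for detonation rather than silently delivered. The zip container is not queued by itself because nothing about it is suspicious once its members have been inspected.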
Control objective
What auditing this proves
Demonstrate that all inbound email attachments and embedded links are subject to automated sandbox analysis prior to delivery, with malicious artifacts quarantined or stripped based on detonation results.
Associated risks
Risks this control addresses
- Zero-day malware embedded in weaponized attachments bypasses signature-based antivirus and executes on user endpoints
- Polymorphic or obfuscated malware variants evade static analysis tools and deliver ransomware payloads
- Phishing links leading to credential-harvesting sites or drive-by download exploits reach user inboxes undetected
- Macro-enabled Office documents run attacker-supplied VBA when opened, or exploit unpatched vulnerabilities in common productivity software
- Targeted spear-phishing campaigns leverage novel exploit chains that lack existing threat intelligence signatures
- Malicious PDF or archive files execute embedded scripts or leverage format-parsing vulnerabilities
- Advanced persistent threat actors use multi-stage payloads that only activate under specific environmental conditions (for example after a sleep timer, or only on a domain-joined host with recent user activity), which a sandbox detects only if it emulates those conditions long enough
Testing procedure
How an auditor verifies this control
- Obtain and review the email security gateway or sandbox solution configuration documentation, including routing rules, detonation policies, and integration architecture diagrams.
- Extract and examine the sandbox policy settings, noting supported file types, handling of archives and of files that cannot be opened (password-protected, corrupt, or oversized), URL rewriting and time-of-click re-evaluation behavior, detonation time limits, and the thresholds for a malicious verdict. A file the sandbox cannot open should be blocked or flagged, not passed through.
- Review mail flow logs or message trace data for a representative sample period (minimum 30 days) to confirm that messages with attachments or links are routed through the sandbox engine before final delivery, and that no bypass rules (trusted senders, allowlisted domains, size exemptions) route in-scope mail around it.
- Select a random sample of at least 20 emails containing attachments and 20 containing links from production logs, and verify that a sandbox analysis record exists for each, including the verdict and detonation timestamp, and that detonation completed before the delivery timestamp recorded in the message trace.
- Request and review sandbox analysis reports for a known-malicious test sample (coordinated with IT) or historical true-positive detections, confirming that behavioral indicators (process trees, network callbacks, registry modifications) were captured.
- Verify that quarantine or blocking actions are automatically enforced based on sandbox verdicts by reviewing administrative logs or remediation records for flagged messages.
- Conduct a live test by sending a controlled sample through the production email system and confirm it is intercepted, detonated, and appropriately blocked or tagged. Note that the EICAR test file only proves the attachment was scanned by the signature engine; to exercise the detonation path, use a vendor-supplied or IT-management-approved sample that exhibits observable behavior (for example a macro document that spawns a child process, or a link to an internal page that imitates a credential-harvesting form), and confirm the sandbox report records that behavior rather than a signature match.
- Interview email security administrators to confirm ongoing tuning practices, false-positive review processes, and escalation procedures for sandbox evasion attempts or detection gaps.
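A reconciliation script for the log-review, sampling, and enforcement-verification steps above, as an added example (not the page's procedure and not any gateway's export format): it joins constructed message-trace rows with constructed sandbox-report rows and flags messages that lack a verdict, were delivered before detonation finished, or were delivered despite a malicious verdict. Field names, timestamps, and every row are assumptions; the real inputs are the gateway's message-trace and sandbox-report exports.

```python
"""Reconcile message-trace rows with sandbox verdicts to produce audit evidence.

Added example for the testing procedure; not the page's own tooling and not
any gateway's export format. Field names, timestamps and all rows below are
constructed assumptions: replace them with the real message-trace and
sandbox-report exports.
"""
from datetime import datetime
from typing import Dict, List, Optional

# Constructed message-trace export, one row per inbound message.
TRACE = [
    {"msg_id": "m1", "attachments": 1, "links": 0, "url_rewritten": False,
     "delivered_at": "2024-05-01T08:04:10+00:00", "final_action": "delivered"},
    {"msg_id": "m2", "attachments": 0, "links": 2, "url_rewritten": True,
     "delivered_at": "2024-05-01T08:05:00+00:00", "final_action": "delivered"},
    {"msg_id": "m3", "attachments": 1, "links": 0, "url_rewritten": False,
     "delivered_at": "2024-05-01T08:06:00+00:00", "final_action": "delivered"},
    {"msg_id": "m4", "attachments": 1, "links": 1, "url_rewritten": True,
     "delivered_at": None, "final_action": "quarantined"},
    {"msg_id": "m5", "attachments": 0, "links": 1, "url_rewritten": False,
     "delivered_at": "2024-05-01T08:10:00+00:00", "final_action": "delivered"},
    {"msg_id": "m6", "attachments": 0, "links": 0, "url_rewritten": False,
     "delivered_at": "2024-05-01T08:11:00+00:00", "final_action": "delivered"},
    {"msg_id": "m7", "attachments": 1, "links": 0, "url_rewritten": False,
     "delivered_at": "2024-05-01T08:15:00+00:00", "final_action": "delivered"},
]

# Constructed sandbox-report export, one row per detonated message.
SANDBOX = [
    {"msg_id": "m1", "verdict": "clean", "completed_at": "2024-05-01T08:03:30+00:00", "action": "deliver"},
    {"msg_id": "m4", "verdict": "malicious", "completed_at": "2024-05-01T08:07:45+00:00", "action": "quarantine"},
    {"msg_id": "m5", "verdict": "clean", "completed_at": "2024-05-01T08:12:00+00:00", "action": "deliver"},
    {"msg_id": "m7", "verdict": "malicious", "completed_at": "2024-05-01T08:14:00+00:00", "action": "deliver"},
]


def parse_ts(value: Optional[str]) -> Optional[datetime]:
    return datetime.fromisoformat(value) if value else None


def reconcile(trace: List[Dict], sandbox: List[Dict], allow_time_of_click: bool = True) -> Dict:
    """Join trace rows to verdicts and bucket every in-scope message."""
    verdicts = {row["msg_id"]: row for row in sandbox}
    report: Dict = {"in_scope": [], "covered": [], "missing_verdict": [],
                    "deferred_to_click": [], "delivered_before_verdict": [],
                    "malicious_delivered": []}
    for row in trace:
        if row["attachments"] == 0 and row["links"] == 0:
            continue  # nothing to detonate; outside this control's scope
        mid = row["msg_id"]
        report["in_scope"].append(mid)
        verdict = verdicts.get(mid)
        if verdict is None:
            # A link-only message whose URLs were rewritten may legitimately be
            # judged at click time if the policy allows it; anything else is a gap.
            if allow_time_of_click and row["attachments"] == 0 and row["url_rewritten"]:
                report["deferred_to_click"].append(mid)
            else:
                report["missing_verdict"].append(mid)
            continue
        report["covered"].append(mid)
        delivered = parse_ts(row["delivered_at"])
        completed = parse_ts(verdict["completed_at"])
        if delivered is not None and completed is not None and delivered < completed:
            report["delivered_before_verdict"].append(mid)  # sandbox was bypassed or raced
        if verdict["verdict"] == "malicious" and row["final_action"] == "delivered":
            report["malicious_delivered"].append(mid)  # verdict not enforced
    scoped = len(report["in_scope"])
    judged = len(report["covered"]) + len(report["deferred_to_click"])
    report["coverage_pct"] = round(100.0 * judged / scoped, 1) if scoped else 0.0
    return report


def audit_passes(report: Dict) -> bool:
    """The control holds only when every in-scope message was judged before
    delivery and every malicious verdict was enforced."""
    return not (report["missing_verdict"] or report["delivered_before_verdict"]
                or report["malicious_delivered"])


if __name__ == "__main__":
    r = reconcile(TRACE, SANDBOX)
    for key in ("missing_verdict", "deferred_to_click",
                "delivered_before_verdict", "malicious_delivered"):
        print(f"{key}: {r[key]}")
    print(f"coverage: {r['coverage_pct']}%  passes: {audit_passes(r)}")
```

Each bucket maps to one line of the procedure: missing_verdict is the coverage check on the sampled messages, delivered_before_verdict is the ordering check against the message trace, and malicious_delivered is the enforcement check against remediation records. Run it with allow_time_of_click=False when the policy under review claims pre-delivery detonation for links as well, so that rewritten-but-unjudged links are reported as gaps instead of deferrals.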