Email sandbox feature

ddelboccio
Contributor III

If an incoming email with an infected attachment is caught by the sandbox features, what happens to that message?

I know the assumption is the message is blocked.

But is the message rejected back to the sender?

Does the intended recipient receive a message that an incoming message was blocked?

Are sandbox events logged in the admin console somewhere?

Guess I never really thought about it past simply enabling the feature.

3 REPLIES

claycodes
Staff

Attachments are opened in a Virtual Machine. If something is detected, it's matched with VirusTotal. The message is then quarantined by rules you configure. If it's a zero-day, it goes right to Google Security Engineering for analysis.
No message is sent back to the sender since they may be a nefarious actor.

Gmail Logs maintain a record of what was discovered.

I do not see any other option for "Security Sandbox" other than enabling it. I do not see any reference to messages being quarantined.

Would the message events appear in the "suspicious attachments" security dashboard card?

ddelboccio
Contributor III

Now I am seeing conflicting information in this Google document:

https://support.google.com/a/answer/7676854?hl=en&ref_topic=9974692

When Security Sandbox identifies a message with suspicious or malicious attachments, the message is automatically sent to the recipient's spam folder. Google saves information about the attachment to improve security in other Google products.

Enabling the Security Sandbox setting DISABLES the Security Sandbox rules settings.

Does this now mean detected messages with infected attachments are sent to SPAM?