Increase email security with the security sandbox for Gmail beta

This announcement was made at Google Cloud Next ‘19 in San Francisco. Check out Next OnAir to tune into the livestream or watch session recordings following the event.

What’s changing 

Security sandbox for Gmail (beta) detects the presence of previously unknown malware in attachments by virtually "executing" them in a private, secure sandbox environment, and analyzing the side effects on the operating system to determine malicious behavior.

Email attachments are detonated within a sandbox in the exact same way as they would if an actual user had clicked on it. This is done in a matter of minutes prior to the delivery of the email, and provides users with an extra layer of security. Security sandbox has been developed with a focus to provide coverage against malware propagated through malicious embedded scripts and zero day threats. The security sandbox for Gmail beta will provide:

  • Granular admin controls for rules to trigger pre-delivery deep scanning and quarantine behavior for potentially malicious emails 
  • Reporting through the G Suite security center 

Who’s impacted 

Settings impact admins only. If turned on, users may notice a delay of a few minutes in the delivery of affected mail due to scanning time.

Why you’d use it 

Security sandbox provides an additional level of anti-malware protection over and above conventional detection. By virtually opening an attachment in a secure environment that can analyze the effects on the target operating system, it’s better able to detect ransomware, sophisticated malware propagated through embedded scripts (like files containing macros or .js files), and zero-day threats. 

How to get started 

  • Admins: Find and turn on the beta security sandbox feature at Admin console > Menu > Apps > G Suite > Gmail > Advanced settings. Use our Help Center to find more information on how to detect harmful attachments
  • End users: No action needed 

Additional details 

Granular admin controls 
If desired, admins will be able to set up custom rules to control which messages are tested in the security sandbox. If custom rules are not applied, all messages with attachments sent to the OU will be checked in the sandbox. Rules can be customized for each organizational unit (OU). Admins can also decide what to do with messages that have malware. Malware detected by Security Sandbox is put in the spam folder by default. You can quarantine malware attachments detected by Security Sandbox instead. Create a content compliance rule using the spam metadata attribute.


Rollout details 

G Suite editions 

  • Available to G Suite Enterprise and G Suite Enterprise for Education 
  • Not available to G Suite Basic, G Suite Business, G Suite for Education, and G Suite for Nonprofits 

On/off by default? 
This feature will be OFF by default and can be customized at an OU level.

Stay up to date with G Suite launches