What is sandbox detonation in email security?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Imagine an email lands at your company's security gateway carrying a PDF attachment. Nothing looks obviously wrong. But the gateway doesn't just wave it through. Instead, it sends that file to a sandbox first, a sealed-off virtual machine designed to open the file and watch what happens next. That process is called sandbox detonation.
The idea is simple: instead of guessing whether a file is dangerous based on how it looks, you actually run it and observe what it does. Signature-based scanners can only catch threats they've seen before. Sandboxes catch behavior, which means they can flag brand-new attacks too.
Here's how it works step by step.
- The email security gateway intercepts the message and quarantines the attachment before it reaches the inbox.
- The attachment is loaded into an isolated virtual machine that mirrors a real operating system (Windows, macOS, whatever fits the target environment).
- The sandbox "detonates" the file, meaning it opens it exactly as a real user would.
- While the file runs, the sandbox watches for red flags: outbound network connections to suspicious IPs, files being written to disk, new processes spawning, registry changes, attempts to disable antivirus software.
- If the behavior looks malicious, the message is blocked or flagged for review. If it passes, it continues to the inbox (sometimes with a delay of 30 seconds to a few minutes).
That delay is worth knowing about if you're a sender. Legitimate emails with attachments can hit this queue, and recipients sometimes see a brief hold before delivery. It's not your fault, and it's not a sign your domain has a reputation problem. It's just the gateway doing its job.
What triggers a malicious flag? Common behavioral signals include the file trying to reach out to a command-and-control server, dropping a secondary executable onto the system, spawning PowerShell processes unexpectedly, or attempting to read credential files. Any one of these in a real inbox would be bad news.
The evasion problem. Sophisticated malware knows it might be inside a sandbox. Some strains deliberately sleep for longer than the analysis window (often 30-120 seconds) before doing anything harmful. Others check for sandbox artifacts like virtual machine drivers, unusually fast CPUs, or a lack of real mouse movement, and stay dormant if they suspect they're being watched. (It's a bit like a thief who only steals when they're sure the cameras are off.)
This is why sandboxing is valuable but not the whole story. It layers on top of other detection methods rather than replacing them. Most enterprise-grade tools combine sandbox detonation with header anomaly detection, reputation scoring, and real-time URL analysis to build a fuller picture.
Still if your organization is trying to understand what your current security layer actually catches, our SOS hotline is free and we're happy to talk through what tools fit your setup.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.