• Adam Goodley

What is an email sandboxing service?

In this blog we are going to talk about what an email sandboxing service is and what it can do for your organisation, in partnership with Libraesva.

"94% of malware is delivered via e-mail"

Verizon via Cyber Security Online.

The above is a scary number, and at any point in time you, as an individual or business, can be a victim of such malicious intent. But there are ways of protecting yourself. Enter sandboxing. Sandboxing is a technique in which you create an isolated test environment, a “sandbox,” in which to execute or “detonate” a suspicious file or URL that is attached to an email or otherwise reaches your network, and then observe what happens. If the file or URL displays malicious behaviour, then you’ve discovered a new threat. The sandbox must be a secure, virtual environment that accurately emulates the CPU of your production servers.

Sandboxing is particularly effective at defending against zero-day threats. Traditional inbound email filters scan emails for known malicious senders, URLs, and file types. Unfortunately, there are dozens of new (or “zero-day”) threats that appear every single day and are not yet discovered by email filters.

So how can you dig your way out of this one?

Sandboxing, which is a key component of advanced threat protection, provides an added layer of protection in which any email that passes the email filter and still contains unknown URL links, file types, or suspicious senders can be tested before it reaches your network or mail server.

What is the Libraesva URLs and sandboxing service?

Libraesva's Email Security Solution provides peace of mind: it's flexible, modular and affordable, and the cherry on top is that it also provides a sandbox environment. It is a service available on all Libraesva ESG appliances starting with version 4.0. It is easily enabled: just go to System -> Content Analysis -> Sandbox Filters, check the “Enable URI Sandbox” checkbox, and you're done!

This option can be customized for each domain, which means that you can enable it for the whole appliance and disable it for some domains, or keep it disabled by default and enable it only for some domains.

"Over 60% of attacks can be avoided" Do not let your company be a victim here.

Cyber Security Online.

So how does it work?

If the option is enabled for the recipient domain, the Libraesva appliance rewrites the URIs it finds inside emails so that when the final recipient clicks on the link it doesn’t go to the original URI but, instead, to the EsvaLabs URI Sandbox service.

Here is an example:

Original URI:

Rewritten URI:

When the user clicks on the link, the EsvaLabs URI Sandbox will analyse the target URI in real time by performing lookups on known malware/phishing URI lists and by actively analysing the contents of the page looking for malicious behavior.

If the URI has recently been analysed, the response of the Sandbox will be immediate and, if classified as “clean”, an immediate redirect is performed.

If the page has not been recently analysed, it will be retrieved and scanned. If redirects are found, the checks are repeated for all the intermediary URIs. This can take up to a few minutes depending on the number of intermediary pages and the speed of the servers serving those pages.

The user is allowed to skip the checks but warned about it, and the complete URI is shown to allow the user to decide whether to trust it or not.

If the URI is classified as “dangerous” a blocking page is displayed.

The option “I accept the risk and want to follow this dangerous link” can be disabled with the Libraesva ESG configuration flag “Do not allow users to skip URI Sandbox checks”.

If the URI is classified as “suspect” a warning page with the website screenshot preview is displayed to allow visual checks of the requested website.

The option to show suspect website preview to the user can be disabled with the Libraesva ESG configuration flag “Show preview for suspicious pages”.


You may have concerns regarding privacy of the emails, but you should not worry. Libraesva gather the absolute minimum amount of information they need to provide the service. In the rewritten URI you can see that there are only three parameters:

  • The original URI

  • A unique ID of the Libraesva ESG appliance that has rewritten the URI

  • A checksum that guarantees the integrity of the data

The last two parameters are required to verify that only legit URIs are processed by the service (i.e. URIs rewritten by Libraesva ESG appliances) and that the URI has not been tampered with.

The identity of the recipient of the email is not provided to the Sandbox. Of course, the original URI may contain parameters that could identify the recipient; this is inevitable. For example, a URI to unsubscribe from a mailing list might contain the email address of the recipient.

The Sandbox service is accessed via HTTPS which protects the whole conversation between the user’s browser and the sandboxing service.

The Sandbox engine may forward the requested URI to external services to improve the detection.


Libraesva provides and maintains a list of exceptions via its usual update service. This list instructs the ESG appliance not to rewrite URIs that match the exception list. Only highly reliable services where no user content is available are included in this list.

The administrator of the Libraesva ESG appliance can add exceptions via System -> Content Analysis -> Phishing Highlight. All URIs for the sites added as “safe” to the “Phishing Sites List” are not rewritten.
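
The three-parameter rewritten URI and the exception list described above can be sketched as follows. This is an added example, not Libraesva's code or its actual URI format: the sandbox host, the parameter names, the keys and the use of HMAC-SHA256 as the "checksum" are all assumptions made for illustration.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical values: host, parameter names, key and appliance ID are
# constructed for this sketch and do not reflect the real service.
SANDBOX = "https://urlsand.example.invalid/"
EXCEPTIONS = {"intranet.example.com"}            # sites marked "safe"
APPLIANCE_KEYS = {"esg-0001": b"constructed-demo-key"}


def _tag(appliance_id: str, uri: str) -> str:
    """Keyed checksum binding the appliance ID to the original URI."""
    msg = appliance_id.encode() + b"\x00" + uri.encode()
    key = APPLIANCE_KEYS[appliance_id]
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def rewrite(uri: str, appliance_id: str) -> str:
    """Appliance side: rewrite a URI unless its host is an exception."""
    host = (urlsplit(uri).hostname or "").lower()
    if host in EXCEPTIONS:
        return uri                                # left untouched
    query = urlencode(
        {"url": uri, "id": appliance_id, "c": _tag(appliance_id, uri)}
    )
    return SANDBOX + "?" + query


def verify(rewritten: str) -> Optional[str]:
    """Service side: return the original URI only if ID and checksum hold."""
    params = parse_qs(urlsplit(rewritten).query)
    try:
        uri, appliance_id, tag = (params[k][0] for k in ("url", "id", "c"))
    except KeyError:
        return None                               # a parameter is missing
    if appliance_id not in APPLIANCE_KEYS:
        return None                               # not from a known appliance
    expected = _tag(appliance_id, uri)
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None                               # URI or ID was altered
    return uri
```

The original URI travels intact inside the rewritten link, so any recipient-identifying parameter it carries, as in the unsubscribe case mentioned earlier, reaches the service as well.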


In this day and age, attacks are becoming more targeted and more complex but there are ways to protect yourself and avoid loss of data, reputational damage and financial harm. A blanket level protection is a fantastic start but the attacks are evolving and therefore a sandbox environment helps ensure an additional level of security against new levels of maliciousness.
