Sophos Email customers using IP-based mailflow rule connectors must migrate to certificate-based configuration by March 31st. To see if you're affected Click Here.

Get unparalleled visibility into email attachments detonated in the Sophos cloud sandbox, with a breakdown of threat verdicts based on machine learning analysis, file reputation scores, VirusTotal results and Mitre ATT&CK Matrix tactics.


About Sophos Email Sandbox (Sandstorm)

The sandbox is an effective way to keep malicious behavior and malicious threats off the network and your endpoints.

The way it does that is by convicting attacks based on their behaviour and not their appearances, so a very effective way to give you protection against zero-day threats. Sophos Sandstorm is a feature available with Sophos Email Advanced at no extra cost.


How it works:

Sandstorm selects potentially malicious files to be executed within an isolated virtual machine where we observe he files behaviour. That includes all the processes, file activity, registry activity, network connections.

Sandstorm then decides about whether or not the file is malicious based on the observed behaviour. And this is very important because these days threats are constantly changing their appearance.  Malware authors are very persistent at changing their code, obfuscating it, encrypting it, to make it look different than it looked before. What remains constant is the behavior of the malicious threats.

Each week Sophos process 75k detonations of potentially malicious file. That’s how many times we execute a file in the sandbox. And in terms of conviction, roughly 1 in every 25 samples that we detonate in the sandbox is convicted. To rationalize that, for every 25 times a file selected for analysis, at least one of them was a potential ransomware attack, or other malicious threat that could cost the business 100k’s of dollars. So very important to provide this layered protection.


How Sophos Email selects files for execution in the sandbox

This is where the Sophos sandboxing offering has a real edge, as all the expertise of SophosLabs is essentially built into our prefilter for our sandbox – building in over 35 years of data.

The pre-filter is our first stage of analysis, where we identify ‘known clean’ files, none of those flow through the sandbox. And that makes up 30% of the files we see.

The next 10% which can be eliminated and not sent to the sandbox are the ‘known bad” files. Because the selection logic is using our virus scanning engine, any files that we already detect as malware do not need to be selected for sandbox execution because we already know they are malicious. Now we have already eliminated 40% of traffic.

The next 40% fall into a category of ‘unknown’ files, but files which appear to be safe. And these make up the vast majority of the unknow files. The reason is because documents and PDFs that do not contain active content are unlikely to be exploit related files. Therefore while ‘unknown’, we can determine them to be safe.

This leaves us with the ‘unknown bad’, potentially malicious files for detonation in the sandbox – greatly increasing performance. This includes selecting all windows executables, and documents containing active content, or PDFs with active content, or other scripts and files that we know to be abused as an attack vector.


New advanced threat report for Sophos Email Advanced

The latest addition to Sophos Email Advanced, the new Advanced Threat Report provides a summary of inbound messages that were detonated in the sandbox environment, filterable by date and scan result for the last year.


Providing new detail message summary overviews including message details, attachments, and scan verdict. While also providing insight into how many times that file has been detected at your organizations (detected in mailboxes on a domain protected by Sophos email in the same Sophos Central account).


Going further than ever to surface the results static analysis results including file summary information, clear overall verdict, machine learning analysis, file reputation, file analysis, and Virustotal report findings.


As well as going deeper with the results of Sandstorms dynamic file analysis including Mitre ATT&CK Matrix results, processes run, file activity taken, an activity tree detailing the actions that file tried to take in the virtual environment, as well as screen shots of the files activity for your review.


Sophos Sandstorm, with its latest enhancements, it’s now like having Intercept X inside Sophos Email, only turbo charged. Using the same machine learning, CyrptoGuard and WipeGuard protection found in our next gen endpoint product to add additional layers of protection when analyzing a files behavior… before threats make it into your inbox and onto the network.