# 23 Gmail Security Sandbox + safety-toggle verification

> v0.1.3 · role: Prevent · edition: Biz Std+, Frontline Plus / All · [policy: #7 · #6](https://docs.google.com/spreadsheets/d/1nOztaPd1Y7eNeRSR_hdovYy-ncpx-bAx/edit?usp=sharing&ouid=115159875779023172526&rtpof=true&sd=true)

Security Sandbox detonates incoming attachments in a virtual machine before delivery, catching malware that static scanning misses; it can run for a whole OU or be narrowed by rules (external senders only, high-risk OU only) if the delivery delay is unaffordable tenant-wide. The other half of this control is free on every edition: Gmail's Safety toggles for attachments, links and images, and spoofing and authentication — plus the auto-adopt setting that applies future Google-recommended safety settings without a manual review cycle. Those toggles matter as much as the sandbox does, because they ship on defaults that warn rather than quarantine.

## Caveats

- 'Keep email in inbox and show warning' is the default action for several Safety toggles and is not the control — a warning banner a user clicks through is not a mitigation; Quarantine or Move email to spam are.
- Security Sandbox delays delivery by up to about 3 minutes — announce it before enabling it tenant-wide, or unexplained mail latency generates its own incident.
- Security Sandbox is available on Business Standard and Plus, Enterprise Standard and Plus, and Frontline Plus — on editions without it only the Safety half of this control is available, and it fully applies.
- 'Enable virtual execution' scans every attachment — which makes targeted sandbox rules redundant.

## Setup steps

1. Scroll to Security sandbox and enable pre-delivery detonation of attachments for the whole OU (organizational unit) rather than maintaining rule exceptions. — `Apps › Google Workspace › Gmail › Spam, Phishing and Malware`

   Enable virtual execution of attachments in a sandbox environment = checked

   docs: [Set up rules to detect harmful attachments](https://knowledge.workspace.google.com/admin/gmail/advanced/set-up-rules-to-detect-harmful-attachments)

2. If you cannot afford the delivery delay tenant-wide, configure targeted rules instead (e.g. only messages from outside the domain, only to the high-risk OU). — `Apps › Google Workspace › Gmail › Spam, Phishing and Malware › Security sandbox rules`

   Security sandbox rules > Configure > match: sender is external AND recipient in high-risk OU

   docs: [Set up rules to detect harmful attachments](https://knowledge.workspace.google.com/admin/gmail/advanced/set-up-rules-to-detect-harmful-attachments)

3. Verify every Safety toggle is on and set to the strict action — these are the free half of this control, configured setting-by-setting by [№19](residual-mail-hygiene.md). — `Apps › Google Workspace › Gmail › Safety`

   Attachments (encrypted, scripts, anomalous types), Links and external images (shortened URLs, linked-image scanning, untrusted-domain warnings), Spoofing and authentication (domain spoof, employee-name spoof, inbound unauthenticated, unauthenticated images) = all On; action = Quarantine or Move email to spam

   docs: [Advanced phishing and malware protection](https://knowledge.workspace.google.com/admin/gmail/advanced/advanced-phishing-and-malware-protection)

4. Turn on 'Apply future recommended settings automatically' in each Safety section (Attachments, Links and external images, Spoofing and authentication) so future Google-recommended settings apply without a manual review cycle. — `Apps › Google Workspace › Gmail › Safety`

   - **Apply future recommended settings automatically** = checked in each section (Attachments, Links and external images, Spoofing and authentication)

   docs: [Advanced phishing and malware protection](https://knowledge.workspace.google.com/admin/gmail/advanced/advanced-phishing-and-malware-protection)

## How to verify

1. Confirm the sandbox and safety toggles on the OU, then check the security sandbox verdicts appear in the investigation tool for recent attachments.

## Settings screens

- Apps > Google Workspace > Gmail > Spam, Phishing and Malware (Security Sandbox)
  - console: https://admin.google.com/ac/apps/gmail/spam
  - screenshot: ../screenshots/admin.google.com/ac/apps/gmail/spam.png
- Apps > Google Workspace > Gmail > Safety
  - console: https://admin.google.com/ac/apps/gmail/safety
  - screenshot: ../screenshots/admin.google.com/ac/apps/gmail/safety.png
