You can safely open and interact with reported emails using the sandbox environment. This feature is designed to help administrators make informed judgements about reported emails. By safely interacting with messages, links, and attachments in an isolated environment, admins can better assess intent and correctly attribute emails as spam, phishing, or legitimate.
To open an email in a sandbox, it needs to be reported, and it cannot be a simulated phishing email. To get started with email reporting, head to our Report Email Launch Pad.
How to access the sandbox
Go to Reporting.
Select Reported Emails.
Click the email you want to review in the Message ID column.
Open the Sandbox tab.
Click Open email in sandbox environment.
The sandbox takes around 5 to 10 seconds to start.
What happens in the sandbox
Once the sandbox loads, the email opens inside Mozilla Thunderbird running in an isolated Ubuntu Desktop Virtual Machine. You can essentially interact with the message as if it were on a real device.
From here, you can safely:
Open and read the email
Click and load embedded links to see where they lead
Open attachments
All activity stays contained within the sandbox, so your own endpoint remains protected.
Session limits
Each sandbox session lasts 15 minutes. After this time, the environment is automatically destroyed.
Abuse Monitoring
Please note that CanIPhish logs and monitors high-level network activity (i.e., IP addresses contacted and DNS queries made) to ensure the sandbox is used for strictly legal and non-malicious purposes.
Comments
0 comments
Please sign in to leave a comment.