Testing Suspicious emails using Windows Sandbox
Co-workers often forward me emails when they are unsure if it is a valid email or something malicious. As one of the IT managers, I need to evaluate these emails in a safe environment. The tool I use for this is Windows Sandbox.
Windows Sandbox was added as a feature to Windows 10 with the May 2019 Update (version 1903). Every time you start Sandbox, it creates a Virtual Machine with a clean install of Windows 10. When you shut it down, the image is erased. This makes it an ideal environment for testing untrusted applications, links, and emails.
To enable Windows Sandbox, first make sure you have the minimum requirements:
- Windows 10 Pro or Enterprise, version 1903
- Hardware virtualization enabled in your BIOS
- At least 2 CPU cores
- 4 GB of memory
- 1 GB of available disk space
Once the minimum requirements are met, click Start, then find "Turn Windows Features On or Off". Select the Windows Sandbox feature and click OK. Reboot when prompted.
To use Windows Sandbox, click Start, search for the Windows Sandbox icon and click on it. A new VM will start. Depending on your hardware, it will take between a few seconds and a minute or two.
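The same checks and the enable step, as an added PowerShell example that is not part of the original post. It assumes an elevated prompt on the host and uses the feature name Containers-DisposableClientVM, which is what the "Windows Sandbox" checkbox turns on; version 1903 corresponds to build 18362.

```powershell
# Added example (not from the post): verify the Windows Sandbox requirements
# listed above, then enable the feature. Run from an elevated PowerShell on the host.
$os  = Get-CimInstance Win32_OperatingSystem
$cpu = Get-CimInstance Win32_Processor
$cs  = Get-CimInstance Win32_ComputerSystem

$edition = $os.Caption                      # e.g. "Microsoft Windows 10 Pro"
$build   = [int]$os.BuildNumber             # version 1903 = build 18362
$cores   = ($cpu | Measure-Object -Property NumberOfCores -Sum).Sum
$memGB   = [math]::Round($os.TotalVisibleMemorySize / 1MB, 1)   # value is in KB
$sysDrv  = $env:SystemDrive.TrimEnd(':')
$freeGB  = [math]::Round((Get-PSDrive -Name $sysDrv).Free / 1GB, 1)
# Firmware flag is reported False once a hypervisor is already running,
# so accept either indicator.
$virt    = $cs.HypervisorPresent -or ($cpu | Select-Object -First 1).VirtualizationFirmwareEnabled

$checks = [ordered]@{
    "Windows 10 Pro or Enterprise ($edition)" = $edition -match 'Pro|Enterprise'
    "Version 1903 or later (build $build)"   = $build -ge 18362
    "Hardware virtualization enabled"        = [bool]$virt
    "At least 2 CPU cores ($cores)"          = $cores -ge 2
    "At least 4 GB of memory ($memGB GB)"    = $memGB -ge 4
    "At least 1 GB free on $sysDrv ($freeGB GB)" = $freeGB -ge 1
}

$failed = @()
foreach ($name in $checks.Keys) {
    $ok = $checks[$name]
    $status = if ($ok) { 'PASS' } else { 'FAIL' }
    "{0,-4} {1}" -f $status, $name
    if (-not $ok) { $failed += $name }
}
if ($failed) {
    Write-Warning "Requirements not met: $($failed -join ', ')"
    return
}

# Equivalent to ticking 'Windows Sandbox' under 'Turn Windows Features On or Off'.
Enable-WindowsOptionalFeature -Online -FeatureName Containers-DisposableClientVM -All -NoRestart
Write-Host "Windows Sandbox enabled. Reboot, then start WindowsSandbox.exe for a fresh VM."
```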
For testing emails, I use the included Microsoft Edge browser to open Outlook Web Access. Then I can access the questionable email and evaluate it. If there's a link involved, I can open the link without fear of lasting virus infections. In many cases, they are phishing emails that lead to fake login screens. Once I see such a login screen, I can confirm that the email is not legitimate and let the end-user know. Make sure not to enter any credentials beyond your initial OWA login.
You can also copy & paste files (but not drag/drop) from your physical machine into the Sandbox VM. This makes it easy to test questionable software applications. You could even install your preferred anti-virus application in the Sandbox for testing websites or applications.
Once you are done testing within the VM, click the top right X to close it. Lastly, click Ok in the confirmation window, and the VM will be permanently erased.