Recorded Future Sandbox can analyze emails directly, quickly pulling out attachments and URLs to run in virtual machines (VMs). However, the mechanism may be a little different from those found elsewhere. This article examines how it works and details how to get the most out of the feature.
Uploading an email
Emails can be submitted in .eml and .msg formats. These are effectively archive files that contain the text of the email bundled with any attachments and other included data. The sandbox treats them as such, extracting them in the same way as .zip and similar formats during the static analysis phase.
In the following example, the email contains a short piece of text with an embedded link and two attachments: a Word document and a .zip file containing an Excel document.
Once uploaded, all attachments display in the File Tree section of the configuration page. By default, the sandbox auto-selects any files that may benefit from behavioral analysis and appear on the list of supported file formats (more details in our docs here).
Selecting attachments
Looking at the File Tree section of the screenshot above, there are a few points to note:
- .docx and .xlsx are supported file types, so these are both automatically selected for behavioral analysis in VMs
- The email text content is saved as .txt files within the archive; .txt is not supported for behavioral analysis so these are not selected
- .eml and .zip are archive formats - just wrappers around the actual content; these are not selected for the behavioral analysis stage
- URLs are extracted and shown separately on the right
It is possible to manually override the automatic file selection, but note that unsupported file types may not react as expected within the VMs due to not having the relevant software installed. For the best sandbox experience, only submit the automatically selected files for behavioral analysis.
Important note: Submitting the .eml file to behavioral analysis does not yield useful results. The attachments and URLs should be selected directly for best results.
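The File Tree rules above can be previewed locally before anything is uploaded: an .eml is just a container, so the same walk the sandbox performs during static analysis (list the parts, descend into .zip attachments, pull URLs out of the text, mark which parts would be auto-selected) can be done with the Python standard library. The script below is an added example, not sandbox code; the BEHAVIORAL_TYPES set is a stand-in for the sandbox's supported-format list and only contains the two types the article confirms (.docx and .xlsx), and the sample message it builds is constructed to match the example email described above.

```python
"""Preview what the sandbox will pull out of an email before uploading it.
Added example, not sandbox code. Treats the .eml as a container: lists its
attachments (descending into .zip attachments the same way), the URLs in its
text, and which parts would be auto-selected for behavioral analysis."""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumption: stand-in for the sandbox's supported-format list (see its docs);
# only .docx and .xlsx are confirmed by the article.
BEHAVIORAL_TYPES = {".docx", ".xlsx"}
CONTAINER_TYPES = {".zip", ".eml", ".msg"}
URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def _ext(name):
    return ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""


def classify(name):
    """Mirror the File Tree rules: containers are wrappers, only supported
    document types are auto-selected, everything else (e.g. .txt) is not."""
    ext = _ext(name)
    if ext in CONTAINER_TYPES:
        return "container"
    return "selected" if ext in BEHAVIORAL_TYPES else "not-selected"


def _walk_zip(prefix, data, out):
    """List the members of a .zip attachment, recursing into nested zips,
    the way the sandbox's static extraction unpacks archives."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = f"{prefix}/{info.filename}"
            out.append((path, classify(info.filename)))
            if _ext(info.filename) == ".zip":
                _walk_zip(path, zf.read(info), out)


def inventory(eml_bytes):
    """Return {'urls': [...], 'files': [(path, classification), ...]}."""
    msg = BytesParser(policy=policy.default).parsebytes(eml_bytes)
    urls, files = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            files.append((filename, classify(filename)))
            if _ext(filename) == ".zip":
                _walk_zip(filename, part.get_payload(decode=True), files)
        elif part.get_content_type() in ("text/plain", "text/html"):
            # The sandbox stores body text as .txt/.html files, which are not
            # selected for behavioral analysis; URLs are extracted from them.
            name = "body.txt" if part.get_content_type() == "text/plain" else "body.html"
            files.append((name, classify(name)))
            for url in URL_RE.findall(part.get_content()):
                if url not in urls:
                    urls.append(url)
    return {"urls": urls, "files": files}


def build_sample_eml():
    """Constructed message: one link in the body, a .docx attachment and a
    .zip wrapping an .xlsx, matching the article's example layout."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("report.xlsx", b"xlsx-placeholder")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "analyst@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please review https://hatching.io/blog/#category=all today.")
    msg.add_attachment(b"docx-placeholder", maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="invoice.docx")
    msg.add_attachment(inner.getvalue(), maintype="application",
                       subtype="zip", filename="sheets.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    result = inventory(build_sample_eml())
    for path, verdict in result["files"]:
        print(f"{verdict:13} {path}")
    print("urls:", result["urls"])
```

Running it on a real message (`inventory(open("mail.eml", "rb").read())`) gives the analyst the same view the configuration page will show, which is useful for deciding up front whether the attachments or only the URLs are worth a VM run.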
API
The submission API works the same for emails as for other archive files like .zip; attachments are extracted and selected as shown above, and on default settings (with the interactive flag set to false) behavioral analysis launches automatically for each relevant file with no further steps necessary.
Documentation and examples on how to submit samples via the API are available here.
Selecting URLs
Referring back to the screenshot above, the URL embedded in the email is extracted and displayed in the section on the right.
To submit a URL for behavioral analysis, click on the “Analyze” button next to it. This launches a new URL submission for that link, where you can select configuration options separately from the file analysis (for example, to enable Tor networking).
URLs are not automatically selected or submitted for analysis unless selected in this way.
API
Extracted URLs are shown in the static report for the analysis, and can then be re-submitted as URL analyses via new requests.
The process looks like this:
Step 1: Submit .eml file to sandbox
Request:
curl -H 'Authorization: Bearer <API_KEY>' -F 'file=@./eml_example.eml' \
  -F 'interactive=true' https://tria.ge/api/v0/samples
Response:
{"id":"250212-mslr9azrbv","status":"pending","kind":"file","filename":"eml_example.eml","submitted":"2025-02-12T10:43:42Z"}
Note the interactive flag in the request above. If you only want to look at the URLs in an email and aren’t concerned about attachments, this flag causes the sandbox to stop and wait after static analysis, rather than immediately scheduling analysis tasks for any files found. You can leave this out of the example above if preferred.
Step 2: Fetch the static analysis report
Request:
curl -H 'Authorization: Bearer <API_KEY>' \
  https://tria.ge/api/v0/samples/250212-mslr9azrbv/reports/static | jq -r .files[0].metadata.urls
Response:
[
"https://hatching.io/blog/#category=all"
]
Here, the ID value returned by Step 1 is used to fetch the static analysis report, and jq filters the output down to the urls field.
There can be multiple files in an analysis, but in this case the .eml/.msg file itself is index 0 in the list, so we can target that directly. Depending on the use case, it may be best to iterate through the full files list: for example, PDF files can also have URLs extracted from them during static analysis, and iterating would catch any coming from that source.
Step 3: Submit URL analysis
Request:
curl -H 'Authorization: Bearer <API_KEY>' -F 'url=https://hatching.io/blog/#category=all' \
  https://tria.ge/api/v0/samples
Response:
{"id":"250212-mwgygawc2c","status":"pending","kind":"url","url":"https://hatching.io/blog/#category=all","submitted":"2025-02-12T10:48:44Z"}
The analysis now runs the URL on default settings in a VM. You can view the analysis live and access the live interaction feature by visiting the URL in your browser. Just add the ID value to the end of the URL for the sandbox instance you use (e.g., https://tria.ge/250212-mwgygawc2c).
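The three steps above chain naturally into one script: upload the email with interactive=true so that only static analysis runs, read the static report, walk every entry in its files list (not just index 0, as the note under Step 2 recommends) for metadata.urls, and resubmit each distinct URL as its own analysis. The following is an added example in Python using only the standard library, not code from the sandbox or its documentation. It assumes the endpoints exactly as shown in the curl commands above, an API key in the TRIAGE_API_KEY environment variable, and, because the article does not say how to wait for the static phase to finish, it treats an HTTP 404 on the static report as "not ready yet" and retries a few times (that retry behaviour is an assumption).

```python
"""Automate Steps 1-3: submit an .eml, collect URLs from every file in the
static report, and resubmit each URL for analysis. Added example, not sandbox
code. Assumes the endpoints shown in the article and TRIAGE_API_KEY in the env."""
import json
import os
import sys
import time
import urllib.error
import urllib.request
import uuid

API_BASE = "https://tria.ge/api/v0"  # from the article's curl examples


def encode_multipart(fields, files=None):
    """Build a multipart/form-data body, the same thing curl's -F flags send.
    files maps field name -> (filename, bytes). Returns (body, content_type)."""
    boundary = uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts.append(
            f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"'
            f"\r\n\r\n{value}\r\n".encode())
    for name, (filename, data) in (files or {}).items():
        parts.append(
            f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"; '
            f'filename="{filename}"\r\nContent-Type: application/octet-stream'
            "\r\n\r\n".encode() + data + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode())
    return b"".join(parts), f"multipart/form-data; boundary={boundary}"


def _request(method, path, api_key, body=None, content_type=None):
    req = urllib.request.Request(API_BASE + path, data=body, method=method)
    req.add_header("Authorization", f"Bearer {api_key}")
    if content_type:
        req.add_header("Content-Type", content_type)
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def submit_email(api_key, path, interactive=True):
    """Step 1: upload the .eml/.msg. interactive=true makes the sandbox stop
    after static analysis instead of scheduling VM tasks for every file."""
    with open(path, "rb") as fh:
        body, ctype = encode_multipart(
            {"interactive": "true" if interactive else "false"},
            {"file": (os.path.basename(path), fh.read())})
    return _request("POST", "/samples", api_key, body, ctype)


def fetch_static_report(api_key, sample_id, attempts=10, delay=3):
    """Step 2: the static report. Assumption: a 404 means static analysis is
    still running, so retry a few times before giving up."""
    for i in range(attempts):
        try:
            return _request("GET", f"/samples/{sample_id}/reports/static", api_key)
        except urllib.error.HTTPError as exc:
            if exc.code != 404 or i == attempts - 1:
                raise
            time.sleep(delay)


def extract_urls(report):
    """Walk every file in the report (the .eml itself, attachments, PDFs...)
    and collect metadata.urls, de-duplicated while preserving order."""
    seen, urls = set(), []
    for entry in report.get("files") or []:
        for url in (entry.get("metadata") or {}).get("urls") or []:
            if url not in seen:
                seen.add(url)
                urls.append(url)
    return urls


def submit_url(api_key, url):
    """Step 3: resubmit one extracted URL as its own analysis (-F url=...)."""
    body, ctype = encode_multipart({"url": url})
    return _request("POST", "/samples", api_key, body, ctype)


if __name__ == "__main__":
    key = os.environ["TRIAGE_API_KEY"]
    sample = submit_email(key, sys.argv[1])
    print("email submitted:", sample["id"])
    for url in extract_urls(fetch_static_report(key, sample["id"])):
        result = submit_url(key, url)
        print(f"url analysis {result['id']} -> {API_BASE.split('/api')[0]}/{result['id']}  {url}")
```

Because extract_urls iterates the whole files list, a URL that the static phase pulls out of a PDF attachment is resubmitted alongside those found in the email body, and the de-duplication avoids launching two VM runs for the same link when it appears in both the plain-text and HTML bodies.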