In recent years, the use of tools known as sandboxes has grown significantly. These platforms offer a secure, isolated environment in which suspicious files, emails and potentially harmful links can be examined without risking compromise of the main system. In practice, a sandbox simulates a complete operating system, allowing users to run and analyse the behaviour of suspicious software or files in a controlled environment.
Services such as VirusTotal, JoeSandbox and Any.Run are examples of these solutions, providing valuable support in identifying cyber threats and preventing attacks. These tools allow you to observe how a file behaves when it is executed, detecting malicious activity such as attempts to connect to external servers or unauthorised changes to the system.
It is essential to be aware of the risks associated with the indiscriminate use of such platforms. Many services publish reports of their analyses, making this data accessible to the public. This means that specific data and technical details of the organisations that upload the files may end up in the hands of malicious individuals, exposing companies to additional security risks.
Sandbox: associated risks
Experience clearly shows that, despite the benefits of public sandboxes, it is crucial to carefully assess the implications for privacy and data security. Often, the problem lies not so much in the tool itself as in the approach taken by users, who upload sensitive data without due care. The associated risks mainly concern three categories of information:
1 / Personal data: uploaded files often contain sensitive data about individuals, or even entire lists of employees from different companies. This data can be exploited by malicious individuals to carry out targeted phishing campaigns or implement fraudulent schemes, such as FakeBoss or other social engineering techniques.
2 / Company secrets and internal documents: it is not uncommon for the files analysed to contain confidential information, contracts, internal regulations and documentation from business partners, thus exposing the company to the risk of industrial espionage and loss of competitive advantage.
3 / Indications of cybersecurity incidents: many uploaded documents are tangible signs of possible internal cyber compromises. These include not only decoy files but also genuine company documents that, if made public, could further compromise the security and reputation of the organisations involved.
Among the platforms examined, Any.Run is particularly interesting, as it allows registered users not only to view reports but also to download the analysed files, a possibility that is limited in other sandboxes such as VirusTotal and JoeSandbox.
An analysis of files uploaded by users in Russia between 2024 and 2025 showed that the category most frequently involved in exposures is personal data, with numbers ranging from a few hundred to thousands of records per incident. One single document, for example, contained nearly 1,300 personal records.
How to avoid risks
To protect your organisation from the risks associated with using public sandboxes, it is important to take a number of preventive measures. Here are some key strategies to consider:
1 / Use private sandboxes: opt for private sandboxes or dedicated enterprise versions that do not publish the data analysed. These solutions offer an additional level of security by keeping sensitive information within the organisation.
2 / Adopt MDR (Managed Detection and Response) services: use them to monitor anomalous activity and respond promptly to potential threats. These services help identify and manage security incidents in real time.
3 / Educate employees: inform staff about best practices for using public sandboxes. Ensure they understand the potential risks and know how to use these tools safely.
4 / Conduct regular risk assessments: carry out regular risk assessments to identify vulnerabilities and areas for improvement in cybersecurity management.
5 / Integrate cyber threat intelligence: use it to obtain up-to-date information on emerging threats. This proactive approach allows you to anticipate and prevent cyber attacks, improving the organisation’s defence capabilities.
6 / Implement clear company policies: establish precise guidelines on which files may be uploaded to external platforms and how they are handled. Policies should clearly define what types of files can be uploaded to external platforms and by whom.
7 / Monitor shared information: regularly check what information is shared externally via these platforms. This monitoring allows you to intervene quickly in the event of unwanted exposure, minimising potential damage.
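Points 6 and 7 above describe a policy gate and a monitoring step; the following is an added example of how such a gate can be enforced in code before a file ever reaches a public sandbox. It is not CYBEROO's tooling or any sandbox vendor's API. The screening policy, the regular expressions, the classification markers and the sample inputs are all assumptions constructed for illustration: the script looks for personal data (e-mail addresses and phone-number-like strings) and confidentiality markers in a file, returns an allow/review/block decision with the reasons, and computes the SHA-256 so the analyst can first query the sandbox by hash, which discloses nothing about the document's contents.

```python
"""Pre-upload screening gate for files destined for a public sandbox.

Added example, not code from the original article or from CYBEROO.
The detection patterns, markers and thresholds are illustrative assumptions.
"""
import hashlib
import re
from dataclasses import dataclass

# Deliberately simple PII patterns (assumption: not a complete PII detector).
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(rb"(?<!\d)\+?\d[\d \t().-]{7,}\d(?!\d)")
# Classification stamps an organisation might put on internal documents
# (assumed strings; substitute the markers your own policy uses).
MARKERS = (b"CONFIDENTIAL", b"INTERNAL USE ONLY", b"NOT FOR DISTRIBUTION")


@dataclass
class ScreeningResult:
    sha256: str      # query the sandbox by this hash first; it reveals no content
    emails: int      # distinct e-mail addresses found
    phones: int      # distinct phone-number-like strings found
    markers: list    # classification markers present in the file
    decision: str    # "allow", "review" or "block"
    reasons: list    # human-readable justification for the decision


def screen_for_upload(data: bytes, max_personal_records: int = 5) -> ScreeningResult:
    """Decide whether `data` may be submitted to a public sandbox.

    Policy (an assumption chosen for this example):
      - any classification marker present        -> block
      - more than max_personal_records PII hits   -> block
      - any PII hit at all                        -> review by a human
      - nothing found                             -> allow
    """
    digest = hashlib.sha256(data).hexdigest()
    emails = set(EMAIL_RE.findall(data))
    phones = set(PHONE_RE.findall(data))
    markers = [m.decode() for m in MARKERS if m in data.upper()]
    reasons = []

    if markers:
        reasons.append("classification marker(s) present: " + ", ".join(markers))
    pii_hits = len(emails) + len(phones)
    if pii_hits > max_personal_records:
        reasons.append(f"{pii_hits} personal-data items exceed limit of {max_personal_records}")

    if reasons:
        decision = "block"
    elif pii_hits:
        decision = "review"
        reasons.append(f"{pii_hits} personal-data item(s) found; manual review required")
    else:
        decision = "allow"
        reasons.append("no personal data or classification markers detected")
    return ScreeningResult(digest, len(emails), len(phones), markers, decision, reasons)


# Constructed sample inputs (not real files or real people).
CLEAN_SAMPLE = b"MZ\x90\x00 fake binary stub with no personal data inside"
EMPLOYEE_LIST = b"\n".join(
    b"Employee %d;employee%d@example.invalid;+39 02 1234 56%02d" % (i, i, i)
    for i in range(1, 8)
)
CONTRACT = b"CONFIDENTIAL - Master Services Agreement between Example Corp and Example Ltd"
PHISHING_DECOY = b"Dear customer, contact support@example.invalid to unlock your account"


if __name__ == "__main__":
    samples = (("clean binary", CLEAN_SAMPLE), ("employee list", EMPLOYEE_LIST),
               ("contract", CONTRACT), ("phishing decoy", PHISHING_DECOY))
    for name, sample in samples:
        r = screen_for_upload(sample)
        print(f"{name}: {r.decision} (sha256 {r.sha256[:16]}...) - {'; '.join(r.reasons)}")
```

The gate runs on raw bytes, so it only sees plain-text content; Office and PDF documents are compressed containers and should be passed through a text extractor before screening (an assumption about deployment, not something the script does). Its purpose is to make the policy in point 6 mechanical rather than to catch every possible leak: a "review" or "block" result sends the file to an analyst or to a private sandbox, and the logged hash gives the monitoring step in point 7 a record of what was submitted.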
Companies must pay close attention to file uploads in public sandboxes to avoid serious risks, both in economic terms, through heavy fines, and in criminal terms, as they may incur severe legal penalties.
Analysis by Vasily Kononov – Threat Intelligence Lead, CYBEROO