My Email to Steve about Email in Windows Sandbox, Maybe SN 1022 & an Invitation to Improve on the Idea


attycda
New member
Apr 21, 2025
When someone like Steve has listeners all over the world, the same ideas might come from 10 different places and in as many ways, but it's fun to imagine that maybe one of your emails prompted a show idea. Smiles aside, it seems to me that some variation of this sandbox email solution could be huge in limiting the most common vector of attack on businesses, phishing/business email compromise. It's something I use daily now. Why post this? You all can improve this in ways that would take me a long time to recognize and longer to implement. Any thoughts? Thanks y'all.

**************************
March 26, 2025

Dear Steve,

Regular listener for about 4 years and SpinRite owner. I'm an attorney and don't even have the coding skills of a script kiddie, but I have used computers since owning an Atari 400 32K home computer in 1982, and I started using VAX workstations the same year.

I think daily about how everyone in the entire office must open pdfs and other documents from unknown senders. They might be from attorneys we've never heard of, mortgage processors and title companies asking about a judgment we obtained for a client, requests for information, etc.

I've looked around, and maybe I'm simply missing it, but I've often wondered why we are not viewing email and documents through online browser access inside a sandbox since the threat actor would need to weave through the email provider security, evade anti-virus on our machines and escape the sandbox to do damage.

It seemed like we could use a relatively simple, easy, one-click way [plus login] for the least-sophisticated office worker to open their email, log in and use email inside a sandbox.

Looking into it, I found that after the BIOS settings are enabled to permit hyper-threading (I think most are), and after Hypervisor is enabled in Windows 10 Pro or Windows 11, the machine is capable of spinning up a sandbox with a pristine operating system as a separate window. There are apparently some hoops to jump through to enable Hypervisor in non-Pro versions of Windows 10.

I found that executing a few lines of XML saved in Notepad to a *.wsb file could open a browser inside a sandbox. Creating a desktop icon linking to the .wsb file made it a one-click process, but being the non-coder that I am, I couldn't make the browser open to the email login page. I took your advice, and after three or four sessions, I finally hit on the right prompt for ChatGPT 4 to tell me the structure of the code needed to open the email login URL inside a browser which is inside the sandbox.

Below is the end of my conversation with ChatGPT which responded to me feeding it XML code that contained a curl command which didn't work. The bold is my response after its solution worked, and then ChatGPT responds...

[Me] Thank you ChatGPT!! The code change works perfectly! With proper implementation this code can prevent the majority of business email compromise by logging into a Microsoft Office 365 account within the Sandbox and viewing email and attachments inside the Windows Sandbox. An attacker would need to escape the Sandbox to get to the host machine. This simple code can save millions of dollars. [If you try this, use the code further below which has an addition.]

<Configuration>
  <Networking>Enable</Networking>
  <LogonCommand>
    <Command>"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://login.microsoftonline.com</Command>
  </LogonCommand>
</Configuration>


[ChatGPT] You're very welcome! I'm so glad to hear the code works perfectly for you. 😊 You've brought up a fantastic point about security—using a Windows Sandbox to isolate sensitive login sessions like those for Microsoft Office 365 adds an extra layer of protection against business email compromise (BEC) and other potential threats. By running the login process inside the sandbox, even if an attacker were to compromise the browser session, they would be confined to the sandboxed environment and unable to affect the host machine. This approach helps reduce risk significantly and could certainly save organizations a great deal of money by preventing potential breaches. It's a simple yet effective use of Windows Sandbox to improve security—love the idea! If you have any more questions or need further enhancements in the future, feel free to ask! I'm here to help. 😄

This is one of those times where I wished that I believed that ChatGPT truly learns.

So, here's the too-simple, one-click solution to open a Windows hypervisor sandbox to an email login page inside an Edge browser. [The code goes into Notepad and is saved as (filename).wsb; then create a desktop icon linking to it]

<Configuration>
  <!-- The sandbox needs network access to reach the webmail provider -->
  <Networking>Enable</Networking>
  <!-- Keep the host clipboard out of the sandbox (and vice versa) -->
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <!-- Run once at sandbox logon: open Edge (shipped inside the sandbox image) on the login page -->
  <LogonCommand>
    <Command>"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://[Login Page URL Here]</Command>
  </LogonCommand>
</Configuration>

In addition to the web, anti-virus and sandbox protections, the implementation doesn't have access to the Windows clipboard, and any download is saved to temporary memory allocated to the WDAGUtilityAccount. If the email and documents turn out to be legitimate, the person opens up Outlook, etc. in a separate window with access to the system. There are no passwords to steal. A user can click the bad link and look at a bad page with some forgiveness. They can grab the URL and look up the ICANN information to see that the website was spun up two days ago. The vast majority of bad things go away with clicking X to close the sandbox, so long as the person simply does not put their credentials in anywhere following an email click.

I'm not sure what percentage of the threats this would eliminate, but I suspect that it's high. I figure that if the actor has the technical sophistication to escape these layers, we're probably screwed as a target anyway.

This solution is probably so simple that virtually all of your listeners will say, "I can do better than that." Actually, I'm kind of hoping that they do. I've thought of various tweaks that I might want to add functionality, but for the moment, simple and focused will do.

Appreciate all you do!

*******************
 
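The post's recipe is a hand-typed .wsb file plus a desktop shortcut. The script below is an added example (not the poster's code, and not anything from GRC or Microsoft) that produces the same thing from PowerShell, pinning the Windows Sandbox settings the post leaves at their defaults (vGPU, audio/video input, printer redirection, ProtectedClient, memory) to their more restrictive values, refusing anything but an https:// login page, and XML-escaping the URL so a `&` in a query string cannot break the configuration. The login URL, output file name, shortcut name and memory size are placeholders; it assumes Windows 10/11 Pro or Enterprise with the Windows Sandbox optional feature enabled, and the feature check only works from an elevated prompt.

```powershell
# Added example, not from the original post: generate a hardened Windows Sandbox
# configuration (.wsb) that opens Edge on a webmail login page, then create a
# desktop shortcut to it. Placeholders: -LoginUrl, -OutFile, -MemoryInMB.
param(
    [string]$LoginUrl   = 'https://login.microsoftonline.com',            # placeholder: your provider's login page
    [string]$OutFile    = (Join-Path $env:USERPROFILE 'SandboxedMail.wsb'), # placeholder output path
    [int]   $MemoryInMB = 4096                                             # placeholder; raise if Edge is sluggish
)

# Accept only an absolute https:// URL. The whole scheme depends on credentials being
# typed only into the real provider, so an http:// or malformed value is a hard error.
$uri = $null
if (-not [System.Uri]::TryCreate($LoginUrl, [System.UriKind]::Absolute, [ref]$uri) -or $uri.Scheme -ne 'https') {
    throw "LoginUrl must be an absolute https:// URL, got: $LoginUrl"
}

# Warn (do not abort) if the Windows Sandbox feature is off. Querying it needs elevation,
# so a plain user session lands in the catch block and just reports that it could not check.
try {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM' -ErrorAction Stop
    if ($feature.State -ne 'Enabled') {
        Write-Warning 'Windows Sandbox (Containers-DisposableClientVM) is not enabled. From an elevated prompt run: Enable-WindowsOptionalFeature -Online -FeatureName Containers-DisposableClientVM'
    }
} catch {
    Write-Warning "Could not query the Windows Sandbox feature state (run elevated to check): $($_.Exception.Message)"
}

# XML-escape the URL so characters such as '&' in a query string cannot break the document.
$escapedUrl = [System.Security.SecurityElement]::Escape($uri.AbsoluteUri)

# Edge ships inside the sandbox image at this path; it is the same path the post uses.
$edge = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'

# Networking stays on (webmail needs it). Every other host/sandbox bridge is switched off,
# ProtectedClient hardens the RDP client that renders the sandbox window, and memory is capped.
$wsb = @"
<Configuration>
  <vGPU>Disable</vGPU>
  <Networking>Enable</Networking>
  <AudioInput>Disable</AudioInput>
  <VideoInput>Disable</VideoInput>
  <PrinterRedirection>Disable</PrinterRedirection>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <ProtectedClient>Enable</ProtectedClient>
  <MemoryInMB>$MemoryInMB</MemoryInMB>
  <LogonCommand>
    <Command>"$edge" $escapedUrl</Command>
  </LogonCommand>
</Configuration>
"@

# Write UTF-8 without a byte-order mark.
$utf8NoBom = New-Object System.Text.UTF8Encoding($false)
[System.IO.File]::WriteAllText($OutFile, $wsb, $utf8NoBom)
Write-Host "Wrote sandbox configuration to $OutFile"

# One-click launch for the least technical user: double-clicking a .wsb file opens
# Windows Sandbox with that configuration, so the shortcut simply targets the file.
$shortcutPath = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Sandboxed Email.lnk'  # placeholder name
$shell    = New-Object -ComObject WScript.Shell
$shortcut = $shell.CreateShortcut($shortcutPath)
$shortcut.TargetPath       = $OutFile
$shortcut.WorkingDirectory = Split-Path -Parent $OutFile
$shortcut.Save()
Write-Host "Created shortcut $shortcutPath"
```

Save it as, for example, New-SandboxedMail.ps1 and run `.\New-SandboxedMail.ps1 -LoginUrl 'https://your-provider-login-page'` (a default execution policy may require `powershell -ExecutionPolicy Bypass -File New-SandboxedMail.ps1`). Everything downloaded or cached inside the sandbox is discarded when its window is closed, which is the behaviour the post relies on; if a user genuinely needs to keep an attachment, add a read-only `<MappedFolders>` entry rather than re-enabling the clipboard, so that the only path from sandbox to host is one you chose. The sandbox does nothing about the other half of the post's advice: a lookalike login page opened inside it will still collect whatever the user types.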