CMMC Practice SI.3.220
Utilize sandboxing to detect or block potentially malicious email.
Bold Coast Security Guidance
Evaluate vendors and options for sandboxing email. There are several tools which will open email attachments and check email links before allowing the email to be delivered to user's mailboxes. Be aware that some malware is "sandbox aware" and will not activate, so these solutions can be circumvented. When you have selected as solution, include a description of what will be examined in your policy, and then detail the product, who is responsible for it, and any costs associated with maintaining it in your plan. To meet maturity level, utilize test messages and interview users to determine if malicious emails are still getting through the filter.
CIS CONTROLS V7.1
Minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems. Web browsers and email clients are very common points of entry and attack because of their technical complexity, flexibility, and their direct interaction with users and with other systems and websites. Content can be crafted to entice or spoof users into taking actions that greatly increase risk and allow introduction of malicious code, loss of valuable data, and other attacks. Since these applications are the main means that users interact with untrusted environments, these are potential targets for both code exploitation and social engineering. This practice is based on the following CIS control:
7.10 Use sandboxing to analyze and block inbound email attachments with malicious behavior.