Detection and mitigation of time-delay based network attacks
Abstract:
Systems and methods for mitigation of time-delay based network attacks are provided. According to one embodiment, an email directed to a user of an enterprise and containing a potentially malicious link is received by a mail server of the enterprise. At a first time, a file to which the potentially malicious link points is evaluated within a sandbox environment and a first hash value is generated based on contents of the file. At a second time, the sandbox environment evaluates a second file to which the potentially malicious link points, which includes downloading the second file at the second time and generating a second hash value based on contents of the second file. When the two hash values differ, the second file is treated as a suspicious or high-risk file or is evaluated within the sandbox environment.
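The two-time hash comparison described in the abstract, sketched as an added example that is not taken from the patent or any product. The class and function names, the use of SHA-256, the `example.test` URLs and the constructed fetcher that stands in for the real download are all assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict

Fetcher = Callable[[str], bytes]  # hypothetical: downloads the file a link points to


def content_hash(data: bytes) -> str:
    # Assumption: SHA-256; the abstract only says "hash value".
    return hashlib.sha256(data).hexdigest()


@dataclass
class LinkRechecker:
    fetch: Fetcher
    first_hashes: Dict[str, str] = field(default_factory=dict)

    def first_evaluation(self, url: str) -> str:
        """First time: download the linked file and record its hash."""
        digest = content_hash(self.fetch(url))
        self.first_hashes[url] = digest
        return digest

    def second_evaluation(self, url: str) -> str:
        """Second time: download again, hash, and compare with the first hash."""
        if url not in self.first_hashes:
            raise KeyError(f"no first evaluation recorded for {url}")
        digest = content_hash(self.fetch(url))
        if digest != self.first_hashes[url]:
            # Content changed after delivery: treat as suspicious or
            # hand the new file back to the sandbox for evaluation.
            return "suspicious"
        return "unchanged"


def make_constructed_fetcher() -> Fetcher:
    """Constructed stand-in for a download: one URL serves different
    bytes on its second fetch, the other serves the same bytes."""
    pages = {
        "https://example.test/invoice": [b"benign v1", b"different payload"],
        "https://example.test/static": [b"same", b"same"],
    }
    calls: Dict[str, int] = {}

    def fetch(url: str) -> bytes:
        n = calls.get(url, 0)
        calls[url] = n + 1
        versions = pages[url]
        return versions[min(n, len(versions) - 1)]

    return fetch
```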