| Table of Contents |
|---|
2024-305-1902
| Status | |
|---|---|
|
...
|
...
|
...
The core concepts of the Allow and Block List are remaining the same where an admin chooses an appropriate threat category and criteria to block or allow a particular message. However, there have been a few new additions added to provide more targeted entries when appropriate.
DMARC Authentication
Allow list entries can have “only if passing DMARC” and Block list entries can have an “only if failing DMARC” option.
Allow list entries now prompt you and pre-check “Apply only to messages that pass DMARC authentication (safer option)” when applying a new Allow Entry. This option gives admins more control in which messages apply to the new entries.
...
Given the entry above, with DMARC authentication check, we have two messages below that would be evaluated against it on future deliveries. The first one has an SPF pass for securitytides.com and the second one has no authentication passes. In the future, due to the new allow list entry, the top message, with authentication will not be marked as Spam Content, while the second one will because it has no authentication.
...
On the Block Listing side, admins now have the option to “Apply only to messages that fail DMARC authentication (useful for targeting Spoofing).” Think of this as an internal INKY DMARC failure control where if you receive a spoofed email from a particular sender, domain, or IP address you can have it set block if necessary.
For example, the below entry for google.com would apply the Phishing Content banner to all messages with a FROM header google.combut contains no passing authentication. Normally, individual companies are expected to control their DMARC records to perform this type delivery but having the flexibility within INKY gives you more control.
...
To learn more please review: https://inkyops.atlassian.net/wiki/spaces/AG2/pages/2139160585/Allow+and+Block+Listing#Authentication
Match Subdomains
When adding an Allow Entry against a specific domain admins are now prompted with an option to cover all subdomains for the given domain. The below example shows the option to “Never warn about Spam Content for mail from domain securitytides.com (and subdomains).”
...
Domain Age Analysis
By default, the new "Newly Registered Domain" threat category will classify all emails falling below the specified threshold in the Domain Age Analysis section of the dashboard, accessible here: https://app.inkyphishfence.com/settings/analysis .
To configure, set the Maximum age (in days) for a domain to be deemed "newly registered" within the range of 1 to 60 days. Alternatively, set it to 0 to deactivate this feature.
By default, this Threat Category will trigger a Caution Banner. However, selecting the checkbox will elevate all messages categorized as "newly registered," based on the specified maximum age, to Danger status.
...
| Status | ||||
|---|---|---|---|---|
|
Recently added, a new manual threat category dubbed "Potential Sender Risk" empowers admins to directly flag potential risks within INKY. Paired with the new DMARC authentication method, this feature grants admins greater command over their email flow.
This category can be useful when shared addresses from SaaS services like Dropbox are used during phishing campaigns and are unable to fully block a sender.
Add this category using the normal “Add new entry” option on the Block List configuration page here: https://app.inkyphishfence.com/settings/allowblock-list.
...
Editing Allow and Block List
Allow list and block list entries are now editable. These allow list options can be set when performing allow list message actions and also when manually adding via csv input, or via the More Info > Edit interface. This can be set when manually adding via csv input or via the More Info > Edit interface.
To learn more please review: Editing Allow and Block List
Add/Remove/Edit User Level Allow and Block List
Admins can now manually add (and edit) user-specific allow and block entries as well as manually add Blocked Sender entries (for specific users or at the team level) via the csv input option.
To learn more please review: Add/Remove/Edit User Level Allow and Block List
| Status | ||
|---|---|---|
|
Found on the
...
| Status | ||||
|---|---|---|---|---|
|
Delete Entries from the Allow or Block Lists
Admins can now delete entries from their Allow and Block list. You can delete directly from the active list, as well as the disabled list. Simply select an entry then “More info” to expose the below settings giving the option to delete.
...
Elevate Entries from the Allow or Block Lists at a Team Level to an Organization
Organization Admins can now elevate team level Allow and Block list entries up to the top of their hierarchy, so they apply to all teams.
Make sure you’re on the appropriate organization level, which is denoted in the Team Filter with the skyscraper icon.
...
When accessing https://app.inkyphishfence.com/settings/allow-list and https://app.inkyphishfence.com/settings/block-list pages you’ll now see an Alert column indicating if an entry added to either list is too permissive or restrictive.
For example, the below entry is an Allow List for First-Time Sender that has a “None” criteria meaning it will match on every new message received and never allow another First-Time Sender threat category. With First-Time Sender completely disabled this would be seen as a very permissive allow list entry that these new warnings are meant to highlight to admins.
...
, you'll find the familiar Allow and Block List options. However, a new column labeled "Team" has been introduced in the table entries. Entries marked with "(all teams)" next to the team’s name apply to all child teams within the organization, while those without it apply only to the specific team.
To promote a team-level entry to an organization-level entry, simply select the desired entry, click "More info," and choose "Copy to Organization" in the popup. A subsequent modal will appear, confirming the parent organization and showing the number of teams it will impact.
...
Once copied you’ll see the new entry in the table with the (all teams) designation.
...
| Status | ||||
|---|---|---|---|---|
|
In the Widget Filter Editor, you can now search for specific Phish and Spam content reason categories. Navigate to Analysis → Phish or Spam Content in the filter to view the list of matches. The current expanded categories are listed below. INKY will add more categories as needed.
Spam
Block List
Mostly Blank Message
Pattern Match
Spam Engine
Spam Sender
Upstream Google Classification
Upstream Microsoft Classification
Phish
Bad HTML Attachment
Bad PDF Attachment
Block List
Fake Voicemail
Pattern Match
Personalized Phish
Phishing Sender
The message detail view of a particular message will expand more on what these subcategories are.
...
| Status | ||
|---|---|---|
|
Found at the bottom of the Widget Filter Editor is a new search tool to find a sub filter faster. For example, if I wanted to find the Phishing Content filter from above you can search “phish” and select the appropriate option.
...
| Status | ||
|---|---|---|
|
Added teamId and Recipient To Addresses to metadata tab
Added URL copy/Open in new window buttons
Enabled the message tag editor
New workflow statuses in the timeline with clickable rule names to take user to the Rules tab
| Status | ||
|---|---|---|
|
QR Code detection has been improved to ensure detection even when the DPI of a QR Code image is too low for traditional methods.
| Status | ||
|---|---|---|
|
The Gradient MSP PSA integration now supports INKY's latest products: Graymail, Email Signatures, and DMARC Analysis (coming soon).