2024-0708-2420
Info |
---|
Rolling out throughout July 24th, 2024. |
Receiving sharing links from third parties has been the cause of many concerns because of phishing. We’ve added a new Caution Threat Category called External Sharing Link. This category will currently work against SharePoint and OneDrive shared objects but will expand to other third-party services in the future.
The protection will be enabled by default but will not contain any “Trusted” Microsoft tenants.
...
For Microsoft tenants for which you DO NOT wish to receive an External Sharing Link warning, simply add the tenant’s name in the “Do not warn about the following trusted Microsoft tenant domains” multi-box, and it will suppress the External Sharing Link threat category for that tenant.
The tenant’s name is the subdomain of the tenant address found within an M365 system that ends in .onmicrosoft.com. For example, for polvocapital.onmicrosoft.com, polvocapital would be entered in the multi-box to suppress the External Sharing Link threat category for Polvo Capital’s tenant.
The External Sharing Link threat category by itself is just a caution banner. However, if it’s coupled with additional categories, such as First-Time Sender, it’ll push towards being a dangerous message more quickly than previously. It’s also possible that the External Sharing Link threat category rises to a Danger threat level by itself if it’s coupled with raw suspicious text, such as Contract Bid, Quote Request, Secured Document, or other similar terms that are more frequently used in phishing attempts.
...
DMARC Monitoring
With this release comes the launch of INKY’s DMARC Monitoring as generally available.
INKY's DMARC Monitoring solution streamlines the DMARC process by offering a dedicated reporting address to collect these RUA reports. The service then aggregates and analyzes the data, presenting it in an intuitive dashboard. This empowers administrators to quickly identify issues and take appropriate action, ensuring robust email security and maintaining domain integrity.
DMARC Monitoring requires an extra entitlement. Please reach out to support@inky.com or your account executive to get enabled for a trial.
Learn more: DMARC Monitoring
We’ve added a new threat category called Executable File which defaults to a yellow caution banner. While most organizations would never see these messages to begin with, due to default Microsoft and Google settings, some have requirements to process all emails. This category is given when one of the referenced filetypes is found in an email: Executable File Extensions Reference
Used primarily as a fallback for the approval flow, INKY now supports the wildcard “*” pattern in the Sender Pattern qualification input.
The screenshot below is an example of a fallback approver set to matt@polvocapital.com, which any email that doesn’t have a more specific approver set up will fall back to.
...
...
Signature Max Width Configuration
At the bottom of https://app.inkyphishfence.com/settings/api-access for a given team, you’ll find an option to enable or disable Delegated Access to Tenant Mail Content.
When Delegated Mail Content Access is enabled, parent and ancestor organization administrators will be authorized to access sensitive mail content within your tenant, such as the body of the mail. Note that this applies only to administrators who can remediate mail (Policy Admin, Super Admin).
To modify this section, you must be signed in as an administrator with mail content permissions on the team's tenant and have Directory and Remediation API Access granted.
This is not the MSP admin account but the end customer’s admin account.
...
When adding an action to an Outbound Mail Protection rule, you can select the Cog Icon to customize the action setting. This action configuration now allows you to include read receipts when sending encrypted messages.
As an admin, navigate to https://app.inkyphishfence.com/settings/outbound and configure your specific rule. When you add the encryption action, you can select “Send Read Receipts”.
...
When an end user opens an encrypted email by navigating through the login process, the sender of the encrypted email will receive the Email Encryption message view notification shown below.
...
Adding a readable action summary to the Outbound Mail Protection rule editor gives admins more visibility on the exact actions that are selected.
...
If your team utilizes Cybsafe on the https://app.inkyphishfence.com/settings/phishing-awareness-training page, we’ve updated the matching algorithm to ensure we identify their phishing training emails. No action is required if the Cybsafe provider is already selected.
There may have been times, when scrolling through a large list of messages on the message list view within the Observations Page or Custom Dashboard. We’ve implemented a fix that should resolve this issue, but if you continue to experience it, please reach out to support@inky.com.
On the signatures configuration page, under the Styling & Formatting section, there is a new Maximum signature width option. This width defaults to 600px, which is the maximum we’d recommend. Based on screen sizes of modern devices including laptops, tablets, and phones, we’d recommend the sizes below, but you can play around with whatever works for your organization.
Max: 600px
Best Fit: 450px
Min: 320px
If you have a banner image that is larger than the maximum width set, then it will extend past that boundary.
...
QR code phishing has become one of the most rapidly growing forms of phishing, especially since QR codes gained popularity during the global pandemic. Recently, INKY has observed a new evolution of this tactic, where QR codes are constructed using HTML tables and ASCII characters. We've noticed this technique emerging over the past few months and have implemented protections against it. Now, we’d like to share how it works and how we defend against it.
We’ve encountered this technique before, particularly when attackers impersonate the Microsoft brand. Take a look at the table below; it closely resembles the Microsoft logo. While Confluence might not fully capture the colors, it’s possible to get much closer in an email. Creating a logo using a table that closely mimics the standard Microsoft logo at a glance is an effective way to bypass detection platforms that don’t scan rendered images—unlike INKY, which employs Computer Vision (CV) checks. While it looks like a table when scanned by a machine, our CV checks reveal it as a brand impersonation of Microsoft.
...
Now, apply this concept to a QR code. QR codes are simply groups of black squares arranged in a way that allows users to scan them with a camera to navigate to a link. But what if you created a table of squares, filled in with black or white backgrounds, or even used the ASCII character █, to mimic a QR code?
While this technique might seem time-consuming, filling in the squares can be automated with simple scripting and then deployed at scale. Take a look at the examples below. The first image is the QR code without the table's grid lines—it looks exactly like a typical QR code but is incredibly difficult to detect because it’s not a standard image format. The second example reveals the grid lines, exposing the underlying technique.
INKY can detect this new technique in the same way we detect brand impersonations of Microsoft using tables, by analyzing the rendered DOM to see what the user sees. Although the email contains <table> or <pre> tags instead of an image in the HTML, our Computer Vision checks recognize that the user is actually seeing a QR code. INKY then scans the QR code and assesses whether it's dangerous. Even if it’s not classified as dangerous, INKY will still use the Email Assistant Banner to warn users with a message like “Beware of unexpected QR codes from unknown senders.” If the QR code is deemed dangerous, we’ll mark the email as malicious and send it to the admin quarantine based on your delivery settings.
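A static pre-filter for the table-built QR codes described above, added here as an example and not INKY's code (the page says INKY works on the rendered DOM with Computer Vision). It reduces each <table> to a grid of dark and light cells and looks for the three finder patterns a QR code carries; the names GridExtractor, looks_like_qr and find_grid_qr, and the sample input, are assumptions made for this example.

```python
import re
from html.parser import HTMLParser

DARK_FILL = re.compile(r"background(-color)?\s*:\s*(#0{3}(0{3})?\b|black\b|rgb\(\s*0\s*,\s*0\s*,\s*0\s*\))", re.I)
# The 7x7 finder pattern every QR code carries in three of its corners.
FINDER = ["1111111", "1000001", "1011101", "1011101", "1011101", "1000001", "1111111"]

class GridExtractor(HTMLParser):
    """Reduce each <table> to rows of '1' (dark) and '0' (light) cells."""
    def __init__(self):
        super().__init__()
        self.grids, self.rows = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "table":
            self.rows = []  # a nested table restarts collection, so the innermost grid wins
        elif tag == "tr" and self.rows is not None:
            self.rows.append("")
        elif tag in ("td", "th") and self.rows:
            paint = f"background:{a.get('bgcolor') or ''};{a.get('style') or ''}"
            self.rows[-1] += "1" if DARK_FILL.search(paint) else "0"

    def handle_data(self, data):
        if self.rows and self.rows[-1] and "█" in data:
            self.rows[-1] = self.rows[-1][:-1] + "1"  # cell drawn with a block glyph

    def handle_endtag(self, tag):
        if tag == "table" and self.rows is not None:
            self.grids.append(self.rows)
            self.rows = None

def looks_like_qr(grid):
    """True for a square grid of at least 21 cells with finder patterns in three corners."""
    n = len(grid)
    return n >= 21 and all(len(row) == n for row in grid) and all(
        grid[r + i][c:c + 7] == FINDER[i]
        for r, c in ((0, 0), (0, n - 7), (n - 7, 0)) for i in range(7))

def find_grid_qr(html):
    """Side length of every table in the HTML whose cells resemble a QR code."""
    parser = GridExtractor()
    parser.feed(html)
    parser.close()
    return [len(g) for g in parser.grids if looks_like_qr(g)]

# Constructed input: finder corners on a light field (not a scannable code).
SAMPLE_ROWS = [f + "0" * 7 + f for f in FINDER] + ["0" * 21] * 7 + [f + "0" * 14 for f in FINDER]
TD = {"1": '<td bgcolor="#000"></td>', "0": '<td bgcolor="#fff"></td>'}
SAMPLE_HTML = "<table>" + "".join("<tr>" + "".join(TD[m] for m in r) + "</tr>" for r in SAMPLE_ROWS) + "</table>"
```

A hit is a reason to render the message and decode the grid like any image QR code. Near-black shades and <pre> glyph art fall outside this filter and need the rendered-view check the page describes.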
...
INKY has introduced a new checkbox option to enable authentication for VIP List checks. Previously, INKY would strictly match any "From" email address against the VIP list, considering it a match even if the email didn't pass authentication.
With this new option, the VIP list becomes more secure by requiring authentication for the "From" email address. This feature is currently rolling out to all customers and will become the default setting for all new teams in the future.
To enable this option, navigate to VIP List Settings.
...
If an email address or domain listed on the block list is found within the Reply-To of a message, then it will also match for that given block list entry.
For example, if a block list entry is added for tyler@productreport.ai or productreport.ai, then it would apply to this email because the Reply-To is listed as that email address/domain.
...