Comment: v20241230a

2024-312-1931

NEW

...

feature
-

...

The core concepts of the Allow and Block List remain the same: an admin chooses an appropriate threat category and criteria to block or allow a particular message. However, there are a few new additions that provide more targeted entries when appropriate.

DMARC Authentication

Allow list entries can have “only if passing DMARC” and Block list entries can have an “only if failing DMARC” option.

Allow list entries now prompt you and pre-check “Apply only to messages that pass DMARC authentication (safer option)” when applying a new Allow Entry. This option gives admins more control over which messages the new entries apply to.

...

Given the entry above, with the DMARC authentication check, we have two messages below that would be evaluated against it on future deliveries. The first one has an SPF pass for securitytides.com and the second one has no authentication passes. In the future, due to the new allow list entry, the top message, which has authentication, will not be marked as Spam Content, while the second one will be, because it has no authentication.

...

On the Block Listing side, admins now have the option to “Apply only to messages that fail DMARC authentication (useful for targeting Spoofing).” Think of this as an internal INKY DMARC failure control: if you receive a spoofed email from a particular sender, domain, or IP address, you can set it to be blocked if necessary.

For example, the below entry for google.com would apply the Phishing Content banner to all messages that have a FROM header of google.com but contain no passing authentication. Normally, individual companies are expected to control their DMARC records to perform this type of delivery, but having the flexibility within INKY gives you more control.

...

To learn more please review: https://inkyops.atlassian.net/wiki/spaces/AG2/pages/2139160585/Allow+and+Block+Listing#Authentication

Match Subdomains

When adding an Allow Entry against a specific domain, admins are now prompted with an option to cover all subdomains of the given domain. The below example shows the option to “Never warn about Spam Content for mail from domain securitytides.com (and subdomains).”

You’ll also be able to add subdomain matching entries against domains added directly from https://app.inkyphishfence.com/settings/allow-list.
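The DMARC-gated allow and block entries and the subdomain option described above can be modelled as follows. This is an added example, not INKY's code: `ListEntry`, `entry_applies`, `make_msg` and the `mx.example.net` authserv-id are hypothetical, and it assumes the DMARC verdict is read from the `Authentication-Results` header stamped by your own gateway.

```python
import re
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV_ID = "mx.example.net"  # assumed: the receiving gateway's own id


@dataclass(frozen=True)
class ListEntry:
    kind: str                 # "allow" or "block"
    domain: str               # From-header domain the entry targets
    subdomains: bool = False  # the "(and subdomains)" option
    dmarc_gated: bool = True  # allow: only if passing; block: only if failing


def dmarc_passed(msg) -> bool:
    """True only if the trusted gateway recorded dmarc=pass."""
    for header in msg.get_all("Authentication-Results", []):
        authserv_id, _, results = header.partition(";")
        if authserv_id.split()[:1] != [TRUSTED_AUTHSERV_ID]:
            continue  # skip headers a sender could have injected
        if re.search(r"(?:^|[;\s])dmarc=pass\b", results, re.IGNORECASE):
            return True
    return False


def entry_applies(entry: ListEntry, raw_message: str) -> bool:
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Match on a label boundary so "notsecuritytides.com" never qualifies.
    exact = from_domain == entry.domain
    sub = entry.subdomains and from_domain.endswith("." + entry.domain)
    if not (exact or sub):
        return False
    if not entry.dmarc_gated:
        return True
    passed = dmarc_passed(msg)
    return passed if entry.kind == "allow" else not passed


def make_msg(from_addr: str, auth_results: str = "") -> str:
    """Build a constructed sample message (not real traffic)."""
    auth = f"Authentication-Results: {auth_results}\n" if auth_results else ""
    return f"{auth}From: {from_addr}\nSubject: test\n\nbody\n"


PASS = "mx.example.net; spf=pass smtp.mailfrom=securitytides.com; dmarc=pass"
ALLOW = ListEntry("allow", "securitytides.com", subdomains=True)
BLOCK = ListEntry("block", "google.com")
```

The gated allow entry only suppresses the warning for authenticated mail, so an unauthenticated message that merely claims the same FROM domain is still evaluated normally.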

...

Editing Allow and Block List

Allow list and block list entries are now editable. These allow list options can be set when performing allow list message actions, when manually adding entries via CSV input, or via the More Info > Edit interface.

To learn more please review: Editing Allow and Block List

Add/Remove/Edit User Level Allow and Block List

Admins can now manually add (and edit) user-specific allow and block entries, as well as manually add Blocked Sender entries (for specific users or at the team level), via the CSV input option.

To learn more please review: Add/Remove/Edit User Level Allow and Block List

Enhancement - Alert Indicator for Permissive Allow and Block entries

On the https://app.inkyphishfence.com/settings/allow-list and https://app.inkyphishfence.com/settings/block-list pages you’ll now see an Alert column indicating whether an entry added to either list is too permissive or too restrictive.

For example, the below entry is an Allow List entry for First-Time Sender with a criteria of “None”, meaning it matches every new message received, so the First-Time Sender threat category is never applied again. With First-Time Sender completely disabled, this is a very permissive allow list entry of the kind these new warnings are meant to highlight to admins.

...

Burst Detection

Burst Detection will gradually roll out. If you are under a Burst Attack—often referred to as a Spam Bomb, Subscription Attack, Email Bomb, Email Flood Attack, or Email Storm—please reach out to support@inky.com to have this feature enabled specifically for your team or organization.

INKY introduces Burst Detection, a powerful new feature to help administrators detect and respond to sudden surges in email volume targeting specific recipients over a short period. These bursts can be part of a strategy to overwhelm or distract users, often paired with unsolicited tech support calls or other suspicious offers to help “resolve” the issue.

Configuration can be found on: https://app.inkyphishfence.com/settings/analysis

Learn more here: Burst Detection

Info

You can configure Burst Detection at either the team level or the organization level to apply consistent detection parameters across all teams. Any team-level setting will override the organization-level values.

With the new Burst Detection feature, administrators can configure:

  1. Burst Interval (seconds)
    Define a time window — for example, 300 seconds — within which to measure a surge in email volume.

  2. Message Threshold
    Set the minimum number of messages (e.g., 20) needed to trigger detection of a burst in that time interval.

  3. Burst Mode Cache Duration (seconds)
    Keep a recipient in “burst mode” for a set duration after the initial burst detection to ensure continued protection, even if the volume temporarily dips.

  4. Ignore Senders/Recipients for Burst Detection
    Specify email addresses or domains that should never trigger or be flagged as part of a burst (useful for high-volume internal senders or privileged services).

  5. Result Bucket
    Choose the category (e.g., “Caution (Spam)”) that INKY assigns when a message is detected as part of a burst.

  6. Delivery Target
    Override the delivery action (e.g., route to “Junk Folder”) for burst-detected messages.

  7. Exclude Internal or Trusted 3rd Party Messages
    Automatically skip internal or trusted third-party messages from burst calculations.

  8. Exclude Known External Messages
    Similarly, skip known external, trusted contacts from contributing to burst detection.

...

How It Works

When a sudden surge in email volume meets or exceeds the specified “Message Threshold” within the configured “Burst Interval,” the target recipient is immediately considered in “burst mode.” Messages are flagged under the “Suspicious Mail Burst” threat category, and INKY will apply the configured result bucket and delivery target for the duration of the “Burst Mode Cache.”
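The interaction of Burst Interval, Message Threshold, Burst Mode Cache Duration and the ignore list can be seen in a small per-recipient sliding-window model. This is an added example, not INKY's implementation: the class, its field names and the 900-second cache value are assumptions, the traffic is constructed, and the internal/known-external exclusions are not modelled.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class BurstDetector:
    burst_interval: int = 300         # "Burst Interval (seconds)"
    message_threshold: int = 20       # "Message Threshold"
    cache_duration: int = 900         # "Burst Mode Cache Duration"; value assumed
    ignored: frozenset = frozenset()  # addresses or domains never counted/flagged
    windows: dict = field(default_factory=lambda: defaultdict(deque))
    burst_until: dict = field(default_factory=dict)

    def is_ignored(self, address: str) -> bool:
        address = address.lower()
        return address in self.ignored or address.rpartition("@")[2] in self.ignored

    def observe(self, ts: float, sender: str, recipient: str) -> bool:
        """Record one delivery; return True if it counts as burst mail."""
        if self.is_ignored(sender) or self.is_ignored(recipient):
            return False
        rcpt = recipient.lower()
        window = self.windows[rcpt]
        window.append(ts)
        # Drop timestamps that have aged out of the burst interval.
        while window and window[0] <= ts - self.burst_interval:
            window.popleft()
        in_burst = ts < self.burst_until.get(rcpt, 0.0)
        if not in_burst and len(window) >= self.message_threshold:
            # Threshold met: keep the recipient in burst mode for the cache duration.
            self.burst_until[rcpt] = ts + self.cache_duration
            in_burst = True
        return in_burst


def demo() -> list:
    """Replay constructed traffic: a 25-message flood, a dip, then quiet mail."""
    det = BurstDetector(ignored=frozenset({"corp.example"}))
    victim = "victim@example.com"
    events = [(i * 5, f"list{i}@bulk.example", victim) for i in range(25)]
    events.append((125, "hr@corp.example", victim))    # ignored sender domain
    events.append((600, "one@bulk.example", victim))   # volume dipped, cache active
    events.append((2000, "two@bulk.example", victim))  # cache has expired
    return [det.observe(*event) for event in events]
```

In this replay the first 19 messages pass untouched, the 20th trips the threshold, and the lone message at 600 seconds is still flagged because the recipient remains in burst mode even though the window has emptied.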

Use Burst Detection to protect against potential social engineering attacks that rely on message spamming, or to stay alert when a specific user suddenly becomes a high-volume email target.

For more information on setting up or fine-tuning Burst Detection, refer to your INKY documentation or contact your INKY support representative.

ENHANCEMENT - New Brand Impersonation Filter

The Dashboard Widget Filter Editor has a new capability under Analysis → Brand Impersonation to filter messages based on the detected brand’s domain. Selecting a specific brand’s domain, or multiple brand domains, retrieves a list of messages that INKY has identified as Brand Impersonation for the selected brand.

...

ENHANCEMENT - Enhanced Email Header Inspection for Improved Security

With this update, hovering over the From and Reply-To email addresses in a message header displays a popup that renders the address in a monospaced font and in lowercase. This design improvement helps users quickly identify confusable characters and spot potential phishing attack vectors with greater ease.

...

ENHANCEMENT - Improved Filter Descriptions

We've added concise, helpful descriptions to some of the less obvious filters in the Filter Editor. For example, the Brand Impersonation Filter now includes guidance on detecting impersonations based on a brand's primary domain. These updates make it easier to understand and configure filters for your security needs.

...