Best Practices for Creating Exceptions

Summary

When INKY’s real-time assistant classifies a message or URL in a way you would rather your users were not exposed to, it may be necessary to create an exception in your INKY Dashboard. Exceptions can be created to suppress specific threat categories, or to apply a threat category to a sender in the event of a false-negative detection. This article provides INKY’s recommended best practices for avoiding an overly broad allow or block entry that could cause problems with how messages are classified.

Incorrect Banner Classification

False Positive

False-positive detections occur when a message is undesirably classified with a “Danger” or “Caution” banner instead of “Neutral”. Creating an allow list entry will prevent future messages originating from the sender from being undesirably classified.

To create an allow list entry, navigate to the Observations tab in your INKY Dashboard and select the message that was incorrectly classified as dangerous.

Select the “Allow List Actions” tab at the top of the message view.

The allow list actions that are available are dynamic based on the threat categories the message was marked as. In this example, the message was classified as Phishing Content, Sensitive Content, and First-Time Sender. Therefore, the allowed list actions will correspond to the threat categories listed. There will also be a Do Not Warn About ANY Threats option available as this populates on every message.

INKY recommends creating the most specific allow entry possible. You should only create more broad exceptions when you trust the sender and there is a legitimate reason to do so.

Example 1: The sender uses multiple email addresses within the same domain, and all of them are incorrectly flagged. In this scenario, a domain allow may be necessary.

Example 2: The sender’s domain is inconsistent and the sending mail server is a dedicated instance with a low risk of being compromised. In this scenario, a hostname allow may be necessary.

Most Specific to Most Broad:

  • Sender's email address for one specific threat category

  • Sender's email domain for one specific threat category

  • Sender's email address for multiple threat categories

  • Sender's email domain for multiple threat categories

  • Do not warn about any threats for the sender's email address

  • Do not warn about any threats for the sender's email domain

  • Do not warn about any threats for the sender's mail server hostname

  • Do not include any <Threat Category> warnings (regardless of the sender or other criteria)

Warning: By selecting this allow entry, the specific threat category will be disabled for ALL messages going forward. (i.e., if you select “Do not include any Phishing Content warnings (regardless of the sender or other criteria)”, no message processed by INKY from that point on will be analyzed for Phishing Content.)

This is a very powerful allow entry and should be used with caution.
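To make the difference in scope concrete, the following added example (not INKY’s code; a hypothetical model of the entry types above) counts how many messages in a constructed sample set each rung of the ladder would silence. Sender addresses, hostnames and the match logic are assumptions for illustration only.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Message:
    sender: str               # From address (constructed sample value)
    mail_host: str            # sending mail server hostname
    threats: frozenset[str]   # threat categories attached to the banner

@dataclass(frozen=True)
class AllowEntry:
    scope: str                          # "address", "domain", "hostname" or "any"
    value: str | None                   # matched value; None when scope == "any"
    categories: frozenset[str] | None   # None = "Do Not Warn About ANY Threats"

    def matches(self, msg: Message) -> bool:
        if self.scope == "address":
            return msg.sender.lower() == self.value.lower()
        if self.scope == "domain":
            return msg.sender.rpartition("@")[2].lower() == self.value.lower()
        if self.scope == "hostname":
            return msg.mail_host.lower() == self.value.lower()
        return True  # "any": regardless of the sender or other criteria

    def suppressed(self, msg: Message) -> frozenset[str]:
        """Threat categories this entry would remove from msg's banner."""
        if not self.matches(msg):
            return frozenset()
        return msg.threats if self.categories is None else msg.threats & self.categories

def blast_radius(entry: AllowEntry, messages: list[Message]) -> int:
    """Number of messages that lose at least one warning because of entry."""
    return sum(1 for m in messages if entry.suppressed(m))

PHISH, FTS, SENS = "Phishing Content", "First-Time Sender", "Sensitive Content"
SAMPLE = [  # constructed messages standing in for Observations-tab entries
    Message("billing@vendor.example", "mx1.vendor.example", frozenset({PHISH, FTS})),
    Message("alerts@vendor.example", "mx1.vendor.example", frozenset({PHISH})),
    Message("noreply@vendor-mail.example", "mx1.vendor.example", frozenset({PHISH})),
    Message("ceo@partner.example", "smtp.shared-relay.example", frozenset({PHISH, SENS})),
    Message("promo@other.example", "smtp.shared-relay.example", frozenset({PHISH})),
]
LADDER = [  # same order as the article: most specific first
    ("address, one category", AllowEntry("address", "billing@vendor.example", frozenset({PHISH}))),
    ("domain, one category", AllowEntry("domain", "vendor.example", frozenset({PHISH}))),
    ("address, any threat", AllowEntry("address", "billing@vendor.example", None)),
    ("domain, any threat", AllowEntry("domain", "vendor.example", None)),
    ("hostname, any threat", AllowEntry("hostname", "mx1.vendor.example", None)),
    ("no Phishing warnings at all", AllowEntry("any", None, frozenset({PHISH}))),
]

def ladder_counts(messages: list[Message] = SAMPLE) -> list[int]:
    return [blast_radius(entry, messages) for _, entry in LADDER]
```

Running `ladder_counts()` on the sample set returns `[1, 2, 1, 2, 3, 5]`: the last rung touches every message carrying that category, including the unrelated senders behind the shared relay.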

Spoofed Internal Sender

If your organization uses a third-party service that intentionally spoofs any of your internal domains, INKY will classify these messages as a Spoofed Internal Sender. The recommended approach to allow these types of false positives is to create a trusted third-party entry in your INKY Dashboard. Trusted third-party sender entries should only be created for services and/or senders that you trust and that have a low risk of becoming compromised. This type of entry will allow the sending server to spoof your domain at any time in the future.

Never create a trusted third-party entry for a shared hostname or IP address such as Office 365, Google Workspace, Gmail, Outlook, or Amazon Web Services (AWS). Creating an allow entry for broad services like these could allow an attacker to spoof your domain while evading detection. Contact support@inky.com for assistance.

To create a trusted third-party entry from the message itself, navigate to the Observations tab in your INKY Dashboard and select the message that was incorrectly classified as dangerous.

Select the “Policy Actions” tab at the top of the message view.

If the sending server is recognized by INKY, there will be multiple options to create a trusted third-party entry (as shown in the screenshot above). In this specific example, the best option is to choose “Add prnewswire.com as a trusted third-party sender”. Services like PRNewswire, Salesforce, Mailchimp, etc. have multiple IP addresses that they send mail from. This type of entry will ensure that any IP address that exists in the service's SPF record will be recognized as a trusted third-party sender.

Occasionally, you may receive mail from a mail server that intentionally spoofs your domain but isn’t a well-known service. In these cases, you’ll need to create an exception by IP address. ONLY do so if you trust the mail server and it is a dedicated instance with a low risk of becoming compromised.

In the event that the sender is a non-recognized service that uses multiple IP addresses, or the mail server is shared, you can create an entry for the email address itself. This type of entry will allow ANY mail server to spoof a specific email address and should be used with caution.

Spoofed VIP

Messages that are classified as a Spoofed VIP can be bypassed in one of two ways.

  1. VIP List Bypass (Recommended)
    Email addresses entered into the VIP list are considered trusted and will bypass the Spoofed VIP check. To create an exception, simply add a new entry with the VIP’s name and their trusted email address. It’s common to have multiple entries for the same display name if that person has multiple external email addresses that they regularly use.

    In this example, matt.smith@polvocapital.onmicrosoft.com and matt.smith@polvocapital.com will bypass Spoofed VIP checks if the sending display name is “Matt Smith”.

  2. Allow List Exception
    The allow list bypass is typically used when one email address spoofs many different users on the VIP list. This is common with services like Google Docs that relay notifications using the sender's name, but always originate from the same email address. To create an allow list exception, navigate to the Observations tab and select “Allow List Actions”.

False Negative

False-negative detections occur when a message is incorrectly classified with a “Neutral” banner instead of “Danger” or “Caution”. Creating a blocklist entry will prevent future messages from the sender from being incorrectly classified. In addition to creating a blocklist entry, we recommend reporting the message as “Spam” or “Phish” using the “Report This Email” link in the message. Reporting the message sends feedback to INKY’s data analysis team and will help us mitigate false-negative detections in the future.

To create a blocklist entry, navigate to the Observations tab in your INKY Dashboard and select the message that was incorrectly classified as neutral.

Select the “Block List Actions” tab at the top of the message view.

INKY has four block list options:

  • Always mark mail from <Email Address> as Spam Content

  • Always mark mail from <Domain> as Spam Content

  • Always mark mail from <Email Address> as Phishing Content

  • Always mark mail from <Domain> as Phishing Content

When deciding between classifying the message as “Spam Content” or “Phishing Content”, it’s important to take the severity of the message into account. Messages that are simply a nuisance like daily newsletters should be classified as “Spam Content”, while messages that contain malicious content should be classified as “Phishing Content”.

Microsoft 365/Google Workspace Clients Only:

If your account currently has delivery settings enabled under Settings > Delivery, marking the message as Spam Content will classify the message as Caution (High Confidence Spam), and marking the message as Phishing Content will classify the message as Danger (High Confidence Phish or Malware). Future messages from the sender will then route to the destination configured in your delivery settings.

In the example below, Caution (High Confidence Spam) messages will route to the user's junk folder, and Danger (High Confidence Phish or Malware) messages will route to the administrative quarantine.

Link Rewriting Exceptions

If Link Rewriting is enabled on your account, INKY will rewrite all URLs found in the body of your messages. By default, if the message is classified as “Danger”, every link click will present the user with an INKY landing page that explains why the link may be unsafe and a screenshot of the URL’s destination. The user will not be able to proceed to the URL if the following setting is enabled under Settings > Markup > Link Rewriting:

Administrators can allow the false-positive URL detection after the message has been delivered to the user's mailbox and prevent the same URL from being rewritten in the future if the issue persists. Please see the following KB to create an exception and/or allow the URL post-delivery:
