What do the different color banners mean?
A gray banner indicates that INKY Phish Fence did not find anything unusual or suspicious about the message. Even though the message was not classified as threatening, you should always check the displayed sender address and the source type to be sure it makes sense (e.g., an external webmail address for a message from a colleague may be cause for concern).
A yellow banner indicates that INKY Phish Fence found something unusual about the email message. It is not necessarily phishing or dangerous but something you should be aware of. For example, a request for sensitive personal information should be given extra scrutiny. Mail that seems out of the ordinary or like it may be spam may receive a yellow banner.
A red banner indicates that INKY Phish Fence thinks the message is suspicious and likely to be phishing or dangerous in some other way. This includes brand impersonations (e.g., a fake “account alert” email from your IT department), blocked phishing URLs, or attempts to spoof mail to look like it came from an internal company account.
See the INKY Banner Guide.
What should I do if I receive an email with a yellow banner?
Look carefully at who the mail is from and whether it is from someone you trust. Be especially careful about clicking any links in the body of the email or opening any attachments.
What should I do if I receive an email with a red banner? Why did I receive it if it’s considered dangerous?
In most cases, you can simply delete the message and move on. In many INKY Phish Fence deployments, your IT staff, security team, or email administrator will configure your mail server to quarantine or delete “red-flagged” mail before it reaches your mailbox. In other cases, the mail will still be delivered with the banner telling you to be careful.
What does the “Report This Email” link do? How do I provide feedback on INKY's analysis?
From each banner type, you may actively help identify and report spam and phishing attempts in order for INKY to learn to flag these in the future, and to continually grow smarter.
If you think INKY has made a wrong classification, or if you just want to confirm that Inky got it correct, click the Report This Email link found in the bottom right corner of each banner. This will take you to a web form where you can indicate that the message is truly Safe, Spam, or Phishing. You can also provide a comment describing your assessment. This feedback is used to automatically improve INKY’s predictions in the future. Your submissions are also manually reviewed to improve the overall system and ensure Inky provides the most accurate security possible.
If you or an end-user clicks on a suspicious link within an email, INKY will provide a screenshot of the webpage tied to that link, and a description of why the link was categorized as malicious. From here, you will be able to either proceed or not to the webpage (admin settings may vary).
Why do I see an INKY Phish Fence page when I click a link in an email?
Part of INKY’s protection is the ability to perform real-time checks on any links you click. If this feature is enabled, clicking on links in a yellow or red banner email will take you to a page reiterating that INKY found the message to be unusual or suspicious. In some cases, a message that originally only had a grey banner contains a link that is later detected as a dangerous phishing URL. In that case, when you click the link, INKY’s real-time check will detect you clicked on a bad link, and you’ll be met with a blocker page alerting you of that fact.
How does Inky handle password protected files?
When a password-protected file is received, INKY is unable to analyze the contents. This is because the contents are encrypted so there’s no way for INKY to sandbox the file on our end. The actual message contents will be analyzed like any other message. It’s purely an encrypted attachment that cannot be scanned.
As they look to improve the product and include a more granular attachment sandbox, they may implement an option to hold encrypted files/documents for admin review. This can also be done in Office 365 using a transport rule.
Documentation: INKY Encrypted Archives & Documents Documentation. This document can be sent to customers to help resolve any encrypted file issues.
Uninstall or Reinstalling INKY for Office 365 Tenants
Follow the Email Protection Installation Guide in the Barracuda XDR Dashboard. If you have not been granted access to the dashboard, contact your Enablement Team or Account Manager.
Barracuda XDR Dashboard: https://dashboard.skoutsecure.com/
Banners on Emails - Is there a way we could adjust the email filter to detect and add an INKY banner to forwarded emails?
Example: When a user forwards an email that was given a phishing warning banner at the top, the recipient would receive a copy of the email that no longer displays the warning banner.
Result: This is expected behavior. Any time a user sends a message with an INKY banner, it automatically hits our outbound banner stripper. This is for outbound and internal messages. Barracuda XDR can adjust customer settings if the client is on Office 365 or Google Workspace so that messages forwarded internally won’t get sent to our banner stripper.
INKY Delivery Settings
Enabling INKY Delivery Settings gives you the option to customize where certain bannered emails go. INKY provides a recommended setting which can be applied to any environment if you would like Barracuda XDR to enable these settings. If you do not enable Delivery Settings, all emails will go into a user’s inbox. If Delivery Settings are not enabled, Default Mapping is also not enabled and that all emails, no matter the banner (neutral, yellow, red), go to the user's inbox. Reach out to the SOC or your enablement associate if you want these delivery settings enabled.