SWe have been evaluating a service called INKY, to step up our phish protection for customers.
Wait. Phish protection. I thought we already solved that problem.
Not entirely. Three facts about information security remain true.
- Most network breaches occur due to compromised account credentials (usernames and passwords).
- Users will sometimes disclose their account credentials via a phishing enticement.
- The number-one vehicle for phishing enticements is… email.
But then, you knew that.
You need phish protection. You may need more than one layer of phish protection. That is where INKY comes in.
If You Are Using Microsoft, Keep Doing That
If you are an Office 365/Microsoft 365 subscriber, you have heard us advocate for two security features: Safe Links and Safe Attachments. These are part of Microsoft Defender for Endpoint, as part of Azure Information Protection Plan 2. Ya, never mind.
Safe Links “wraps” any URL found in an email, such that if the user clicks on the link, it is first “detonated” in a sandbox and the user is told if the link is malicious or not. Safe Attachments does the same thing for email attachments.
These security features are great. You should enable them if you have not done so already. We have written about this before.
The Phish Protection Case for INKY
So, why bother with INKY? We like INKY for these reasons.
- INKY is fast. Really fast. Have you ever noticed an email notification come in on your phone, and then follow on your computer a minute or so later? That delay happens because Microsoft Defender is analyzing the URLs and attachments associated with the message. It is not a huge deal, unless your boss is someone who sees the delay and complains to you that the email server must be broken. (And, if you continue to run Defender, as we recommend, you will continue to see this email delivery delay.)
- INKY judges the safety of an email by looking at all the emails it has seen across all its customers. I have talked about taking advantage of this “big data” phish protection effect before. INKY has the dirt on this email. They have seen where else it has been delivered, what other people have said about it, and so on. INKY does not rely just on your organization’s mailbox to judge the safety of the email.
- INKY uses some AI-ish techniques to judge the safety of an email. Has the domain been impersonated before? Are there words or phrases commonly found in phishing and scam messages? What is the pattern of who the message has been delivered to?
- INKY has a nice phishing awareness and education component. INKY, like Microsoft Defender, displays a banner to indicate that a message is not safe (it color-codes the banner depending on how sure Inky is that the message is unsafe.) In the banner message, INKY gives you some information about why it considers the email problematic. And (the cool part) it links to information that tells the user what is happening and why that might be a problem.
Now, remember that phishing awareness and education still matter. You do not want to rely on users following a link in a message to learn about phishing techniques. That said, it is nice to illustrate the principle using a real-world example the user has just seen.
You can use INKY as configured, no problem. But you will want to fine-tune the service to eliminate as many dangerous emails as possible from even getting to a user’s mailbox. There are several filters and rules you can set to do this. You can set some rules and then scan your existing mail content. This lets you see if the rules are working the way you intended.
We are working with a customer now who is going through this process. Results are promising so far.
Want to try INKY out? Let me know and I can make it happen. At least, go to the INKY website so you can see the hip octopus that is part of their logo.