Phish Fence Explained
Phish Fence is INKY's core anti-phishing engine that analyzes every inbound, internal, and outbound email to detect and block threats before they reach your users. It combines multiple detection methods—including AI, computer vision, sender authentication, and behavioral analysis—to identify phishing attempts, malware, and social engineering attacks that traditional security tools miss.
Written By Matt Sywulak
Last updated 4 months ago
Who Needs This
All INKY customers use Phish Fence as the foundation of their email security. It's included in Standard, Professional, and Advanced bundles, with enhanced capabilities available in higher tiers. Whether you're protecting 50 users or 50,000, Phish Fence operates continuously in the background, analyzing every message.
What Phish Fence Protects
Phish Fence monitors email in three directions:
Inbound mail arriving from external senders gets analyzed for phishing attempts, malware, domain spoofing, and social engineering. This is where most threats enter your organization.
Internal mail between users in your organization gets scanned to detect compromised accounts, insider threats, and lateral phishing attacks. If an attacker gains access to one account, Phish Fence prevents them from spreading further.
When users forward or reply to emails, INKY automatically removes the Email Assistant banner before sending. This prevents external recipients from seeing your internal security warnings and, more importantly, allows Phish Fence to rescan the forwarded message for internal mail protection. If someone forwards a phishing email internally, Phish Fence analyzes it fresh and applies appropriate warnings for the recipient.
Outbound mail sent to external recipients gets checked for phishing content to protect your organization's reputation and prevent your users from unknowingly forwarding threats. This is separate from DLP (Data Loss Prevention) features—Phish Fence focuses specifically on detecting malicious content, not sensitive data.
How Phish Fence Works
Phish Fence uses a layered detection approach, analyzing each email through multiple security engines simultaneously. Think of it as multiple expert security analysts examining the same email from different angles.
Layer 1: Email Fundamentals
Phish Fence starts by extracting and indexing core email information—headers, sender details, routing data, and metadata. This foundation enables all subsequent analysis.
Indexing and information retrieval processes the technical structure of each email, parsing headers to identify the true sender, routing path, and authentication results. This reveals when emails are spoofed or improperly configured.
Sender authentication validation checks SPF, DKIM, and DMARC records to verify the email actually came from the claimed domain. Failed authentication is a red flag that triggers deeper analysis.
Layer 2: Visual and Content Analysis
Once Phish Fence understands the email's structure, it analyzes what the email looks like and what it contains.
Computer vision examines the visual layout and design of emails to detect brand impersonation, fake login pages, and hidden content. Attackers often create pixel-perfect copies of legitimate company emails—computer vision catches these by comparing visual elements against known legitimate designs.
Structural content analysis looks at how the email is formatted and organized. Attackers hide malicious links in images, use invisible text, or manipulate HTML to evade traditional security. Phish Fence deconstructs the email structure to expose these hidden threats.
Layer 3: Threat Detection Engines
With the email's structure and visual content understood, Phish Fence activates specialized detection engines.
AI-based phishing detection uses machine learning models trained on millions of known phishing attacks to identify patterns, tactics, and techniques attackers use. This catches variations of known threats and identifies new attacks that follow familiar patterns.
Domain lookalike detection identifies spoofed domains that visually resemble legitimate ones—like "rn" instead of "m" (rnicrosoft.com vs microsoft.com) or alternate TLDs (paypal-security.net vs paypal.com). Attackers register these domains specifically to fool users.
Conversation hijack detection identifies when attackers insert themselves into existing email threads. This sophisticated attack method involves compromising one account, monitoring conversations, then injecting malicious replies that appear to continue the legitimate discussion.
Layer 4: Link and Attachment Analysis
Links and attachments are the two primary attack vectors in phishing emails. Phish Fence analyzes both in real-time.
URL time-of-click protection rewrites links to route through INKY's analysis system. When a user clicks a link, Phish Fence checks the destination URL in real-time, following redirect chains and analyzing the final landing page. This catches threats that activate after the email passes initial security checks.
QR code detection scans images for embedded QR codes, decodes them, and analyzes the destination URLs. Attackers increasingly use QR codes because traditional security tools can't read them—Phish Fence can.
Geo-blocking checks if links point to suspicious geographic locations known for hosting phishing sites or malware. Links to certain high-risk countries can trigger warnings or blocks based on your policy.
Signature-based attachment analysis compares file hashes against databases of known malware. This catches established threats quickly.
Attachment URL and content analysis examines files for embedded links, macros, and suspicious code. Attackers hide malicious URLs inside PDF files, Office documents, and other attachments—Phish Fence extracts and analyzes these.
Zero-day malware analysis (Professional and Advanced only) uses sandboxing to safely execute suspicious attachments in an isolated environment. This detects brand-new malware that has never been seen before, catching threats that signature-based detection misses.
Layer 5: Intent and Behavioral Analysis
The most sophisticated layer analyzes what the attacker is trying to accomplish.
INKY GenAI intent analysis (Professional and Advanced only) uses generative AI to understand the meaning and intent behind email content. Rather than just matching keywords, GenAI comprehends context—identifying ultimatums, credential requests, payment demands, and social engineering tactics even when phrased in subtle or unusual ways.
GenAI assigns intent labels like Ultimatum, Credential Request, Payment Request, Service Disruption, Support Line, Cold Email, Link-Heavy, and Nudge. These intent labels appear in the administrator dashboard for threat analysis and help administrators understand attack patterns and refine policies. The GenAI intent detection drives the threat categories that users see in their INKY Email Assistant banners, giving users actionable information without overwhelming them with technical details.
Advanced graymail detection (Professional and Advanced only) identifies bulk, promotional, and unwanted email that isn't quite spam but clutters inboxes. Phish Fence learns your organization's patterns to distinguish legitimate newsletters from suspicious mass mailings.
Dangerous reply detection (Advanced only) analyzes outbound replies to check if users are responding to phishing emails. If someone clicks "Reply" to a threat that slipped through, this feature catches it before the user sends credentials, financial information, or other sensitive data to attackers.
How Phish Fence Categorizes Threats
After analyzing an email through all detection layers, Phish Fence assigns threat categories based on what it detected. These categories determine the color and severity of the INKY Email Assistant banner that users see—whether the email gets blocked, delivered with a warning, or passed through with informational context.
Red banners (Danger) mark highly dangerous emails that pose immediate threats. These are confirmed or highly likely phishing attacks, malware, or fraud attempts. Red banners come in two levels:
Danger (Phish or Malware) - Dangerous threats that may include spam-related indicators, but other threat indicators are significant enough to classify as dangerous
Danger (High Confidence Phish or Malware) - Messages matching exact known threat profiles that have been previously reported or confirmed malicious
Threat categories triggering red banners include Known Phishing Campaigns, Malware Detected, Severe Authentication Failures, Confirmed CEO Fraud, Links to Known Malicious Websites, and suspicious QR Codes from unknown senders.
Yellow banners (Caution) indicate suspicious emails that aren't confirmed threats but show warning signs requiring user judgment. Yellow banners also come in multiple levels:
Caution (Non Spam) - Suspicious indicators unrelated to spam content
Caution (Spam) - Messages containing spam-related threat details
Caution (High Confidence Spam) - Known or very likely spam content with other possible threat details
Threat categories triggering yellow banners include First-Time Sender, Display Name Spoofing, Lookalike Domains, Suspicious Links, Graymail (bulk/promotional email), Spam Content, Urgency Language, Unusual Requests, Sender Authentication Issues, and GenAI-detected intent patterns (Professional/Advanced bundles).
Blue banners (Known External) identify authenticated external senders that your organization has designated as trusted business contacts. These senders are on your Known External Sender list, have passed authentication checks, and are recognized as frequent legitimate business partners.
Gray banners (Neutral) provide context about external senders without indicating security threats. These are informational markers showing the email came from outside your organization but passed all security checks.
Administrators configure policies to control how INKY responds to different threat categories. You can set some categories to block automatically, others to deliver with warnings, and others to pass through with informational context. This flexibility lets you balance security and usability for your organization's specific needs.
Phish Fence in Action: Real-World Examples
CEO impersonation attack: An attacker spoofs your CEO's display name and sends an "urgent wire transfer" email to accounting. Phish Fence detects the mismatch between the display name and actual sender domain, identifies the urgency language, and notes this external sender is impersonating an internal executive. The email gets delivered with a red Danger banner showing threat categories: "Possible Spoofed Internal Sender" and "Suspicious Link." GenAI (Pro/Advanced) identifies this as an Ultimatum intent in the admin dashboard.
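The two checks behind this scenario and the lookalike paragraph in Layer 3, written here as an added Python example (not INKY's code): a confusable-folding comparison that maps rnicrosoft.com and paypal-security.net onto the brands they imitate, and a display-name check that flags an internal executive's name paired with an external address. The PROTECTED list, the EXECUTIVES directory and the last-two-labels registrable-domain rule are constructed assumptions.

```python
import re
import unicodedata
from typing import Optional

# Added example (not INKY's code). Protected brands and the executive directory
# are constructed sample data; a real deployment would load them from policy.
PROTECTED = ["microsoft.com", "paypal.com", "example.com"]
EXECUTIVES = {"pat lee": "pat.lee@example.com"}  # display name -> real address

# Character runs that read as another letter in common fonts: the page's
# "rn" vs "m" case plus a few other well-known confusables.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

def skeleton(domain: str) -> str:
    """Fold a domain to a visual skeleton so lookalikes collapse onto the genuine name."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))  # drop accents
    d = d.encode("ascii", "ignore").decode()                   # drop remaining non-ASCII
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d

def registrable(domain: str) -> str:
    # Assumption: the last two labels are the registrable domain (no public-suffix list).
    return ".".join(domain.lower().split(".")[-2:])

def lookalike_of(domain: str, protected=PROTECTED) -> Optional[str]:
    """Return the protected domain that `domain` impersonates, or None if genuine/unrelated."""
    reg = registrable(domain)
    if reg in protected:                      # the real thing, not a lookalike
        return None
    sk = skeleton(reg)
    brand = sk.split(".")[0]
    for p in protected:
        p_brand = p.split(".")[0]
        if sk == skeleton(p):                 # confusable swap: rnicrosoft.com -> microsoft.com
            return p
        if brand == p_brand or brand.startswith(p_brand + "-"):  # alt TLD / prefix: paypal-security.net
            return p
    return None

def display_name_spoof(from_header: str, execs=EXECUTIVES) -> bool:
    """True when the display name is an internal executive's but the address is not theirs."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<([^>]+)>', from_header)
    if not m:
        return False
    name, addr = m.group(1).strip().lower(), m.group(2).strip().lower()
    real = execs.get(name)
    return real is not None and addr != real
```

A production version would replace the two-label rule with a public-suffix list and extend CONFUSABLES with a full Unicode confusables table.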
Compromised vendor account: Your regular office supply vendor's email gets hacked. The attacker sends an invoice with an updated bank routing number. Phish Fence notices the email passes authentication (it's from the real vendor domain) but contains unusual payment urgency and links to a suspicious file-sharing site. Yellow Caution banner warns accounting with threat categories: "Suspicious Link" and "First-Time Sender" (if this specific person never emailed before). Users verify before paying.
Zero-day attachment: A user receives a resume attachment that contains brand-new malware never seen before. Signature-based detection finds nothing suspicious. Zero-day malware analysis (Pro/Advanced) executes the file in a sandbox, observes it attempting to download additional malicious payloads, and blocks the email with a red Danger (High Confidence Phish or Malware) banner showing "Malware Detected."
QR code phishing: An attacker sends a fake Microsoft 365 password reset notification with a QR code. Traditional security tools see it as just an image. Phish Fence decodes the QR code, follows the URL to a fake Microsoft login page, and identifies it as a credential theft attempt. Red Danger banner blocks the message with threat categories: "QR Code" and "Known Phishing Campaign."
Conversation hijacking: An attacker compromises a supplier's email, monitors an ongoing conversation about a project, then injects a message asking for payment to a new bank account. Conversation hijack detection notices the subtle shift in tone, unusual payment request mid-thread, and different sending IP address despite passing authentication. Yellow Caution banner alerts your team with "Suspicious Link" and prompts verification through a different channel.
Graymail management: A user receives their daily promotional email from a retailer they subscribed to years ago but no longer wants. Phish Fence identifies this as legitimate bulk content and delivers it with a yellow Caution banner showing "Graymail." The user clicks the Quick Action Link to report it as Graymail, adding the sender to their personal block list so future messages route to their Graymail folder or junk.
Configuration and Policy Management
Phish Fence requires minimal configuration to start protecting your organization—it works out of the box with intelligent defaults. However, administrators can tune detection sensitivity and customize responses.
Learning mode runs for the first 7-14 days, observing your email patterns without blocking messages. This builds baseline profiles for your organization's legitimate senders, communication patterns, and typical email content. After learning mode, Phish Fence enforces policies with higher confidence and fewer false positives.
Policy configuration determines how INKY responds to different threat categories. You can configure specific actions for each category—block immediately, deliver with red banner, deliver with yellow banner, or allow through. Most organizations use default settings, adjusting only after understanding their specific risk tolerance and user needs.
Block and allow lists override Phish Fence's automated decisions. Add trusted senders to allow lists to ensure their emails never get blocked. Add known malicious domains to block lists for immediate rejection. Use these sparingly—Phish Fence's detection is usually more accurate than manual lists.
Advanced Block List (Professional and Advanced) provides more sophisticated blocking capabilities, including regex patterns, bulk domain blocking, and temporary time-based rules.
Bundle-Specific Capabilities
All INKY bundles include Phish Fence's core protection—AI-based detection, computer vision, domain lookalike detection, conversation hijack detection, QR code scanning, URL protection, geo-blocking, spam filtering, and signature-based attachment analysis.
Professional and Advanced add:
Zero-day malware analysis
Advanced graymail detection
INKY GenAI intent analysis
Enhanced threat intelligence
Advanced exclusively adds:
Dangerous reply detection (outbound phishing protection)
Integration with DLP and custom outbound rules
Performance and Scalability
Phish Fence processes email in real-time with minimal latency, typically adding 1-2 seconds or less to email delivery. This near-instantaneous analysis is possible because the detection engines run in parallel, not sequentially.
The system scales automatically to handle email volume spikes, ensuring consistent protection during high-traffic periods. Whether your organization sends 1,000 or 1,000,000 emails daily, Phish Fence maintains the same analysis depth for every message.