Understanding INKY Basics

Reference guide covering how INKY detects threats, what warning banners mean, bundle differences, and core concepts.

Written By Matt Sywulak

Last updated: about 2 months ago


How INKY Detects Threats

INKY uses multiple AI-powered detection engines working together to catch sophisticated email threats:

Computer Vision AI

What it does: Actually sees and analyzes email visual elements like a human would

Catches:

  • Fake brand logos (slight variations from real logos)

  • Spoofed email designs (mimicking legitimate senders)

  • Visual impersonation (looks like Microsoft but isn't)

  • QR code phishing (visual analysis of QR content)

  • Screenshot-based attacks (text embedded in images)

Why it matters: Text-based email security can't see visual brand forgery. Computer vision catches threats other systems miss completely.

Example: An email claims to be from "Microsoft Security Team" with a perfect-looking Microsoft logo. Text analysis sees correct spelling. Computer vision sees the logo is slightly off-brand and flags it.

Generative AI (Professional/Advanced Bundles)

What it does: Understands email intent and detects AI-generated phishing attacks

Catches:

  • Ultimatum tactics ("Act now or account closes")

  • Credential harvesting requests

  • Payment fraud attempts

  • Service disruption threats

  • AI-generated phishing (GPT-powered attacks)

  • Cold reengagement scams

Why it matters: AI-generated phishing attacks increased 1,265% in 2024. Traditional pattern matching can't catch novel AI-written phishing.

Example: An AI-generated email perfectly mimics your CEO's writing style and asks for an urgent wire transfer. GenAI detects the manipulative intent even though the text is flawless.

Included at no extra cost: INKY Professional includes GenAI. Competitors charge premium tiers for AI features.

Behavioral Analysis

What it does: Spots anomalies in sender behavior and communication patterns

Catches:

  • Display name spoofing (name looks right, email wrong)

  • Domain lookalikes (paypa1.com instead of paypal.com)

  • Unusual sender patterns (CEO emailing from personal account)

  • Social engineering tactics (urgency, fear, authority)

  • Account takeover indicators (legitimate account behaving strangely)

Why it matters: Sophisticated attackers research targets and craft believable emails. Behavioral analysis spots subtle "something's not quite right" signals.

Example: An email appears to be from your CFO with the correct display name, but the email address is slightly different. Behavioral analysis flags the mismatch.
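The display-name and lookalike-domain checks described above, as an added illustration that is not INKY's own code: the contact directory, trusted domains and confusable-character table are constructed assumptions, and the similarity threshold is an arbitrary choice for the example.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr
from typing import List, Optional

# Constructed directory of names attackers like to impersonate (hypothetical data).
KNOWN_CONTACTS = {"jane doe": "jane.doe@example.com",   # the CFO
                  "paypal": "service@paypal.com"}
TRUSTED_DOMAINS = {"example.com", "paypal.com"}
# Substitutions used to build lookalikes: digit 1 for l, 0 for o, "rn" for m, "vv" for w.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("5", "s")]

def normalize(domain: str) -> str:
    """Fold confusable characters so that paypa1.com compares equal to paypal.com."""
    d = domain.lower()
    for bad, good in CONFUSABLES:
        d = d.replace(bad, good)
    return d

def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this domain imitates, or None if it is trusted or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        # Exact match after folding, or a near-identical spelling (one or two edits away).
        if normalize(domain) == trusted or SequenceMatcher(None, domain, trusted).ratio() >= 0.85:
            return trusted
    return None

def analyze_sender(from_header: str) -> List[str]:
    """Return the findings for a raw From: header value (an empty list means nothing odd)."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []
    expected = KNOWN_CONTACTS.get(display.strip().lower())
    if expected and addr != expected:
        findings.append(f"display name spoofing: '{display}' should be {expected}, not {addr}")
    target = lookalike_of(domain)
    if target:
        findings.append(f"lookalike domain: {domain} imitates {target}")
    return findings
```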

Link Analysis

What it does: Examines URLs in real-time at time-of-click

Catches:

  • Malicious link destinations

  • URL redirector chains (link goes through 5 redirects to hide destination)

  • QR code phishing (scans QR codes, checks destination)

  • Newly registered domains (fresh domains used for attacks)

  • Link reputation changes (legitimate link compromised after email sent)

Why it matters: Attackers use link obfuscation to hide malicious destinations. Time-of-click analysis catches threats that were safe when email sent.

Example: An email contains a link that looks legitimate. By the time the user clicks it 2 hours later, the destination has changed to a phishing site. INKY catches it at click time.

Sender Authentication

What it does: Validates technical sender authentication (SPF, DKIM, DMARC)

Catches:

  • Domain spoofing (sender claims to be from domain they don't control)

  • Failed authentication (email fails SPF/DKIM/DMARC checks)

  • DMARC policy violations

  • Lookalike domains pretending to be legitimate

Why it matters: Many phishing attacks fail basic authentication. This catches low-sophistication attacks quickly.

Example: An email claims to be from "paypal.com" but the SPF check shows it came from an unrelated server. Sender authentication flags it immediately.

DMARC Monitoring (Professional/Advanced): INKY can also monitor your own domain's DMARC reports to protect your brand from being spoofed.
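How the SPF/DKIM/DMARC checks above turn into a verdict, as an added example that is not INKY's code: it parses a constructed Authentication-Results header (the values, hosts and IP are made up) and applies DMARC-style relaxed alignment, so an SPF pass for the attacker's own domain does not vouch for a spoofed From: address.

```python
import re
from email.utils import parseaddr
from typing import Dict

# Constructed Authentication-Results values as a receiving gateway might stamp them (hypothetical).
AUTH_FAIL = ("mx.example.com; spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=mailer.bad-example.net; "
             "dkim=none; dmarc=fail action=quarantine header.from=paypal.com")
AUTH_PASS = ("mx.example.com; spf=pass smtp.mailfrom=bounce.paypal.com; "
             "dkim=pass header.d=paypal.com; dmarc=pass action=none header.from=paypal.com")

def parse_auth_results(value: str) -> Dict[str, str]:
    """Extract method=result pairs and the identity properties from an Authentication-Results value."""
    fields = {m.group(1): m.group(2) for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", value)}
    for prop in ("smtp.mailfrom", "header.d", "header.from"):
        m = re.search(re.escape(prop) + r"=([\w.-]+)", value)
        if m:
            fields[prop] = m.group(1).lower()
    return fields

def org_domain(domain: str) -> str:
    """Crude organizational-domain fold (last two labels); production code uses the Public Suffix List."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])

def authenticate_sender(from_header: str, auth_results: str) -> str:
    """Classify as 'pass', 'fail' or 'unauthenticated' using DMARC-style relaxed alignment:
    the SPF (envelope) or DKIM (signing) domain must share an org domain with the From: domain."""
    _, addr = parseaddr(from_header)
    from_domain = org_domain(addr.rsplit("@", 1)[-1])
    r = parse_auth_results(auth_results)
    spf_aligned = r.get("spf") == "pass" and org_domain(r.get("smtp.mailfrom", "")) == from_domain
    dkim_aligned = r.get("dkim") == "pass" and org_domain(r.get("header.d", "")) == from_domain
    if spf_aligned or dkim_aligned:
        return "pass"
    if "fail" in (r.get("spf"), r.get("dkim"), r.get("dmarc")):
        return "fail"            # explicit failure: spoofed or badly configured sender
    return "unauthenticated"     # nothing usable (spf=none, dkim=none); treat as unknown
```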

Content Analysis

What it does: Analyzes email text for suspicious patterns and keywords

Catches:

  • Urgency language ("immediate action required")

  • Suspicious keywords (password reset, verify account, confirm payment)

  • Unusual requests (gift cards, wire transfers, credentials)

  • Credential harvesting forms

  • Malware attachments

Why it matters: While not as sophisticated as GenAI, content analysis provides fast first-pass detection.

Example: Email contains phrases like "urgent wire transfer needed" and "don't tell anyone." Content analysis flags the social engineering attempt.

Social Graphing

What it does: Maps your organization's email communication patterns

Catches:

  • First-time senders who aren't in your normal network

  • Unusual communication paths (why is vendor emailing employee directly?)

  • Relationship anomalies

Why it matters: Prevents banner fatigue during learning mode by understanding legitimate communication patterns.

Example: INKY learns your sales team regularly emails certain customers. Those customers won't trigger "first-time sender" warnings after learning.


Warning Banner System

Overview

INKY adds visual warning banners to emails when threats or informational flags are detected. Banners appear on BOTH internal and external emails and include tags indicating whether the email came from inside or outside your organization.

Banner components:

  • Color - Indicates threat level (gray/yellow/red) or trust status (blue)

  • Tag - Shows "Internal" or "External" to indicate email origin

  • Message - Explains specific concerns in plain language

Philosophy: Transparent AI. Users see exactly what was caught and why, building trust and security awareness.

Languages: Banners available in 35 languages.

Blue Banner: Known External

When it appears: Email from recognized/trusted external sender

Tag: "External"

Message examples:

  • "Known External Sender"

Meaning: This sender is from outside your organization but is recognized and trusted in your network.

User action: No action needed. Purely informational awareness that email is external but trusted.

Frequency: Common on external business communication with regular partners/vendors

Purpose:

  • Differentiate trusted external from internal email

  • Build awareness without alarm

  • Indicate sender is in known network

Note: Blue is the ONLY banner that doesn't include neutral/caution/danger color coding—it's specifically for known/trusted external senders. However, users should still exercise a normal level of caution.

Gray Banner: Neutral

When it appears: Email has neutral/informational flags but no suspicious or dangerous indicators

Tag: "Internal" or "External"

Meaning: INKY wants you to be aware of this email's origin or context but found no threats.

User action:

  • Review context (do you know this sender?)

  • No action needed if expected

  • Safe to interact with if communication makes sense

  • Report if unexpected despite no warnings

Purpose:

  • Differentiate internal from external communication

  • Indicate sender is not yet in known network (for external)

  • Provide awareness without alarm

  • Allow legitimate new contacts

Note: Gray is neutral—not dangerous, not suspicious, just informational. Think of it as "FYI" level awareness.

Yellow Banner: Caution

When it appears: Email has suspicious indicators OR is bulk/promotional content (graymail)

Tag: "Internal" or "External"

Meaning: INKY found concerning indicators. Proceed carefully, verify if unexpected.

User action:

  • Read the specific warning explanation

  • For graymail: No action if wanted, unsubscribe if unwanted

  • For suspicious indicators: Verify sender through separate channel if request is unexpected

  • Avoid clicking links or downloading attachments until verified

  • Report if you believe it's phishing

  • Proceed cautiously if you're confident it's legitimate

Purpose:

  • Empower users to make informed decisions

  • Provide specific context (not generic "be careful")

  • Flag bulk/promotional content for inbox management

  • Allow legitimate-but-unusual emails while warning users

  • Catch potential account compromises (internal senders behaving oddly)

Not a block: Yellow emails are delivered. Users decide whether to interact.

Note on Internal yellow banners: Yes, internal emails can get yellow banners—compromised accounts, unusual behavior, or suspicious links from internal senders are real threats.

Note on Graymail: Graymail is a specific threat category for legitimate bulk/promotional email (newsletters, marketing). It appears as a yellow caution banner to help users identify low-priority mail, not because it's dangerous.

Red Banner: Danger

When it appears: Email is highly dangerous or definitively malicious

Tag: "Internal" or "External"

Meaning: This email is dangerous. Do not interact with it.

User action:

  • DO NOT click any links

  • DO NOT download attachments

  • DO NOT reply

  • Report to IT immediately

  • Delete (or IT will quarantine)

Frequency: Less than 1% of emails

Purpose:

  • Prevent interaction with confirmed threats

  • Clearly communicate danger level

  • Protect users from obvious malicious content

  • Alert to compromised internal accounts

Often quarantined: Many red banner emails are automatically quarantined and never reach the inbox. If a user sees a red banner, it means IT chose to deliver the email with a warning rather than block it (or it is being monitored).

Note on Internal red banners: Compromised internal accounts are serious threats. Red banners on internal emails indicate the account is likely compromised and sending malicious content.


Banner Customization

Administrators can customize banner appearance and messaging:

Customization options:

  • Banner text and messaging on specific threat categories

  • Company logo/branding

  • Language (35 languages available)

  • Which banner types appear

Common customizations:

  • Add company security team contact to banners

  • Translate to local languages


Core Concepts

Inline vs. API Deployment

Inline (INKY's approach):

  • Processes email before delivery to inbox

  • Pre-delivery prevention

  • Threats never reach inbox

  • Requires mail flow routing configuration

  • No MX changes needed (INKY-specific advantage)

API (competitors like Abnormal, Sublime):

  • Connects via API after email delivered

  • Post-delivery detection

  • Threats reach inbox, then remediated

  • Faster deployment (just API connection)

  • Exposure window before remediation (e.g. attacks whose links are armed after delivery)

INKY advantage: Inline protection without MX changes gives pre-delivery protection with fast deployment.

Time-of-Click Protection

Links in email are rewritten to route through INKY's safe analysis service. When the user clicks:

  1. INKY analyzes destination in real-time

  2. Checks link reputation (may have changed since email sent)

  3. Scans for malware, phishing indicators

  4. Either allows or blocks with warning

Why it matters: Threats evolve. A link that was safe when the email arrived may be malicious at click time.
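The link rewriting and click-time evaluation described in this section and under Link Analysis above, as an added example that is not INKY's implementation: the rewrite service URL, redirect chain, registration dates, blocklist and the 30-day "newly registered" threshold are constructed assumptions, and the redirect chain is simulated offline instead of being fetched.

```python
from datetime import date
from urllib.parse import parse_qs, quote, urlparse

# Constructed stand-ins for data a real click-time service looks up live (hypothetical).
REDIRECTS = {  # each hop's Location header, simulating a redirector chain
    "https://short.example/abc": "https://track.example/r?u=1",
    "https://track.example/r?u=1": "https://login-paypa1.example/verify",
    "https://news.example/go": "https://www.vendor.example/whitepaper",
}
REGISTERED = {"login-paypa1.example": date(2024, 11, 2)}   # WHOIS creation dates
BLOCKLIST = {"known-phish.example"}
MAX_HOPS = 5
TODAY = date(2024, 11, 10)   # fixed so the example is reproducible
REWRITER = "https://safe.example/click?u="   # hypothetical rewrite service

def rewrite(url: str) -> str:
    """Rewrite a link at delivery time so the click passes through the analysis service."""
    return REWRITER + quote(url, safe="")

def unwrap(rewritten: str) -> str:
    """Recover the original destination from a rewritten link."""
    return parse_qs(urlparse(rewritten).query).get("u", [rewritten])[0]

def resolve_chain(url: str) -> list:
    """Follow the simulated redirects for at most MAX_HOPS hops; returns every URL visited."""
    hops = [url]
    while url in REDIRECTS and len(hops) - 1 < MAX_HOPS:
        url = REDIRECTS[url]
        hops.append(url)
    return hops

def click_verdict(rewritten: str) -> tuple:
    """Re-evaluate the link now, not when the email arrived; returns (decision, reason)."""
    hops = resolve_chain(unwrap(rewritten))
    final, host = hops[-1], urlparse(hops[-1]).hostname or ""
    if host in BLOCKLIST:
        return "block", f"{host} is on the blocklist"
    if final in REDIRECTS:   # chain still going after MAX_HOPS redirects
        return "block", f"more than {MAX_HOPS} redirects hide the destination"
    created = REGISTERED.get(host)
    if created and (TODAY - created).days < 30:
        return "block", f"{host} was registered {(TODAY - created).days} days ago"
    if len(hops) > 1:
        return "warn", f"{len(hops) - 1} redirects before reaching {host}"
    return "allow", f"{host} has no known issues"
```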

Quarantine vs. Deliver with Banner

Quarantine:

  • Email held, not delivered to inbox

  • User can request release if needed

  • Used for high-confidence threats

Deliver with banner:

  • Email delivered with warning banner

  • User sees threat explanation

  • User decides whether to interact

  • Used for borderline cases

Philosophy: Empower users when possible, protect aggressively when necessary.

False Positives

What they are: Legitimate emails incorrectly flagged as threats

Impact: User frustration, loss of trust in system, possible missed business communication

How INKY minimizes:

  • Learning mode reduces first-time sender alerts

  • Allow lists exclude trusted senders

  • Behavioral analysis considers relationship history

  • User reports improve accuracy

When they occur: Tune the allow list and report the email as a false positive; INKY learns from the report.


Technical Details

Processing Time

Typical: Under 2 seconds per message
Complex analysis (attachments, multiple links): 2-5 seconds
User perception: No noticeable delay

Supported Platforms

Microsoft 365 (Office 365)

Google Workspace (G Suite)

Both platforms: Full feature parity

Deployment Architecture

No MX changes required:

  • INKY deploys behind existing mail infrastructure

  • No single point of failure

  • Business continuity maintained

  • Mail bypasses INKY if the service has issues

Mail flow: Email → Your MX → INKY processing → User inbox


Bottom Line: INKY uses multiple AI detection methods (computer vision, GenAI, behavioral analysis, link analysis, sender authentication) to catch sophisticated email threats. Transparent warning banners explain threats in plain language, building user trust and awareness. Choose Standard for basic protection, Professional for modern AI threats (most popular), or Advanced for complete email security including outbound protection. Deploy in 30 minutes without MX changes across Microsoft 365 or Google Workspace.