INKY strengthens your email defenses with a unified Internal Name Spoofing Detection feature. By combining deep directory ingestion, automated lifecycle visibility, and adaptive threat banners, you’ll reduce false positives while staying ahead of advanced impersonation attempts across your entire organization.
Internal Name Spoofing Detection
What changed:
- Deep Directory Integration: INKY now ingests and indexes the first names, last names, and email addresses of all licensed, enabled mailboxes in your Microsoft 365 Entra or Google Workspace directory.
- Automated User Lifecycle Tracking: Every mailbox user is tracked—when an account is disabled or deleted, its profile stays in the spoofing index for 30 days before automatic removal.
- Adaptive Threat Categories: Internal Name Matches surface with a Caution banner by default to minimize noise; if additional threat indicators (e.g., anomalous sending IP or suspicious attachments) are detected, alerts escalate to Danger.
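The matching, 30-day retention and Caution-to-Danger escalation listed above, sketched as an added Python example: this is not INKY's code, and the record shape, the name normalization and the `classify` helper are assumptions made for illustration. The sample directory, addresses and clock are constructed.

```python
import re
import unicodedata
from dataclasses import dataclass
from datetime import datetime, timedelta
from email.utils import parseaddr
from typing import Optional

RETENTION = timedelta(days=30)  # from the page: removed 30 days after disable/delete

@dataclass
class DirectoryUser:  # hypothetical record shape, not a vendor schema
    first: str
    last: str
    email: str
    disabled_at: Optional[datetime] = None

def name_key(name: str) -> tuple:
    """Order- and case-insensitive key, so "Smith, John" equals "john smith"."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return tuple(sorted(re.findall(r"[^\W\d_]+", folded)))

def build_index(users, now: datetime) -> dict:
    """Map name key -> legitimate addresses, keeping disabled users for RETENTION."""
    index = {}
    for u in users:
        if u.disabled_at and now - u.disabled_at >= RETENTION:
            continue  # past the retention window: no longer protected
        index.setdefault(name_key(f"{u.first} {u.last}"), set()).add(u.email.lower())
    return index

def classify(from_header: str, index: dict, indicators=()) -> Optional[str]:
    """Return None, "Caution" or "Danger" for one From: header."""
    display, addr = parseaddr(from_header)
    key = name_key(display)
    if not key or key not in index:
        return None  # display name is not an internal user's name
    if addr.lower() in index[key]:
        return None  # the user's own address; sender authentication is a separate check
    return "Danger" if indicators else "Caution"

# Constructed sample directory and clock
NOW = datetime(2025, 4, 29)
USERS = [
    DirectoryUser("John", "Smith", "john.smith@corp.example"),
    DirectoryUser("Emily", "Johnson", "emily.johnson@corp.example", NOW - timedelta(days=10)),
    DirectoryUser("Old", "Timer", "old.timer@corp.example", NOW - timedelta(days=31)),
]
INDEX = build_index(USERS, NOW)

if __name__ == "__main__":
    print(classify('"Smith, John" <billing@mail.example>', INDEX))
```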
Why it matters:
- Comprehensive Coverage: Stops attackers who impersonate users, even with common name combinations like “John Smith” or “Emily Johnson.”
- Lifecycle Resilience: Ensures protection during offboarding transitions, preventing blind spots when accounts are disabled or removed.
- Prioritized Triage: Adaptive banners reduce alert fatigue by highlighting only high-risk impersonation attempts for immediate action.
Usage notes:
- This feature is disabled by default. To enable it, navigate to Analysis → INKY and toggle Enable internal name spoofing checks.
- You can enable it at the team level, or at the organization level for global enforcement.
- Ensure Domain and Directory Access are granted under API Access → INKY before enabling.
- Lifecycle events sync hourly; disabled accounts are cleared after 30 days.
Written by Matt Sywulak on April 29, 2025