HELPDESK SCRIPT — INKY EMAIL SECURITY

System: INKY
Email Platform: Microsoft Exchange Online

🎯 PURPOSE

  • Reduce user confusion
  • Handle tickets quickly
  • Prevent unsafe clicks
  • Capture tuning feedback

🧠 QUICK TRIAGE (ASK FIRST)

When a user contacts you, ask:

  1. What happened?
    • “Was the email blocked, flagged, or just looked suspicious?”
  2. Who was it from?
    • Internal / vendor / unknown?
  3. What were you trying to do?
    • Open attachment, click link, reply, etc.

🚦 SCENARIO RESPONSES

🟢 1. “Why does this email have a banner?”

User says:

“This email has a warning on it.”

Response:

We recently added advanced email protection. The banner is there to help you quickly identify if something might be risky.

If you trust the sender and were expecting it, it’s usually fine—but avoid clicking links or attachments unless you’re sure.

Action:

  •  No ticket needed unless user unsure
  •  Log only if repeated complaints

🟡 2. “This looks suspicious—should I trust it?”

Response:

Good catch—thanks for checking. Let me verify it.

Steps:

  •  Look up message in INKY Observations
  • Check:
    • Sender domain
    • Links
    • Threat level

Outcome:

If SAFE:

This one is legitimate. The system flagged it cautiously. You’re okay to proceed.

→ [ ] Consider allow-listing domain

If SUSPICIOUS:

This one does look risky—please don’t click anything. We’ll block it across the system.

→ [ ] Block domain
→ [ ] Check if others received it

🔴 3. “An email I need was blocked or flagged incorrectly”

Response:

Thanks for flagging this—let’s fix it right away.

Steps:

  •  Identify sender domain
  •  Confirm legitimacy
  •  Add domain to allow list

User follow-up:

You should now receive future emails normally. Let us know if it happens again.

🚨 4. “I didn’t receive an expected email”

Response:

Let’s track that down—this is a priority.

Steps:

  •  Run message trace in Exchange
  •  Check INKY Observations
  • Determine:
    • Delivered?
    • Quarantined?
    • Blocked?

Outcome:

  • Fix immediately
  • Escalate if unclear

🔗 5. “A link isn’t working”

Response:

That may be due to link protection—let me check.

Steps:

  •  Test link yourself
  •  Check if rewritten
  •  Identify domain

Fix:

  •  Allow list domain if safe

📎 6. “Attachment won’t open”

Response:

Let me verify the file is safe first.

Steps:

  •  Check file type (.zip, .html, etc.)
  •  Check INKY classification

Fix:

  •  Allow if legitimate
  •  Educate user if risky

🚨 ESCALATE IMMEDIATELY IF:

  • Finance/payment emails affected
  • Executive reports missing email
  • Multiple users report same issue
  • Customer/vendor communication impacted

🧠 WHAT TO TELL USERS (CONSISTENT MESSAGE)

Use this wording:

We’ve added advanced email protection to help identify phishing and suspicious messages.

Not every warning means something is malicious—it just means “take a closer look.”

When in doubt, ask us before clicking.

⚡ 5-SECOND DECISION GUIDE (FOR TECHS)

Situation Action
Clearly malicious Block domain
Clearly legitimate Allow domain
Uncertain Leave flagged + monitor
Missing email Trace immediately
Exec/finance issue Escalate