TOP 10 INKY FALSE POSITIVES (CHEAT SHEET)

🎯 RULE #1 (FOR ALL BELOW)

👉 Allow by DOMAIN (not individual email)
👉 Verify first—don’t blindly allow


🟢 1. E-Signature Platforms

Common domains:

  • docusign.net
  • docusign.com
  • adobesign.com

Why flagged:

  • External sender + embedded links + urgency language

Helpdesk action:

  •  Confirm user was expecting it
  •  Allow domain if legitimate

🟢 2. Accounting / Finance Platforms

Common domains:

  • intuit.com
  • quickbooks.com
  • bill.com

Why flagged:

  • Payment language + invoice links = phishing-like

Action:

  •  Verify vendor
  •  Allow domain (finance-critical)

🟢 3. Payroll / HR Systems

Common domains:

  • adp.com
  • paychex.com
  • workday.com

Why flagged:

  • Credential prompts + external login links

Action:

  •  Confirm tenant-specific usage
  •  Allow domain

🟢 4. Cloud Storage / File Sharing

Common domains:

  • dropbox.com
  • box.com
  • sharepointonline.com

Why flagged:

  • “You’ve been shared a file” = classic phishing pattern

Action:

  •  Confirm sender
  •  Allow domain (very common)

🟢 5. Ticketing / Support Systems

Common domains:

  • zendesk.com
  • freshservice.com
  • servicenow.com

Why flagged:

  • Automated emails + links + external domain

Action:

  •  Confirm internal system integration
  •  Allow domain

🟢 6. Marketing / Bulk Email Platforms

Common domains:

  • mailchimp.com
  • sendgrid.net
  • hubspotemail.net

Why flagged:

  • Bulk send + tracking links

Action:

  •  Verify legitimate sender
  •  Allow selectively (not blanket all marketing)

🟢 7. Banking / Payment Notifications

Common domains:

  • chase.com
  • bankofamerica.com
  • stripe.com

Why flagged:

  • Financial urgency + links

Action:

  •  DOUBLE verify (high-risk spoof target)
  •  Allow only after confirmation

🟢 8. Shipping / Logistics

Common domains:

  • ups.com
  • fedex.com
  • usps.com

Why flagged:

  • “Package delivery” = top phishing theme

Action:

  •  Confirm user expecting shipment
  •  Allow domain cautiously

🟢 9. Internal Systems (Big One for You)

Examples:

  • SAP notifications
  • Monitoring tools (SolarWinds, Nagios, etc.)
  • Backup alerts

Why flagged:

  • Automated + HTML-heavy + sometimes spoof-like

Action:

  •  Identify sending domain/IP
  •  Allow domain immediately

👉 This is the #1 enterprise false-positive source


🟢 10. Calendar / Meeting Systems

Common domains:

  • zoom.us
  • teams.microsoft.com
  • webex.com

Why flagged:

  • External invites + embedded join links

Action:

  •  Allow domain
  •  Very common + low risk if verified

🚨 RED FLAGS (DO NOT AUTO-ALLOW)

Even if it looks like the above, DO NOT allow if:

  • Domain is slightly off:
    • docusign-secure.net
    • paypaI.com (capital i)
  • User wasn’t expecting it
  • Urgency + payment request
  • New sender + finance-related

👉 These are real phishing attempts


⚡ HELPDESK QUICK DECISION TABLE

Situation                     | Action
------------------------------+--------------
Known vendor + expected       | Allow domain
Known vendor + unexpected     | Verify first
Slightly misspelled domain    | BLOCK
Finance-related + unusual     | ESCALATE
Internal system flagged       | Allow domain
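
The red flags and the decision table above, sketched as an added example (not part of the original cheat sheet or of INKY): it separates allow-listed domains from "slightly off" ones before picking an action. The function names, the sample ALLOWED set (including paypal.com), the last-two-labels rule, the 0.85 similarity threshold and the choice to escalate finance mail ahead of "verify first" are all assumptions.

```python
from difflib import SequenceMatcher

# Constructed sample allow list: domains from this cheat sheet, plus paypal.com
# as the assumed legitimate counterpart of the "paypaI.com" red flag.
ALLOWED = {"docusign.net", "docusign.com", "intuit.com", "adp.com", "paypal.com"}

# Fold characters that are easily mistaken for each other (not exhaustive).
_FOLD = str.maketrans("i1|0", "lllo")

def skeleton(domain):
    """Lower-case the domain and collapse look-alike characters."""
    return domain.lower().translate(_FOLD)

def registered(domain):
    # Assumption: registered domain = last two labels (no public suffix list).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def classify_domain(domain, allowed=ALLOWED):
    """Return 'known', 'lookalike' or 'unknown' for a sender domain."""
    reg = registered(domain)
    if reg in allowed:
        return "known"                       # exact domain or a subdomain of it
    label = reg.split(".")[0]
    for good in allowed:
        brand = good.split(".")[0]
        if skeleton(reg) == skeleton(good):  # paypaI.com style character swap
            return "lookalike"
        # docusign-secure.net style padding; short brands are skipped
        # because they match too many unrelated names.
        if len(brand) >= 5 and brand in label:
            return "lookalike"
        if SequenceMatcher(None, reg, good).ratio() >= 0.85:  # small misspelling
            return "lookalike"
    return "unknown"

def triage(domain, expected, finance=False, internal=False):
    """Map a flagged message to an action from the quick decision table."""
    kind = classify_domain(domain)
    if kind == "lookalike":
        return "BLOCK"
    if internal:                             # sending domain already identified
        return "ALLOW DOMAIN"
    if finance and (kind == "unknown" or not expected):
        return "ESCALATE"
    if kind == "known":
        return "ALLOW DOMAIN" if expected else "VERIFY FIRST"
    return "VERIFY FIRST"                    # unknown sender: never auto-allow
```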

🧠 PRO TIP (HIGH VALUE)

Build your “early allow list” BEFORE pilot expansion:

Start with:

  • Finance platforms
  • HR/payroll
  • Internal systems
  • Ticketing

👉 This eliminates 80% of false positives upfront