Question
Why do targets (users) see a red or yellow warning banner when a Phishing email arrives in the target's Inbox?
Answer
Some GSuite users may see the following alerts when they receive Phishing emails. Although you may have Safelisted the Phishing mail server IP addresses in GSuite, you will also have to add the Phishing IP addresses as Inbound Gateways.
- Log in to the Google Admin Console
- Select the Apps icon
- Click on the GSuite app icon
- Click on the Gmail icon (the red M)
- Scroll to the bottom of the page and click Advanced Settings
- Select the organization's domain in the left column under General Settings
- Scroll down to the Spam section and locate Inbound gateway.
- Click the CONFIGURE button to the right of the page.
- Click Edit.
- On the Inbound gateway page, add the IPs to the IP addresses / ranges setting. (See Safelisting Guide for a list of IP addresses)
- Make sure Require TLS for connections from email gateways listed above is checked.
- Under Message Tagging, enter text for the Spam Header with a random string of unique characters in the Regexp field (Optional)
- i.e. gsdghthryjjdfjfjdhj.
- Make sure the radial button Message is spam if regexp matches is selected.(Optional)
- Check the box for Disable Gmail spam evaluation on mail from this gateway; only use header value. (Optional)
- Click Save