Question

Why do targets (users) see a red or yellow warning banner when a phishing email arrives in the target's Gmail Inbox?

Answer

Some G Suite users may see the following alerts when they receive emails from Phishing. After you Safelist your phishing mail gateways in G Suite, you will also have to add the Phishing IP addresses as Inbound Gateways.

1. Log in to the Google Admin Console
2. Select the Apps icon
3. Click on the G Suite app icon
4. Click on the Gmail icon (the red M)
5. Scroll to the bottom of the page and click Advanced Settings
6. Select the organization's domain in the left column under General Settings
7. Scroll down to the Spam section and locate Inbound gateway.
8. Click the CONFIGURE button to the right of the page.
9. Click Edit.
10. On the Inbound gateway page, add the Phishing Simulation IPs to the IP addresses / ranges setting.

See Safelisting Guide  for a list of IP addresses.

1. Make sure Require TLS for connections from email gateways listed above is checked
2. Under Message Tagging, enter text for the Spam Header with a random string of unique characters in the Regexp field (Optional)
   • i.e. gsdghthryjjdfjfjdhj.
3. Make sure the radial button Message is spam if regexp matches is selected.(Optional)
4. Check the box for Disable Gmail spam evaluation on mail from this gateway; only use header value.(Optional)
5. Click Save.

Allow up to 24 hours for the configuration changes to propagate.