Gmail phishing follow-up rule draft

Date: 2026-04-13
Owner: Ops / Uttam
Purpose: Reduce incoming marketing-style phishing and capital-raise spam that is not covered by sender-domain blocking alone.

What the screenshots suggest

The message is external and uses a Brainforge-targeted pitch:

  • “Brainforge - Your Growth Zone LLC”
  • capital-raising language
  • repeated sales framing
  • likely a campaign sender rather than a one-off sender-domain problem

This is the kind of mail that is better handled with a mix of:

  • Gmail Safety
  • Gmail Compliance
  • user reporting / investigation tooling

Turn these on at the org level first:

  • Gmail Safety advanced phishing and spoofing protections
  • Gmail Safety link and external image protection
  • Gmail Safety attachment scanning / Security Sandbox where available

Google documents that these protections can be tailored by organizational unit and that messages with suspicious or untrustworthy characteristics can be pushed to Spam with warnings. See:

Rule set

1. Review-first quarantine rule for capital-raise pitch language

Location: Gmail > Compliance > Content compliance
Scope: Inbound mail only
Action: Quarantine

Match strategy:

  • Match on Subject
  • Match on Body
  • Use a regex / phrase set that catches capital-raise language

Suggested phrases / patterns:

  • searching for more capital
  • raise
  • funding
  • investors?
  • term sheet
  • bridge
  • up to 5M
  • no hard pulls
  • P&L
  • personal assets
  • working capital

Why quarantine first: Google recommends using quarantine to verify content matches before switching to harsher actions.

2. Review-first quarantine rule for impersonation / brand-pivot mail

Location: Gmail > Compliance > Content compliance
Scope: Inbound mail only
Action: Quarantine

Match strategy:

  • Subject or Body
  • words like Brainforge, Growth Zone, LLC, and similar impersonation variants when paired with external sender metadata

Suggested trigger shape:

  • Brainforge + LLC
  • Brainforge + capital
  • Brainforge + funding
  • Brainforge + investor

This is better than a raw block because the same phrase could be used in a legitimate internal thread.
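
Before enabling rules 1 and 2, the phrase set can be dry-run offline to see which patterns fire on ordinary mail. The sketch below is an added example, not part of the original draft or of any Google tooling. It uses Python's re module as a stand-in for the Gmail matcher (assumed to agree on these simple constructs); the sample messages and the external flag are constructed for illustration.

```python
import re

# Rule 1 phrases as listed in this draft ("investors?" is already a regex).
RULE1_PHRASES = [
    r"searching for more capital", r"raise", r"funding", r"investors?",
    r"term sheet", r"bridge", r"up to 5M", r"no hard pulls", r"P&L",
    r"personal assets", r"working capital",
]
# \b stops "raise" matching inside "praise"; \s+ tolerates wrapped lines.
RULE1 = re.compile(
    r"\b(" + "|".join(p.replace(" ", r"\s+") for p in RULE1_PHRASES) + r")\b",
    re.IGNORECASE,
)
# Rule 2 trigger shape: brand name plus one pairing term, external mail only.
BRAND = re.compile(r"\bbrainforge\b", re.IGNORECASE)
PAIR = re.compile(r"\b(LLC|capital|funding|investors?)\b", re.IGNORECASE)

# Constructed samples: (label, subject, body, external sender?)
SAMPLES = [
    ("spam", "Brainforge - Your Growth Zone LLC",
     "We help firms searching for more capital, up to 5M, no hard pulls.", True),
    ("benign", "Invoice query",
     "Can you raise a ticket with the bridge team about Q3 funding codes?", True),
    ("benign", "Brainforge LLC filing",
     "Annual report for Brainforge LLC is due Friday.", False),
    ("benign", "Thanks", "High praise for the new bridgehead design.", True),
]

def evaluate(subject, body, external):
    """Return the rule 1 phrases that hit and whether rule 2 would fire."""
    text = f"{subject}\n{body}"
    hits = sorted({" ".join(m.group(1).lower().split()) for m in RULE1.finditer(text)})
    rule2 = external and bool(BRAND.search(text)) and bool(PAIR.search(text))
    return {"rule1": hits, "rule2": rule2}

def noisy_phrases(samples):
    """Rule 1 phrases that fire on mail labelled benign: candidates to tighten."""
    noisy = set()
    for label, subject, body, external in samples:
        if label == "benign":
            noisy.update(evaluate(subject, body, external)["rule1"])
    return sorted(noisy)

if __name__ == "__main__":
    for label, subject, body, external in SAMPLES:
        print(label, "|", subject, "|", evaluate(subject, body, external))
    print("noisy phrases:", noisy_phrases(SAMPLES))
```

On these samples the single-word patterns (raise, bridge, funding) are the ones that hit benign mail, while the multi-word phrases and the brand pairing do not.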

3. Hard block rule for known bad sender infrastructure

Location: Gmail > Compliance > Content compliance
Scope: Inbound mail only
Action: Reject after quarantine verification

Approved sender domains already blocked:

Keep excluded:

  • braintrustdata.com
  • trustvicinity.com
  • leoluna.finance
  • default.com

4. Reply-to / header signature rule

Location: Gmail > Compliance > Content compliance
Scope: Inbound mail only
Action: Quarantine

Match strategy:

  • Full headers
  • look for repeated Reply-To domains and campaign headers from the same spam family

This is the next useful layer when sender domains rotate but the infrastructure stays the same.

Confidence / rollout

  1. Start with Quarantine.
  2. Watch false positives for 7 days.
  3. Move stable infrastructure rules to Reject.
  4. Keep phrase-based rules on quarantine unless they are clean over multiple cycles.

Notes from Google docs

  • Content compliance rules support simple matches, advanced matches, metadata matches, and predefined detectors.
  • Gmail can scan message body text and extracted attachment text.
  • Compliance rules can Reject, Quarantine, or Deliver with modifications.
  • Changes can take up to 24 hours, though they usually land sooner.

References: