Scammers can bypass your Google Workspace Safety Checks

A major source of headache for system administrators these days, and has been for some time, is the uptick in phishing messages that fake the sender address so it appears to be from someone within your organization. If you are like me, this is one of the things that keeps you awake at night. Organizations using Google Workspace can take advantage of a safety feature that purports to prevent this from reaching users. You can access its settings from within the admin console under Apps->Gmail->Settings->Safety.

Unfortunately, there are still a ton of legit e-mail servers that don't authenticate, so that safety feature is not going to be very helpful.  However you can enable the checks that detect someone trying to send a message with an employee's e-mail address, your domain (or a variation on it) or even an employee's name.  These are very common attacks, and such checks regularly prevent nefarious messages from reaching our end users.  

The problem is, due to a poorly-planned filter architecture on Google's part, this whole mechanism can be bypassed, allowing a spoofed message to end up in a spam queue that is managed by an end-user.  

Google Workspace Filter Architecture places spam filters and queues ahead of "safety features" such as spoof checks.

As you can see in the diagram above, the spoof checks are effectively circumvented when they are sent to a group.  A moderator will see the message in the group's spam queue, AKA "Pending messages".  If they approve the message, it will then go through the safety checks, but by then the group manager has already seen it, and may act on it.