[carodgers]

I don't understand. What combination of actions and app features allowed the scammer to send an email that is indicated to be from google's domain?

[davidscoville]

That's the big question. I've heard attackers have used Google's own tools like Google forms or Google cloud to send the email through Google's servers so it wasn't flagged. This is a major vulnerability that Google needs to fix. I'm quitting Google because I'm worried about other vulnerabilities like this.