One problem I have with the current 2FA on Google Apps is that there is no way to enforce 2FA for all users before everyone sets up their mobile device. If you've set the requirement for all to have 2FA, then new users can never log in.
You're then left in this limbo of some with/some without 2FA, and unless you actively pursue those without it set up, you can never change that system-wide setting in the control panel.
This is a serious problem, but they do have a workaround. You put new users in an "exception group" that doesn't require two-factor auth. Then after they set it up you take them out of the group. It's better than nothing:
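The enforce-first lockout and the exception-group workaround described in the comment above, modelled in Python as an added example. This is not Google's code and not a real Admin API; the `Policy`/`User` names, the helper functions, and the model rule that an enrolled user always needs a second factor are assumptions of the model.

```python
from dataclasses import dataclass, field

# Constructed model of domain-wide 2FA enforcement with an exception group.
# Assumption: not Google's code and not a real Admin API; names are illustrative.


@dataclass
class Policy:
    enforce_2fa: bool = False                            # the domain-wide "require 2FA" switch
    exception_group: set = field(default_factory=set)    # users exempt from enforcement


@dataclass
class User:
    name: str
    enrolled: bool = False                               # a second factor is registered on a device


ALLOWED = "allowed"
DENIED = "denied"
LOCKED_OUT = "locked_out"   # cannot log in at all, so cannot enrol a device either


def login(user, policy, password_ok, second_factor_ok=False):
    """Decide one login attempt under the policy.

    password_ok: the presented password was correct (true for a phished one too).
    second_factor_ok: a valid one-time code was also presented.
    """
    if not password_ok:
        return DENIED
    if user.enrolled:
        # Model assumption: an enrolled user is always challenged for the second
        # factor, so a password alone (e.g. phished) is not enough.
        return ALLOWED if second_factor_ok else DENIED
    if policy.enforce_2fa and user.name not in policy.exception_group:
        # Enforcement is on but nothing is enrolled yet: the "limbo" case.
        return LOCKED_OUT
    return ALLOWED


def onboard(user, policy):
    """Workaround step 1: exempt the new user so they can log in and enrol."""
    policy.exception_group.add(user.name)


def complete_enrollment(user, policy):
    """Workaround step 2: once enrolled, drop the user from the exception group."""
    user.enrolled = True
    policy.exception_group.discard(user.name)


def unenrolled_users(users):
    """The people an admin still has to chase before the exception group can go."""
    return sorted(u.name for u in users if not u.enrolled)


def safe_to_enforce(users):
    """True only if flipping the switch would lock nobody out."""
    return all(u.enrolled for u in users)


def demo():
    policy = Policy(enforce_2fa=True)
    alice = User("alice", enrolled=True)
    bob = User("bob")                       # constructed new hire, nothing enrolled
    results = {}
    results["new_user_no_exception"] = login(bob, policy, password_ok=True)
    results["safe_before_onboarding"] = safe_to_enforce([alice, bob])
    onboard(bob, policy)
    results["new_user_in_exception"] = login(bob, policy, password_ok=True)
    results["still_to_chase"] = unenrolled_users([alice, bob])
    complete_enrollment(bob, policy)
    results["phished_password_only"] = login(bob, policy, password_ok=True)
    results["password_plus_code"] = login(bob, policy, True, second_factor_ok=True)
    results["exception_group_after"] = sorted(policy.exception_group)
    results["safe_after_enrollment"] = safe_to_enforce([alice, bob])
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

`unenrolled_users` is the check the thread says you need to keep running: the exception group is only safe to retire once that list is empty.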
It would have stopped someone with a phished GApps credential from logging in to Google with it, though.
It sounds like one prong of the attack was to gain access to one employee's email, then use that account to send phishing emails to other employees. 2FA would have stopped that.
You're completely right. I was too focused on the fact that 2FA doesn't text you every time you log in, meaning a 2FA user wouldn't find a Google login prompt without a text code requirement abnormal. They couldn't log in from their own machines - that's the whole point! Silly me.
The attacker (most likely) wouldn't know the phone number, so the user would have to recognize that the text prompt isn't displaying the last 4 digits of their phone number like it usually does. Then again, if you're already oblivious to the fact you're not on an official google login form, it's completely possible to miss that as well.