Phishers abuse Google OAuth to spoof Google in DKIM replay attack
Almost everything looked legitimate and Google even placed it with other legitimate security alerts, which would likely trick less technical users that don’t know where to look for the signs of fraud.