I had read of this attack back in September[1]. It seems very sophisticated because they spoof a phone number that at first glance is associated with Google, but is really just the “uncanny-valley” Google Assistant service that can check wait times or make reservations on your behalf.

Does Google even offer live-person support if you’re not their Workspace customer?

Also, one other difference is that apparently the attackers may have been using Salesforce to send the emails. Maybe they were using a trial or developer edition? I believe those can send out emails too, but they are very limited. So this must be a very targeted kind of attack. The scary part is that the attacker’s emails pass SPF, DKIM, and DMARC. There’s a technical write-up I found about this aspect of the attack.[2]

[1]: https://sammitrovic.com/infosec/gmail-account-takeover-super...

[2]: https://docs.google.com/document/d/1xrJsRBcGj9x2mMvRoKLG4ANS...
