seszett | 2 days ago
It does. It's not obvious from the writing but Google actually sent this email to the attacker (who then redirected it mostly unchanged except for the To: header). The main content of the email is text used for the "App Name" field of the attacker's OAuth app. This explains why the screenshot of the email actually does look weird, with unlinked URLs and weird formatting. I'm pretty sure there is a lot more at the end of the email that makes it obvious it's not legitimate. But then I also understand how quite a few people wouldn't even get to the end.
aaronmdjones | 2 days ago
The attacker did not change the To: header. This would invalidate the DKIM signature and result in a DMARC fail and the message landing in Spam (or being rejected). You can receive e-mail with a To: header saying anything. It doesn't have to be you.
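
An added example, not part of either comment: a receiver-side check built on the point above that To: sits in the DKIM-signed header set while the SMTP envelope recipient does not. The sample message, addresses and function names are constructed for illustration, and a SHA-256 digest stands in for full RSA signature verification.

```python
import hashlib
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message; every address, domain and tag value is a placeholder.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sender.example;\r\n"
    " s=sel1; h=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    "From: Alerts <no-reply@sender.example>\r\n"
    "To: original@first.example\r\n"
    "Subject: Security alert\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 +0000\r\n"
    "\r\n"
    "body\r\n"
)

def dkim_tags(msg):
    """Parse the tag=value list of the first DKIM-Signature header."""
    raw = re.sub(r"\s+", "", msg.get("DKIM-Signature", ""))
    return dict(t.split("=", 1) for t in raw.split(";") if "=" in t)

def signed_header_digest(raw_message):
    """SHA-256 over the headers named in h=, in relaxed canonical form.
    Simplified stand-in for the data the DKIM signature covers."""
    msg = message_from_string(raw_message)
    names = dkim_tags(msg).get("h", "").lower().split(":")
    lines = []
    for name in names:
        # Relaxed canonicalization: unfold and collapse runs of whitespace.
        value = re.sub(r"\s+", " ", msg.get(name, "")).strip()
        lines.append(f"{name}:{value}\r\n")
    return hashlib.sha256("".join(lines).encode()).hexdigest()

def recipient_check(raw_message, rcpt_to):
    """Compare the SMTP envelope recipient (RCPT TO) with the To:/Cc: headers.
    A mismatch also occurs for Bcc and mailing lists, so treat it as one
    signal to weigh, not as proof of a replayed message."""
    msg = message_from_string(raw_message)
    signed = dkim_tags(msg).get("h", "").lower().split(":")
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    listed = {addr.lower() for _, addr in getaddresses(headers)}
    return {"to_is_signed": "to" in signed,
            "envelope_rcpt_in_headers": rcpt_to.lower() in listed}
```

Rewriting the To: line changes the digest, which is why the header has to be left alone for the signature to keep verifying, while the envelope recipient never enters the computation.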