Looks like the attacker set "legal@google.com" as expeditor name, so that's what showed on the author's phone, that's it.

▲

oliwarner 4 days ago | parent | next [-]

Which should trigger every automated alarm bell, as well as SPF/DKIM checks. Which is where this falls apart slightly because in my experience, Gmail is pretty alert about flagging basic things like this.

The headers uploaded are the report email being sent to Google, not the original incoming email. We still don't know how this was spoofed.

▲

karakot 4 days ago | parent | prev | next [-]

I just put it into subject and that's how it looks like in my inbox

https://imgur.com/a/Ki2cciH

minimal efforts, won't pass any scrutinity but someone panicking might miss it.

Thanks OP for the thread, very enlightening.

	▲	oliwarner 4 days ago \| parent [-]
		The screenshot in TFA shows the subject was "Recent Case Status" and the sender was Google <legal@google.com>. This wasn't as simple as a dodgy subject. I wonder how many people would fall for that though.

▲

cpncrunch 4 days ago | parent | prev [-]

What exactly is "expeditor name"?