Yeah, that part doesn't add up. If the email was sent by the attacker, why did it have a code he needed to give the attacker?

▲

davidscoville 4 days ago | parent | next [-]

Yes, at least two emails. One was the spoofed email from legal@google.com (which sadly convinced me this was legit) and the other was a Google recovery code email.

The spoofed email was deleted by the attacker, but I have a copy because I forwarded the email to phishing@google.com (something ChatGPT told me to do). The attacker then deleted the original but when I got my account back an hour later, Google bounced back the email. So that is the copy I have and the headers are not super helpful.

	▲	blactuary 4 days ago \| parent \| next [-]
		"(something ChatGPT told me to do)" You're going to get hacked again
	▲	digianarchist 4 days ago \| parent \| prev \| next [-]
		Any check mark? https://www.thesslstore.com/blog/wp-content/uploads/2023/05/... Edit: I searched my email and it doesn't look like they are doing this at all with their accounts. Edit II: Looks like it's on hold: https://blog.kickbox.com/gmail-bimi-exploit-what-you-need-to...
	▲	furyofantares 4 days ago \| parent \| prev \| next [-]
		That makes sense, thanks for the clarification.
	▲	4 days ago \| parent \| prev \| next [-]
		[deleted]
	▲	thebytefairy 4 days ago \| parent \| prev [-]
		What was the process for getting your account back?

▲

wmf 4 days ago | parent | prev [-]

I think the attacker asked him to read an SMS code.

	▲	4 days ago \| parent [-]
		[deleted]