cannolicannon 4 days ago
This sounds like a classic account recovery scam where the scammer uses Google's account recovery feature to gain access to the account. Once they have the 2FA code, they're in. This time the scammer used an account takeover as the pretense for needing the code.

As for the email, this blog post (https://sammitrovic.com/infosec/gmail-account-takeover-super...) from about a year ago notes that somehow scammers were/are using Salesforce to spoof emails from Google that appear legitimate. Seems like something similar happened here, but there's no way to be sure without the headers, which the scammer seemingly cleaned up.

The FTC reported that scam losses totaled 12.5 billion last year. These scams are elaborate and convincing even for folks who make a living in tech. (https://www.ftc.gov/news-events/news/press-releases/2025/03/...)

At any rate, sorry this happened OP. Stay safe, folks.