"How the Attack works
According to Check Point’s report, this newly discovered campaign uses a tool called Google Cloud Application Integration. This service is normally used by companies to set up workflow automation, like sending automatic alerts. However, scammers have found a way to use this feature to send emails directly from a legitimate Google address: noreply-application-integration@google.com.
Because the emails come from a real Google domain, they easily bypass traditional security filters. Probing further, researchers found that the messages usually look like standard office notifications, claiming you have a new voicemail or need to view a “Q4” file. As we know it, such content makes the emails look like “routine enterprise notifications,” which is why so many people trust them."
Ouch. In retrospect, that seems like something that should have been locked down.
According to the article, 9000 emails were sent, so not a huge campaign but a very effective one.