Attackers send emails to Gmail accounts. The email appears to come from a known individual and prompts the recipient to open an embedded image that has been crafted to look like a PDF attachment. Clicking on the image, one would expect a preview to pop up; instead a new tab opens, prompting for a Gmail sign-in again. The tab looks very much like the real thing, but it belongs to a fake login site.
If one logs in, one ends up handing one's login and password to cyber criminals, who then use the account to send out the same message to all of one's contacts. The process is very quick, suggesting it is automated.
The cyber criminal now has access to the compromised account, its emails, calendar and contacts, and can download the lot for later analysis or machine learning to build a better profile.
The only protection is to be aware of the trick and not log in when the image appears. The site Have I Been Pwned, run by Troy Hunt, can allegedly check whether an email address has been compromised.
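Since the fake sign-in tab is built to look like the real one, the only thing a user (or a browser extension, or a proxy log review) can actually verify is the address shown for it. The following is an added example, not code from the original article or from Google; it encodes what a genuine Google sign-in address must look like and rejects the look-alike forms a phishing page relies on (the set of sign-in hosts is an assumption for this example).

```python
from urllib.parse import urlsplit

# Assumed for this example: the host Google uses for account sign-in.
GOOGLE_SIGNIN_HOSTS = {"accounts.google.com"}


def is_genuine_google_signin(url: str) -> bool:
    """Return True only if `url` is an https page on a real Google sign-in host.

    Rejects the forms a look-alike page tends to use:
    - non-https schemes (http, data, javascript), even when the URL text
      contains "accounts.google.com" somewhere inside it;
    - hosts that merely contain the real name as a prefix or fragment
      (accounts.google.com.example.net, accounts-google.com);
    - user-info tricks that put the real name before an @ sign
      (https://accounts.google.com@evil.example/).
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        # Malformed URL (e.g. broken IPv6 literal): treat as not genuine.
        return False
    if parts.scheme.lower() != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    # .hostname is already lower-cased and has any port stripped.
    host = (parts.hostname or "").rstrip(".")
    return host in GOOGLE_SIGNIN_HOSTS


def classify(urls):
    """Map each address to 'genuine' or 'suspect'; used for review of a batch."""
    return {u: ("genuine" if is_genuine_google_signin(u) else "suspect") for u in urls}


# Constructed sample addresses (not taken from any real incident).
SAMPLE_URLS = [
    "https://accounts.google.com/ServiceLogin?continue=https://mail.google.com/",
    "http://accounts.google.com/ServiceLogin",
    "data:text/html,https://accounts.google.com/ServiceLogin",
    "https://accounts.google.com.example.net/ServiceLogin",
    "https://accounts.google.com@evil.example/ServiceLogin",
]

if __name__ == "__main__":
    for url, verdict in classify(SAMPLE_URLS).items():
        print(f"{verdict:8} {url}")
```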
Google said in a statement to Wordfence, “We’re aware of this issue and continue to strengthen our defences against it. We help protect users from phishing attacks in a variety of ways, including machine learning-based detection of phishing messages, Safe Browsing warnings that notify users of dangerous links in emails and browsers, preventing suspicious account sign-ins, and more. Users can also activate two-step verification for additional account protection.”