Crooks Bypassed Google’s Email Verification to Create Workspace Accounts, Acces

Google recently fixed an authentication vulnerability that allowed scammers to bypass email verification and create Google Workspace accounts to impersonate domain holders in third-party applications that use “Sign in with Google”. This small-scale abuse campaign affected a few thousand Workspace accounts, and Google blocked potentially malicious accounts. Anu Yamunan stated that the malicious activity started in late June and that attackers used a specially constructed request to bypass email verification during account sign-up. Google has since added extra detection measures to prevent these authentication bypasses. The company confirmed that no abuse occurred within Google services; the attackers instead sought to impersonate domain holders on other online platforms.

https://krebsonsecurity.com/2024/07/crooks-bypassed-googles-email-verification-to-create-workspace-accounts-access-3rd-party-services/
