Lorenzo Franceschi-Bicchierai, reporting for Motherboard:

The “Change Password” button linked to a short URL from the Tiny.cc link shortener service, a Bitly competitor. But the hackers cleverly disguised it as a legitimate link by using Google’s Accelerated Mobile Pages, or AMP. This is a service hosted by the internet giant that was originally designed to speed up web pages on mobile, especially for publishers. In practice, it works by creating a copy of a website’s page on Google’s servers, but it also acts as an open redirect.

According to Citizen Lab researchers, the hackers used Google AMP to trick the targets into thinking the email really came from Google.

“It’s a percentage game, you may not get every person you phish but you’ll get a percentage,” John Scott-Railton, a senior researcher at Citizen Lab, told Motherboard.

So if the victim had quickly hovered over the button to inspect the link, they would have seen a URL that starts with google.com/amp, which seems safe, and it’s followed by a Tiny.cc URL, which the user might not have noticed. (For example: https://www.google[.]com/amp/tiny.cc/63q6iy)
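The open-redirect pattern described above is easy to check for mechanically. As an added illustration (not code from the Motherboard article, Citizen Lab, or Google), the Python below unwraps a google.com/amp/... link to expose the destination the wrapper hides and flags it when that destination is a link shortener, which is what a mail filter or a careful hover-inspection would want to know. The shortener watch-list beyond tiny.cc and the sample email links are constructed for the example; the `s/` marker for https destinations follows Google's AMP viewer URL convention.

```python
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Hosts whose /amp/ path acts as the open redirect discussed in the article.
AMP_VIEWER_HOSTS = {"google.com", "www.google.com"}

# Constructed watch-list of link shorteners. tiny.cc comes from the article;
# the remaining entries are assumptions a team would tune to its own data.
SHORTENER_HOSTS = {"tiny.cc", "bit.ly", "tinyurl.com", "t.co"}


def refang(url: str) -> str:
    """Undo the '[.]' defanging used in the article so the URL parses normally."""
    return url.replace("[.]", ".")


def unwrap_amp(url: str) -> Optional[str]:
    """Return the destination hidden inside a google.com/amp/... URL, else None.

    AMP viewer paths take the form /amp/<host>/<path> for an http destination
    or /amp/s/<host>/<path> for an https one (the 's/' segment is Google's
    marker for https). The viewer's own query string is ignored here.
    """
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    if host not in AMP_VIEWER_HOSTS or not parts.path.startswith("/amp/"):
        return None
    rest = parts.path[len("/amp/"):]
    scheme = "http"
    if rest.startswith("s/"):
        scheme, rest = "https", rest[2:]
    dest_host, _, dest_path = rest.partition("/")
    if not dest_host:
        return None
    return f"{scheme}://{dest_host}/{dest_path}"


def classify(url: str) -> str:
    """Verdict for a single link: what the google.com/amp prefix is really pointing at."""
    dest = unwrap_amp(url)
    if dest is None:
        return "no AMP wrapper"
    dest_host = (urlsplit(dest).hostname or "").lower()
    if dest_host in SHORTENER_HOSTS:
        # A trusted-looking Google host redirecting into a shortener is the
        # disguise the phishing campaign relied on; surface it loudly.
        return f"suspicious: AMP wrapper hides shortener {dest_host} -> {dest}"
    return f"AMP wrapper -> {dest}"


def scan_links(links: List[str]) -> List[Tuple[str, str]]:
    """Classify every link pulled from a message body; returns (url, verdict) pairs."""
    return [(link, classify(link)) for link in links]


if __name__ == "__main__":
    # Constructed sample of links as they might appear in a "Change Password" email.
    # The first is the defanged example quoted in the article.
    sample_links = [
        "https://www.google[.]com/amp/tiny.cc/63q6iy",
        "https://www.google.com/amp/s/example.com/news/story",
        "https://accounts.google.com/signin/recovery",
    ]
    for link, verdict in scan_links(sample_links):
        print(f"{link}\n    {verdict}")
```

Hovering shows the user only the leading google.com/amp; this check reads past it. Note that the host test is exact, so a lookalike such as google.com.example.net is not unwrapped at all and would need a separate homograph or lookalike check.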