> Next, they create a Google OAuth application. For the name of the application, they enter the entire text of the Phishing message - newlines and all - followed by a lot of whitespace, and "Google Legal Support".

So the meat of the issue is.. Google allows very long oauth application display names, which can look like an email body when they send notifications about that application?

In Microsoft-land this field ("display name") is limited to 120 characters.