> Next, they create a Google OAuth application. For the name of the application, they enter <i>the entire text of the Phishing message</i> - newlines and all - followed by a lot of whitespace, and "Google Legal Support".<p>So the meat of the issue is.. Google allows very long oauth application display names, which can look like an email body when they send notifications about that application?<p>In Microsoft-land this field ("display name") is limited to 120 characters.