Gmail

Attackers used Gmail’s dot-alias quirk plus HTML in a device-name field to slip phishing links into messages that still passed sender checks.