Looks really wide. It hit our org too. Though in our case, we don't use Google accounts internally, and hence it isn't a threat to us.

And it looks like Google is responding. The link in the emails no longer works, as the OAuth credentials have been revoked. I assume Google will be removing all the applicable app permission grants themselves.

Very. Convincing and nicely coded to spread.

Thankfully, the attack method means Google just has to shut off the app in their systems (which they appear to have done).