Not sneaky but thorough. With TSM, we had one malware which went out and deleted the backup copies and another that touched all the files and ran backups multiple times to make sure the original data was gone. When lots of money is involved you should expect that developers will have taken backup strategies into account - they are usually one step ahead of you.

The subject was "XXXX has shared a document on Google Docs with you". That is the exact subject format for legit use of Google Docs sharing. The To in the body was "hhhhhhhhhhhhhhhh@mailinator.com" - that should have been the giveaway. I believe most if not all email clients will display this string (my Outlook will) - however, if the phishing program had used the name from the address book (it already had the email address from the address book) then this would have fooled ever more people.

A phish that uses a legitimate login page has to be a first. From what I've seen, anti-phishing education stresses distinguishing between fake and real login pages - that education is useless in this case. This seems to be a major flaw in how the google authentication page is designed. They may have patched this particular case but doesn't the underlying problem still exist?