Generally, you can tell a phishing attack from bad grammar and spelling, or a fishy URL (sorry, I couldn't resist).
This time, it's different:
"An email lands in the target inbox from the hacked address, and here's where it gets tricky: The phishing email uses a legitimate subject line, text, and attachments from emails already sent by that account, making it look completely legitimate.
The phishing email comes with an "attachment" that is actually a screenshot of an attachment sent by that account in the past, like a spreadsheet or a PDF, for example. The trick is that the fake attachment screenshot is an embedded image with a link in it that takes the victim to what looks like a Google login page.
Thinking they need to re-authorize their account to view the attachment, the user logs in, and their account is now in the hands of hackers. The cycle starts all over again—just one compromised account has the potential to affect dozens more." - TechRepublic
Luckily, it isn't perfect. "There's just one exception, and it's the key to avoiding it: The URL is preceded by "data:text/html." That prefix is telling your web browser to treat the document at the phishing website as HTML, which in turn is generating an address that looks just like a real Google login page, complete with the appropriate URL. The second you log in hackers have access to your account, and victims have said they're taking advantage of it right away." (ibid).
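The same tell can be checked before a message reaches an inbox. The following is an added example, not code from TechRepublic or from this post: a small Python audit that walks an email's HTML body and reports every link whose target is a `data:` URI, noting whether the link wraps an image the way the fake attachment does. The function names and the sample body are constructed for illustration.

```python
from html.parser import HTMLParser

def data_media_type(href):
    """Return the media type if href is a data: URI, otherwise None."""
    # Browsers drop tabs/newlines, trim surrounding whitespace, ignore scheme case.
    cleaned = "".join(c for c in href if c not in "\t\r\n").strip()
    if not cleaned.lower().startswith("data:"):
        return None
    header = cleaned[len("data:"):].split(",", 1)[0]
    # RFC 2397: an omitted media type means text/plain.
    return header.split(";", 1)[0].strip().lower() or "text/plain"

class LinkAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.current = None   # state of the <a> element currently open
        self.findings = []    # (media_type, wraps_image, href)

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.current = {"href": dict(attrs).get("href") or "", "img": False}
        elif tag == "img" and self.current is not None:
            self.current["img"] = True   # clickable image, like the fake attachment

    def handle_endtag(self, tag):
        if tag == "a" and self.current is not None:
            media = data_media_type(self.current["href"])
            if media is not None:
                self.findings.append((media, self.current["img"], self.current["href"]))
            self.current = None

def audit_email_html(body):
    parser = LinkAudit()
    parser.feed(body)
    parser.close()
    return parser.findings

# Constructed sample body: one ordinary image link, two data: links.
SAMPLE_BODY = """
<p>Please see the attached report.</p>
<a href="https://docs.example.com/report.pdf"><img src="cid:real.png"></a>
<a href="  DATA:text/html,https://accounts.example.com/login"><img src="cid:shot.png"></a>
<a href="data:text/html,hello">plain text link</a>
"""

if __name__ == "__main__":
    for media, wraps_image, href in audit_email_html(SAMPLE_BODY):
        print(f"data: link ({media}), wraps image: {wraps_image}: {href.strip()[:60]}")
```

A hit with media type `text/html` on an image link is the pattern described in the quote above; legitimate mail has little reason to link to a `data:` URI at all.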
Two-factor authentication is a good way to proactively secure Google and other accounts from phishing and hacks. Take the time to do it now.