A phishing campaign targeting Google accounts spread rapidly on May 3, 2017.
OAuth-based attacks attempt to trick end users into granting a third-party app access to their Google account. Like many attacks, this one starts with a phishing email that tricks the end user into clicking a link, which then prompts them to grant access to a third-party app. This is a common workflow for apps that integrate with Google, so it's not unusual for end users to blindly click the 'Allow' button without reading what access they are granting to the app, or considering whether it makes sense for the prompt to show up at all.
If they granted access to the malicious app, that app would then email the addresses in that user's contact list, so the phishing email would spread from legitimate email addresses and wouldn't be flagged as suspicious.
To verify whether an end user has been impacted, G Suite admins can check that user's Security settings in the G Suite Admin Dashboard by going to Users>[select a user]>Show more>Security>Authorized access. Admins can revoke access to any of the apps listed there.
End users can check their own connected app permissions by navigating to https://myaccount.google.com/permissions while they have an active G Suite session. Even if they did not receive the phishing email today, it's good practice to check connected apps periodically.
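One way to run the admin-side check across many users at once, as an added example that is not part of the original article. It assumes the per-user grants have already been exported as records with the fields of the Admin SDK Directory API tokens.list response; the allowlist, client IDs, app names and users are constructed.

```python
# Added example. Records mirror the Admin SDK Directory API tokens.list
# fields (userKey, clientId, displayText, scopes); every value is constructed.
MAIL_SCOPES = {
    "https://mail.google.com",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/gmail.compose",
    "https://www.googleapis.com/auth/gmail.modify",
}
CONTACT_SCOPES = {
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
    "https://www.google.com/m8/feeds",
}
# Hypothetical allowlist of OAuth client IDs the organisation has vetted.
APPROVED_CLIENT_IDS = {"1111-vetted.apps.googleusercontent.com"}

SAMPLE_TOKENS = [  # constructed sample data
    {"userKey": "alice@example.com", "clientId": "1111-vetted.apps.googleusercontent.com",
     "displayText": "Vetted CRM", "scopes": ["https://mail.google.com/", "https://www.google.com/m8/feeds/"]},
    {"userKey": "alice@example.com", "clientId": "2222-unknown.apps.googleusercontent.com",
     "displayText": "Doc Viewer", "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]},
    {"userKey": "bob@example.com", "clientId": "2222-unknown.apps.googleusercontent.com",
     "displayText": "Doc Viewer", "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]},
    {"userKey": "bob@example.com", "clientId": "3333-cal.apps.googleusercontent.com",
     "displayText": "Room Booker", "scopes": ["https://www.googleapis.com/auth/calendar"]},
]


def normalise(scope):
    # Scope URLs appear with and without a trailing slash; compare without it.
    return scope.strip().rstrip("/").lower()


def risky_grants(tokens, approved=frozenset(APPROVED_CLIENT_IDS)):
    """Map clientId -> sorted users who granted an unvetted app mail AND contacts access."""
    hits = {}
    for tok in tokens:
        if tok.get("clientId") in approved:
            continue
        scopes = {normalise(s) for s in tok.get("scopes", [])}
        if scopes & MAIL_SCOPES and scopes & CONTACT_SCOPES:
            hits.setdefault(tok["clientId"], set()).add(tok["userKey"])
    return {cid: sorted(users) for cid, users in hits.items()}


if __name__ == "__main__":
    for client_id, users in risky_grants(SAMPLE_TOKENS).items():
        print(f"review and revoke {client_id}: {len(users)} user(s): {', '.join(users)}")
```

A client ID that appears for several users with this scope combination is the pattern to review first, since one grant per mailbox is how the email described above propagates.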