Wordfence covers an extremely clever attack initiated when a GMail user clicks on an attachment.  A new tab opens up and you are prompted by Gmail to sign in again. You glance at the location bar and you see accounts.google.com in there but it isn’t the domain the text is sent to.  If the URL starts data:text/html, the domain name will be at the end not the start of the string.