A critical vulnerability has been discovered in the Google Apps for Work that allows hackers to abuse any website’s domain name based email addresses, which could then be used to send phishing emails on company’s behalf in order to target users. Cyber security researchers found that an attacker can register any unused (not previously registered with Google apps service) domain, example:with Google apps for Work to obtain ‘admin@bankofanycountry.com’ account. Researchers reported this security and privacy issue to the search engine giant, and the company has applied a partial patch to the flaw.
Source: https://thehackernews.com/2015/03/google-apps-vulnerability.html