"Since phishing has become much more common, network administrators have made a habit of telling users never to click on password reset links that go to different domains. Because of the way that Google has implemented AMP, however, Gmail users and people using Google apps for institutional use are now more vulnerable to such attacks. Phishers who use AMP pages can thereby employ official 'google.com' web addresses to direct users to malicious sites."

Source: Russian hackers exploited a Google flaw the company has refused to fix – Salon.com