If I have to make a guess, it wasn't just any Google Workspace app but Gmail. The attacker gained broad access to the victim's inbox. They where then able to login into some internal systems using magic links or one-time codes.

It begs the question why there is no 2FA? And why did they had such a broad access to being with?

If this is not case, the only other option I can muster is perhaps API credentials but stored in google workspaces? It is possible but odd.