The article states that all the emails appeared to be from official Harvard email addresses.
At some universities, it’s possible to create email aliases at your .edu domain, so it’s possible that the scammer had access to one or more convincing email addresses.
That greatly increases the level of sophistication.
The article doesn’t say that the emails received were “@harvard.edu” only that they appeared to be valid Harvard ids. That means she made a judgement call that the email were legitimate, but it doesn’t give very many technical details on what she judged that call on.
This makes me assume that the bits she's most embarrassed about (a fact-checker should be able to find out what the valid Harvard email domains are) are the one she glossed over.
At some universities, it’s possible to create email aliases at your .edu domain, so it’s possible that the scammer had access to one or more convincing email addresses.