The attacker sends 0 tokens from your address without your private keys. The address is very similar to the one that you send tokens to. Then a user copies the address and accidentally sends tokens to the scammer.
This is impossible.
People can't send coins from your address without your private key, but what they can do is generate those transactions with a smart contract once users have interacted with it.
And it is important to say this transaction had a cost; it wasn't totally free. The one who spent zero dollars with multiple inputs and outputs had to pay a transaction fee for it. So, if this is an attack, I don't think it will be brute-forced, because each transaction has a cost.
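
The zero-value transfer to a look-alike address described in this thread can be spotted in a wallet's own history. The following is an added example, not part of any post above; the record fields (`tx`, `from`, `to`, `value`), the sample addresses, and the rule that "very similar" means the same first and last four hex characters are all assumptions.

```python
# Constructed sample data: none of these addresses or transfers are real.
OWNER = "0x" + "a1" * 20
LEGIT = "0x12ab" + "0" * 32 + "cd34"   # address the owner really pays
FAKE = "0x12ab" + "f" * 32 + "cd34"    # same first/last 4 hex chars as LEGIT
OTHER = "0x9999" + "1" * 32 + "8888"   # unrelated address

TRANSFERS = [  # oldest first; field names are hypothetical
    {"tx": "t1", "from": OWNER, "to": LEGIT, "value": 100},
    {"tx": "t2", "from": OWNER, "to": FAKE, "value": 0},
    {"tx": "t3", "from": OWNER, "to": OTHER, "value": 0},
    {"tx": "t4", "from": OWNER, "to": FAKE, "value": 50},
]


def fingerprint(addr, n=4):
    """Return the first and last n hex characters of an address."""
    h = addr.lower()
    h = h[2:] if h.startswith("0x") else h
    return h[:n], h[-n:]


def flag_lookalikes(transfers, owner, n=4):
    """Flag transfers from `owner` to an address that imitates an earlier payee."""
    owner = owner.lower()
    known = {}    # fingerprint -> first address the owner paid a non-zero amount
    flagged = []
    for t in transfers:
        if t["from"].lower() != owner:
            continue
        to = t["to"].lower()
        fp = fingerprint(to, n)
        imitated = known.get(fp)
        if imitated is not None and imitated != to:
            # Zero value: history-poisoning entry. Non-zero: funds already misdirected.
            kind = "poison" if t["value"] == 0 else "paid-lookalike"
            flagged.append((t["tx"], kind, to, imitated))
        elif t["value"] > 0:
            known[fp] = to
    return flagged


if __name__ == "__main__":
    for hit in flag_lookalikes(TRANSFERS, OWNER):
        print(hit)
```

A wallet or explorer could use the same comparison to hide or label such entries before a user copies an address from the history.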