Threat actors with suspected ties to Russia are exploiting a Google account feature called application-specific passwords (app passwords) in a novel social engineering campaign designed to gain persistent access to the email accounts of selected victims. Details of the highly targeted campaign were disclosed by Google's Threat Intelligence Group (GTIG) and by the Citizen Lab. The activity impersonates the U.S. Department of State to lend credibility to its phishing emails. From at least April through early June 2025, the actor targeted prominent academics and well-known critics of Russia.
The social engineering attack unfolds over several weeks, patiently building rapport with the target rather than applying the pressure or urgency that might otherwise raise suspicion. It begins with benign-looking phishing emails disguised as meeting invitations from what appears to be a legitimate source, with at least four fictitious "@state.gov" addresses in the CC line. As the Citizen Lab noted, a target might reason that if the invitation were not legitimate, surely one of these State Department employees would say something.
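The CC padding is a mail-level pattern a defender can look for before any account feature is touched. The following is an added example, not code from GTIG or the Citizen Lab: it parses a message with Python's standard `email` package and flags a sender whose CC line carries several addresses at one domain the sender does not belong to. Both messages are constructed, and the free-mail domain list and the threshold of three are assumptions.

```python
"""Triage heuristic for the CC-padding lure described above.

Added example, not code from GTIG or the Citizen Lab. The two messages are
constructed; the free-mail domain list and CC_THRESHOLD are assumptions.
"""
import email
from email import policy

# Assumption: domains where anyone can register a sender address.
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}
# Assumption: three or more CC addresses at one domain the sender is not
# part of is enough to warrant a closer look.
CC_THRESHOLD = 3

# Constructed lure: free-mail sender posing as State Department staff, with a
# CC line padded with invented @state.gov colleagues.
SUSPECT_EMAIL = b"""From: "Jane Doe (U.S. Department of State)" <jane.doe.dos@gmail.com>
To: target@example.edu
Cc: user1@state.gov, user2@state.gov, user3@state.gov, user4@state.gov
Subject: Invitation: private discussion next week
Date: Mon, 05 May 2025 10:00:00 +0000

Dear Professor, we would value your perspective in a closed session.
"""

# Constructed benign message: colleagues at the sender's own domain on CC.
BENIGN_EMAIL = b"""From: Dean Smith <dean.smith@example.edu>
To: target@example.edu
Cc: colleague1@example.edu, colleague2@example.edu, colleague3@example.edu
Subject: Faculty meeting agenda
Date: Mon, 05 May 2025 11:00:00 +0000

Agenda attached.
"""


def cc_padding_findings(raw: bytes) -> dict:
    """Return signals for one RFC 5322 message: the sender's domain, whether
    it is a free-mail domain, and any CC domain padded to CC_THRESHOLD or
    more addresses that the sender is not part of."""
    msg = email.message_from_bytes(raw, policy=policy.default)

    from_hdr = msg["From"]
    sender_domain = ""
    if from_hdr and from_hdr.addresses:
        sender_domain = from_hdr.addresses[0].domain.lower()

    cc_hdr = msg["Cc"]
    cc_addrs = list(cc_hdr.addresses) if cc_hdr else []

    # Count CC addresses per domain, ignoring the sender's own domain: a
    # sender CC'ing its own colleagues is the normal case, not the lure.
    counts: dict = {}
    for addr in cc_addrs:
        d = addr.domain.lower()
        if d and d != sender_domain:
            counts[d] = counts.get(d, 0) + 1
    padded = {d: n for d, n in counts.items() if n >= CC_THRESHOLD}

    return {
        "sender_domain": sender_domain,
        "sender_is_free_mail": sender_domain in FREE_MAIL_DOMAINS,
        "padded_cc_domains": padded,
        "suspicious": bool(padded),
    }


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, cc_padding_findings(raw))
```

This is a triage signal rather than a verdict: a legitimate external contact can also CC several people at one organisation. The point is that the addresses on the CC line lend the message no authority on their own, so a free-mail sender plus a padded CC domain should route the message to a human rather than be trusted because of who is apparently copied.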
These meticulously planned attacks trick victims into creating a 16-character app password and handing it to the adversary, which gives the attacker access to their mailbox. Victims are asked to do this under the pretext of enabling "secure communications between internal employees and also external partners." Google describes app passwords as a way for a less secure application or device, typically one that only supports a username and password such as a legacy mail client, to sign in to an account that has two-factor authentication (2FA) enabled. The app password exists alongside the account's regular password and is not subject to the second factor, so anyone who holds it can sign in as the user without ever being challenged for a code.
The initial messages are designed to elicit a reply agreeing to set up a meeting; only then are the targets sent step-by-step instructions for creating the app password and sharing it.
The attackers then configure a mail client to use the app password, likely with the end goal of accessing and reading the victim's email. Because the app password remains valid until it is revoked, this method gives the attackers persistent access to the compromised accounts for an extended period. Google said it observed a second campaign with Ukrainian themes, and that the attackers logged into victim accounts mainly through residential proxies and VPS servers in order to evade detection by security monitoring. The company said it has since taken steps to secure the accounts compromised by these campaigns.
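An app-password session never faces the second factor, so the useful detection question is where those sessions come from compared with the networks the user has previously signed in from with full 2FA. The following is an added example, not GTIG's or Google's detection logic: it triages a flattened sign-in export and escalates any user whose app-password sign-ins arrive from networks absent from that user's verified baseline, which is what proxy- and VPS-sourced logins like those described above look like. The record layout (user, ISO timestamp, source IP, auth method, client protocol) is an assumption, and the events are constructed using the RFC 5737 documentation ranges in place of real addresses.

```python
"""Triage of mailbox sign-ins that authenticated with an app password.

Added example; not GTIG's or Google's detection logic. The record layout is an
assumed, flattened sign-in export, and the events are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed events. "password+2sv" marks an interactive login that passed
# the second factor; "app_password" marks a session that bypassed it.
SAMPLE_LOGINS = [
    {"user": "prof@example.edu", "ts": "2025-04-01T08:00:00", "ip": "192.0.2.10", "auth": "password+2sv", "protocol": "web"},
    {"user": "prof@example.edu", "ts": "2025-04-02T09:15:00", "ip": "192.0.2.11", "auth": "password+2sv", "protocol": "web"},
    {"user": "prof@example.edu", "ts": "2025-05-03T22:40:00", "ip": "198.51.100.7", "auth": "app_password", "protocol": "imap"},
    {"user": "prof@example.edu", "ts": "2025-05-04T01:10:00", "ip": "203.0.113.44", "auth": "app_password", "protocol": "imap"},
    {"user": "prof@example.edu", "ts": "2025-05-04T06:30:00", "ip": "203.0.113.99", "auth": "app_password", "protocol": "imap"},
    {"user": "staff@example.edu", "ts": "2025-05-03T10:00:00", "ip": "192.0.2.50", "auth": "password+2sv", "protocol": "web"},
    {"user": "staff@example.edu", "ts": "2025-05-03T10:05:00", "ip": "192.0.2.50", "auth": "app_password", "protocol": "imap"},
]


def network(ip: str, prefix: int) -> str:
    """Collapse an address to its enclosing /prefix so several exits from one
    proxy pool count as a single network."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def triage_app_password_logins(events, prefix: int = 24) -> dict:
    """Per user, compare app-password sign-ins against the networks that user
    has previously used for 2SV-verified sign-ins. Any app-password session
    from an unfamiliar network is escalated, because nothing else would have
    challenged it."""
    baseline = defaultdict(set)   # user -> networks seen with a verified login
    by_user = defaultdict(list)   # user -> app-password login events
    for e in events:
        if e["auth"] == "app_password":
            by_user[e["user"]].append(e)
        else:
            baseline[e["user"]].add(network(e["ip"], prefix))

    findings = {}
    for user, logins in by_user.items():
        off = [e for e in logins if network(e["ip"], prefix) not in baseline[user]]
        findings[user] = {
            "app_password_logins": len(logins),
            "off_baseline": len(off),
            "distinct_new_networks": len({network(e["ip"], prefix) for e in off}),
            "protocols": sorted({e["protocol"] for e in off}),
            "first_off_baseline": min((e["ts"] for e in off), default=None),
            "escalate": bool(off),
        }
    return findings


if __name__ == "__main__":
    for user, f in triage_app_password_logins(SAMPLE_LOGINS).items():
        print(user, f)
```

For an escalated user the first response is to revoke the app password in the account's security settings (Google lets the account holder, or a Workspace administrator, see and delete each app password), then sign out active sessions and review anything the session could have changed, such as mail forwarding or filters. The staff account in the sample shows the benign case this logic is meant to tolerate: an app password used from the same network as the user's verified logins.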