Phishing attacks leveraging app-specific passwords to compromise Google mailboxes

Security researchers from Google and Citizen Lab have identified a sophisticated phishing campaign conducted by the Russia state-sponsored threat actor UNC6293, which targets prominent academics and critics of Russia. This campaign exploits Application-Specific Passwords (ASPs) to gain persistent, unauthorized access to victims’ mailboxes.

‍

Attack Methodology

The attackers impersonate credible entities, such as the U.S. Department of State, and engage targets through carefully crafted emails designed to establish trust. Targets are instructed to create App-Specific Passwords under the guise of facilitating access to secure, official communication channels. Victims, unaware of the implications, provide these ASPs to the attackers, who then use the credentials to maintain persistent access to their email accounts.

‍

Attacker Techniques

• Attackers utilize benign-looking PDF documents instructing victims to create ASPs.
• Lures often impersonate government communications, falsely signaling official usage.
• The attack spans multiple email exchanges to enhance credibility and reduce suspicion.
• Infrastructure used includes residential proxies and virtual private servers (VPS) for anonymity and evasion.

‍

Recommendations

• Limit or disable the use of App-Specific Passwords where possible.
• Educate users about the risks of sharing ASPs and how attackers might exploit these credentials.
• Implement Google’s Advanced Protection Program (APP) for high-risk users to restrict ASP creation.
• Regularly audit accounts for suspicious activity or unauthorized ASP creations.
• Conduct out-of-band verification (e.g., via direct phone call) when receiving unusual requests for sensitive actions.