APT29 Leverages Gmail App Password Vulnerabilities to Evade Two-Factor Authentication in Targeted Phishing Operations


Recent investigations have revealed that threat actors with potential connections to Russia are exploiting a specific Google account feature, application-specific passwords (ASPs), as part of an innovative social engineering strategy aimed at gaining unauthorized access to email accounts.

The Google Threat Intelligence Group (GTIG), in collaboration with Citizen Lab, reported on this targeted campaign, which impersonates the U.S. Department of State. The detailed analysis indicates that from at least April to early June 2025, the actors focused on prominent academics and notable critics of Russia. They employed an approach involving extensive rapport-building and customized lures to convince their targets to generate application-specific passwords.

According to GTIG researchers Gabby Roncone and Wesley Shields, “Once the target shares the ASP passcode, the attackers establish persistent access to the victim’s mailbox.”

This campaign has been linked to a threat actor cluster identified by Google as UNC6293, which is believed to be associated with the Russian state-sponsored hacking group known as APT29, among other aliases such as BlueBravo, Cozy Bear, and Midnight Blizzard.

The execution of the social engineering tactics is notably deliberate, spanning several weeks to build trust rather than applying undue pressure that could arouse suspicion. Attackers send innocuous phishing emails, disguised as meeting invitations, which include multiple fictitious addresses with the “@state.gov” domain in the CC list. This tactic creates an illusion of legitimacy.

A target may contemplate that “if this is not legitimate, surely one of these State Department employees would say something, especially if I reply and keep them on the CC line,” as noted by Citizen Lab.

Furthermore, it has been observed that the State Department’s email configuration accepts all messages and does not return a bounce notification even for non-existent addresses, a factor that may further embolden attackers in their operations.
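The CC-line lure above can be triaged mechanically on the receiving side: a message whose CC list carries several addresses at an impersonated domain while the sender's own address is elsewhere is worth a second look, and, as Citizen Lab's observation about the no-bounce configuration implies, the absence of bounces from those CC addresses says nothing about whether they exist. The following is an added example written for this post, not code from GTIG or Citizen Lab; the sample message, the threshold of three same-domain CC recipients, and the `state.gov` watch-list entry (taken from the campaign description above) are constructed for illustration.

```python
"""Heuristic triage of the 'padded CC line' lure: flag messages whose CC list
contains several recipients at a watched domain while the From address is not
at that domain. Added example; the message and thresholds are constructed."""
from collections import Counter
from email import message_from_string
from email.utils import getaddresses

# Constructed sample lure (fictitious names, documentation-reserved domains).
SAMPLE_LURE = """From: "J. Doe" <j.doe.liaison@example.com>
To: prof@example.edu
Cc: a.smith@state.gov, b.jones@state.gov, c.lee@state.gov, d.kim@state.gov
Subject: Meeting request: Russia policy discussion
Content-Type: text/plain

Dear Professor, could we schedule a call next week?
"""

# Constructed benign message: sender and CC recipients share the domain.
SAMPLE_BENIGN = """From: "A. Smith" <a.smith@state.gov>
To: prof@example.edu
Cc: b.jones@state.gov, c.lee@state.gov, d.kim@state.gov
Subject: Follow-up

Thanks for your time today.
"""


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address ('' if malformed)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def score_cc_lure(raw_message: str,
                  watch_domains=("state.gov",),
                  min_same_domain_cc: int = 3):
    """Return a list of human-readable findings (empty means no signal).

    A finding is raised when at least `min_same_domain_cc` CC recipients sit
    at a watched domain but the From address does not, which matches the
    'many @state.gov colleagues copied' pattern described in the post.
    """
    msg = message_from_string(raw_message)
    senders = getaddresses(msg.get_all("From", []))
    sender_domain = domain_of(senders[0][1]) if senders else ""
    cc_addresses = [addr for _, addr in getaddresses(msg.get_all("Cc", []))]
    cc_by_domain = Counter(domain_of(a) for a in cc_addresses)

    findings = []
    for watched in watch_domains:
        count = cc_by_domain.get(watched, 0)
        if count >= min_same_domain_cc and sender_domain != watched:
            findings.append(
                f"{count} CC recipients at {watched} but sender is at "
                f"{sender_domain or '<none>'}; bounces from {watched} "
                f"cannot be relied on to expose fictitious recipients"
            )
    return findings


if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, score_cc_lure(raw) or "no findings")
```

The heuristic is deliberately a triage signal rather than a verdict: it should route the message to a reviewer or raise a banner, since legitimate cross-organisation threads also copy several people at one domain. Pair it with sender-authentication results (SPF/DKIM/DMARC) on the From domain, which this snippet does not check.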

The fundamental goal of these attacks is to deceive victims into disclosing a 16-digit passcode under the guise of facilitating “secure communications between internal employees and external partners.” The ASPs allow less secure apps or devices to access a Google account, particularly when two-factor authentication (2FA) has been enabled.

Google elucidates that “when you use 2-Step Verification, some less secure apps or devices may be blocked from accessing your Google account. App passwords are a way to let the blocked app or device access your Google account.”

Initially, the attackers reach out to the targets to initiate a meeting, after which they provide a PDF with a series of steps to create an ASP supposedly for secure access to a fabricated Department of State cloud service. This step aims to ensure the victims share the ASP with the attackers.

The attackers subsequently configure a mail client to use the ASP, thereby granting them ongoing access to the victim’s email correspondence, as noted by GTIG. Google has identified an additional campaign with an emphasis on Ukrainian themes, in which attackers logged into victim accounts using residential proxies and Virtual Private Servers (VPS) to obscure their activity. Google has taken steps to secure the accounts compromised during these campaigns.
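The account-side trace of this technique is compact: an app password is created from the victim's normal location, then a mail client authenticates with it from infrastructure the account has never used (the residential proxies and VPS hosts mentioned above). The detector below is an added example written for this post, not code from GTIG or Google; the event schema (`event`, `method`, `asn` fields) is an assumption standing in for whatever your audit-log source actually emits, and the events themselves are constructed sample data.

```python
"""Flag app-password (ASP) logins that follow ASP creation from a network the
account had never used before. Added example; the event schema is assumed and
the events below are constructed, not real audit logs."""
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed audit events. Assumed schema: ts (ISO 8601), user, event
# ('login' | 'asp_created'), ip, asn, method ('browser' | 'app_password').
SAMPLE_EVENTS: List[Dict] = [
    # Victim pattern: ASP created from the usual network, then used from a new ASN.
    {"ts": "2025-05-02T09:12:00", "user": "prof@example.edu", "event": "login",
     "ip": "203.0.113.10", "asn": "AS64500", "method": "browser"},
    {"ts": "2025-05-03T14:05:00", "user": "prof@example.edu", "event": "asp_created",
     "ip": "203.0.113.10", "asn": "AS64500", "method": "browser"},
    {"ts": "2025-05-03T15:40:00", "user": "prof@example.edu", "event": "login",
     "ip": "198.51.100.77", "asn": "AS64511", "method": "app_password"},
    {"ts": "2025-05-04T08:00:00", "user": "prof@example.edu", "event": "login",
     "ip": "198.51.100.78", "asn": "AS64511", "method": "app_password"},
    # Benign pattern: user creates an ASP and uses it from their own network.
    {"ts": "2025-05-05T10:00:00", "user": "alice@example.edu", "event": "login",
     "ip": "192.0.2.5", "asn": "AS64501", "method": "browser"},
    {"ts": "2025-05-05T10:30:00", "user": "alice@example.edu", "event": "asp_created",
     "ip": "192.0.2.5", "asn": "AS64501", "method": "browser"},
    {"ts": "2025-05-05T10:45:00", "user": "alice@example.edu", "event": "login",
     "ip": "192.0.2.5", "asn": "AS64501", "method": "app_password"},
]


def _ts(event: Dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


def find_suspicious_asp_use(events: List[Dict], window_hours: int = 72) -> List[Dict]:
    """Return one alert per app-password login that (a) occurs within
    `window_hours` of an ASP being created on the same account and
    (b) comes from an ASN the account had not used up to that creation.

    The pre-creation ASN set is the baseline: the attacker's mail client
    runs on infrastructure the victim never touched, so its ASN is new.
    """
    by_user: Dict[str, List[Dict]] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(ev["user"], []).append(ev)

    alerts = []
    for user, evs in by_user.items():
        for i, created in enumerate(evs):
            if created["event"] != "asp_created":
                continue
            created_at = _ts(created)
            baseline_asns = {e["asn"] for e in evs[: i + 1]}
            for later in evs[i + 1:]:
                if _ts(later) - created_at > timedelta(hours=window_hours):
                    break
                if (later["event"] == "login"
                        and later["method"] == "app_password"
                        and later["asn"] not in baseline_asns):
                    alerts.append({
                        "user": user,
                        "asp_created_at": created["ts"],
                        "login_at": later["ts"],
                        "ip": later["ip"],
                        "asn": later["asn"],
                        "reason": "app-password login from ASN never seen before ASP creation",
                    })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_asp_use(SAMPLE_EVENTS):
        print(alert)
```

On a hit, the response is to revoke the app password, terminate the account's sessions, and review mail forwarding rules and filters, since a client-side foothold of this kind is often paired with quiet exfiltration settings. Where the organisation has no business need for app passwords at all, disabling them centrally removes the lure's payoff entirely.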

The affiliation of UNC6293 with APT29 is reinforced by a pattern of similar social engineering attacks employing innovative methods, such as device code phishing and device join phishing, to gain unauthorized access to Microsoft 365 accounts since the beginning of the year.

Device join phishing is particularly concerning as it deceives victims into providing attackers with a Microsoft-generated OAuth code, which can be exploited to hijack accounts. Microsoft reported last month that since April 2025, Russian-linked threat actors have been using third-party application messages or emails pertaining to upcoming meetings to distribute malicious links that yield valid authorization codes. Clicking these links could allow the threat actors to register devices on the tenant’s network.