Threat actors suspected of ties with Russia have been observed abusing a Google account feature called application-specific passwords (or app passwords) as part of a new social engineering tactic designed to access victims' email.
Details of the highly targeted campaign were disclosed by Google Threat Intelligence Group (GTIG) and Citizen Lab, who say the activity impersonates the US Department of State.
“From at least April to early June 2025, the actor targeted prominent Russian scholars and critics, often using extensive trust building and tailored lures to persuade the target to set up application-specific passwords (ASPs).
“When a target shares an ASP passcode, the attacker establishes permanent access to the victim’s mailbox.”
This activity is attributed to a threat cluster tracked by Google as UNC6293 and may be related to the Russian state-sponsored hacking group known as APT29 (aka Bluebravo, Cloaked Ursa, Cozylarch, Cozy Bear, Icecap, Midnight Blizzard, and the Dukes).
The social engineering unfolds over several weeks in order to build a relationship with the target.
It begins with a benign-looking phishing email carrying a meeting invitation, with four or more fictitious “@state.gov” addresses on the CC line to give the message a veneer of credibility.
“The target is likely to think that, if this were not legitimate, one of these State Department employees would say something, especially if they reply and keep the CC line intact,” Citizen Lab said.
“The attackers are evidently relying on the State Department’s email server being configured to accept all messages and not to return a ‘bounce’ response, even if the address does not exist.”
This shows that the attacks are meticulously planned and executed to trick victims into sharing a 16-digit passcode that grants access to their mailbox, under the pretext of enabling “secure communication between internal employees and external partners.”
Google describes app passwords as a way for less secure apps or devices to access the Google accounts of users who have two-factor authentication (2FA) enabled.
“Using 2-Step Verification can block some less secure apps and devices from accessing your Google account,” the company says. “App passwords are a way to enable blocked apps or devices to access your Google account.”
The first message is designed to elicit a response from the target to set up a meeting; the attacker then sends a PDF document listing the steps to create an app password for “secure” access to a fake State Department cloud environment, and asks the target to share the resulting code.
“The attacker then sets up an email client to use an ASP and uses the ASP with the ultimate goal of accessing and reading the victim’s email communications,” GTIG said. “This method allows the attacker to have permanent access to the account.”
Google also observed a second campaign with a Ukrainian theme, and said the attackers logged in to victim accounts primarily through residential proxies and VPS servers to avoid detection. The company said it has taken steps to secure the accounts breached in the campaign.
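A defender reading the paragraphs above wants a way to spot the pattern described: an ASP being created on an account, followed shortly by a mail-client (IMAP/SMTP/POP) login from an address the organisation does not recognise. The Python below is an added example for this article, not code from Google, GTIG or Citizen Lab. The audit events, their field names, the "known" network and the seven-day correlation window are all constructed assumptions; real Google Workspace audit logs use different event and field names, so only the loader would need adapting.

```python
"""Correlate app-password (ASP) creation with later mail-client logins.

Added example, not Google's or Citizen Lab's code. The records below are
constructed and simplified; field names ("event", "client", ...) are our
own assumption, not a real audit-log schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample events (not real log data). Two users: one whose
# ASP is used from an unknown address within hours, one whose ASP is
# only ever used from the office network.
SAMPLE_EVENTS = [
    {"ts": "2025-05-02T09:14:00", "user": "scholar@example.org",
     "event": "asp_created", "ip": "203.0.113.10", "client": "web"},
    {"ts": "2025-05-02T11:40:00", "user": "scholar@example.org",
     "event": "login", "ip": "198.51.100.77", "client": "imap"},
    {"ts": "2025-05-03T08:02:00", "user": "scholar@example.org",
     "event": "login", "ip": "203.0.113.10", "client": "web"},
    {"ts": "2025-05-10T13:00:00", "user": "admin@example.org",
     "event": "asp_created", "ip": "203.0.113.20", "client": "web"},
    {"ts": "2025-05-10T13:05:00", "user": "admin@example.org",
     "event": "login", "ip": "203.0.113.20", "client": "imap"},
]

# Networks the organisation treats as known (office, corporate VPN).
# Constructed for the example; use your own allow-list.
KNOWN_NETWORKS = [ip_network("203.0.113.0/24")]
# How long after ASP creation a first mail-client login is still "linked".
WINDOW = timedelta(days=7)
MAIL_CLIENTS = {"imap", "smtp", "pop"}


@dataclass
class Finding:
    user: str
    asp_created_at: datetime
    login_at: datetime
    login_ip: str


def is_known_ip(ip: str) -> bool:
    """True if the address falls inside one of the organisation's networks."""
    addr = ip_address(ip)
    return any(addr in net for net in KNOWN_NETWORKS)


def parse(events):
    """Convert ISO timestamps to datetime objects, leaving other fields as-is."""
    return [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in events]


def find_suspicious_asp_use(events, window=WINDOW):
    """Flag a user when an ASP is created and, within `window`, a mail-client
    login for that user arrives from an address outside KNOWN_NETWORKS.
    Browser logins are ignored: the ASP technique only matters for legacy
    mail protocols that bypass 2FA."""
    parsed = sorted(parse(events), key=lambda e: e["ts"])
    creations: dict[str, list[datetime]] = {}
    findings: list[Finding] = []
    for e in parsed:
        if e["event"] == "asp_created":
            creations.setdefault(e["user"], []).append(e["ts"])
        elif e["event"] == "login" and e["client"] in MAIL_CLIENTS:
            if is_known_ip(e["ip"]):
                continue
            for created in creations.get(e["user"], []):
                if created <= e["ts"] <= created + window:
                    findings.append(Finding(e["user"], created, e["ts"], e["ip"]))
                    break
    return findings


if __name__ == "__main__":
    for f in find_suspicious_asp_use(SAMPLE_EVENTS):
        print(f"ALERT {f.user}: ASP created {f.asp_created_at:%Y-%m-%d %H:%M}, "
              f"mail-client login from {f.login_ip} at {f.login_at:%Y-%m-%d %H:%M}")
```

On the constructed data only scholar@example.org is flagged: the IMAP login two hours after the ASP was created comes from 198.51.100.77, outside the known network, while admin@example.org's IMAP login from 203.0.113.20 is treated as ordinary use. The stronger control the article implies is to disallow app passwords altogether where the organisation can (Google's 2-Step Verification with passkeys or security keys does not need them); this correlation is a fallback for tenants that still permit them.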
The link between UNC6293 and APT29 rests on a series of similar social engineering attacks observed since the start of the year that gained unauthorized access to Microsoft 365 accounts using newer techniques such as device code phishing and device join phishing.
Device join phishing is particularly noteworthy because it tricks the victim into sending a Microsoft-generated OAuth code back to the attacker, who then uses it to hijack the account.
“Since April 2025, Microsoft has observed suspected threat actors related to Russia using third-party application messages or emails referring to invitations for upcoming meetings to provide malicious links with valid authorization codes,” Microsoft revealed last month.
“When clicked, the link returns a token for the Device Registration Service, allowing the threat actor’s device to be registered with the tenant.”