APT29 Exploits Gmail App Passwords to Bypass MFA in Spear-Phishing Attacks
June 23rd, 2025
Severity Level: Medium

Technical Details
Threat Actor: Russian APT29 (UNC6293).
Severity: Medium.
Exploit Method: Social engineering via email.
Tactics: Long-term engagement.
Goal: Harvest emails, sensitive content, and maintain mailbox persistence.
The attackers initiate contact through highly personalized phishing emails, often impersonating entities such as the U.S. State Department, and use flawless English and legitimate-looking PDF documents to build rapport over multiple exchanges. Once trust is established, victims are persuaded to generate a 16-character app-specific password (ASP), which the attacker then uses to gain full access to the victim's Gmail account without triggering any multi-factor authentication (MFA) challenge.
Our Cyber Threat Intelligence Unit has identified a sophisticated cyber-espionage campaign conducted by the Russian-linked threat actor APT29/UNC6293. This attack abuses Google app-specific passwords (ASPs) through sophisticated social engineering, coercing victims into generating ASPs that effectively bypass multi-factor authentication. This method grants attackers persistent, covert access to Gmail accounts and is often used to spy on high-profile targets. The abuse of ASPs highlights the risk of legacy authentication paths that let a single static credential stand in for MFA.

Impact
Successful exploitation can result in:
Bypassing Gmail’s MFA protections entirely.
Complete mailbox compromise, including private and confidential emails.
Continuous monitoring, with attackers potentially intercepting and altering communications.
Credential misuse for lateral attacks or future phishing.
Given APT29’s history, this method poses serious risks to high-profile individuals and governments.
Detection Method
To identify attempted or successful intrusions:
Review Gmail Account Activity: Check for suspicious logins from unfamiliar IP addresses or locations.
Audit ASP Usage: In Google Account settings, inspect for unusual or newly created app-specific passwords.
Analyze Email History: Search for PDF attachments that teach ASP creation steps.
Monitor Logs: Check for mailbox access without standard two-factor authentication (2FA) events.
Identify Proxies: Flag connections routed through residential IP ranges or known proxy networks.
Indicators of Compromise
| Type | Indicator | Description |
| --- | --- | --- |
| SHA256 File Hash | 329fda9939930e504f47d30834d769b30ebeaced7d73f3c1aadd0e48320d6b39 | A malicious PDF file used as a phishing email attachment |
| IP Address | 91.190.191.117 | Malicious IP linked to unauthorized Gmail ASP access |
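The following triage helper is an added example, not part of the original advisory, and it ties the Detection Method steps above (audit ASP usage, look for mailbox access without a 2FA event, flag proxy or residential sources) to the Indicators of Compromise table. It runs over constructed sign-in records whose field names (user, ip, login_type, second_factor, success) are assumptions loosely modelled on a Gmail login audit record, not Google's actual schema; the login_type values and the PROXY_RANGES list are also constructed placeholders. The IoC IP and SHA-256 values are the ones from the table.

```python
"""Triage helper for the APT29 app-specific-password (ASP) phishing pattern.

Added example, not the advisory's own tooling. It flags:
  1. Successful Gmail sign-ins that match the advisory's IoC IP, used an
     app-specific password, completed no second-factor challenge, or came
     from a residential/proxy range.
  2. PDF attachments whose SHA-256 matches the advisory's file-hash IoC.
The record schema is a constructed simplification; field names are assumptions.
"""
import hashlib
import ipaddress
from dataclasses import dataclass, field

# IoC values taken from the advisory's Indicators of Compromise table.
IOC_IPS = {"91.190.191.117"}
IOC_PDF_SHA256 = {"329fda9939930e504f47d30834d769b30ebeaced7d73f3c1aadd0e48320d6b39"}

# Constructed placeholder: in practice these ranges come from a proxy/residential
# intelligence feed. 203.0.113.0/24 is an RFC 5737 documentation range.
PROXY_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass
class LoginEvent:
    user: str
    ip: str
    login_type: str       # constructed values: "google_password" or "app_password"
    second_factor: bool   # True if an MFA challenge was completed for this sign-in
    success: bool


@dataclass
class Finding:
    user: str
    ip: str
    reasons: list = field(default_factory=list)


def is_proxy_ip(ip: str) -> bool:
    """True if the address falls inside a known residential/proxy range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROXY_RANGES)


def triage_logins(events):
    """Return one Finding per successful sign-in that trips at least one check."""
    findings = []
    for ev in events:
        if not ev.success:
            continue  # failed attempts are out of scope for this check
        reasons = []
        if ev.ip in IOC_IPS:
            reasons.append("ip matches advisory IoC")
        if ev.login_type == "app_password":
            reasons.append("app-specific password used")
        if not ev.second_factor:
            # ASP sign-ins never produce an MFA event; on its own this is a weak
            # signal, so it is reported together with the other reasons.
            reasons.append("mailbox access with no second-factor event")
        if is_proxy_ip(ev.ip):
            reasons.append("source in residential/proxy range")
        if reasons:
            findings.append(Finding(ev.user, ev.ip, reasons))
    return findings


def attachment_hash_is_ioc(sha256_hex: str) -> bool:
    """Compare an already-computed SHA-256 (hex) against the file-hash IoC."""
    return sha256_hex.lower() in IOC_PDF_SHA256


def attachment_is_ioc(pdf_bytes: bytes) -> bool:
    """Hash raw attachment bytes and compare against the file-hash IoC."""
    return attachment_hash_is_ioc(hashlib.sha256(pdf_bytes).hexdigest())


# Constructed sample sign-ins (RFC 5737 documentation addresses, except the IoC IP).
SAMPLE_EVENTS = [
    LoginEvent("analyst@example.org", "198.51.100.7", "google_password", True, True),    # benign
    LoginEvent("analyst@example.org", "91.190.191.117", "app_password", False, True),    # IoC IP via ASP
    LoginEvent("analyst@example.org", "203.0.113.44", "app_password", False, True),      # proxy range via ASP
    LoginEvent("analyst@example.org", "203.0.113.44", "google_password", False, False),  # failed, skipped
]


def run_sample():
    return triage_logins(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f.user, f.ip, "; ".join(f.reasons))
```

The "no second-factor event" reason is deliberately reported alongside the others rather than alone: a long-lived browser session also shows no fresh MFA event, so that signal only becomes actionable when paired with an ASP login type, an IoC address, or a proxy source.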

Recommendations
Do Not Share App-Specific Passwords: Treat them like real passwords, as they can bypass multi-factor authentication (MFA) controls.
Verify Suspicious Activity: Independently confirm the identity of suspicious senders through a separate, previously known communication channel.
Enable Google Advanced Protection: Provides enhanced security and reduces ASP misuse.
Review Account Security Weekly: Check for unfamiliar app-specific passwords (ASPs) or unusual session logs.
Raise Awareness: Educate high-risk users about this ASP phishing technique.
Limit ASP usage: Allow their creation only when necessary.
Monitor Mailbox Access Patterns: Especially from residential or proxy-based IP ranges.
Apply AI-Enabled Email Filters: To detect and quarantine social engineering patterns used in this campaign.
Conclusion
The APT29 app-specific password (ASP) phishing campaign represents a new evolution in social engineering, characterized by its high level of targeting, patience, and deceptive simplicity. By convincing victims to generate ASPs, attackers effectively bypass multi-factor authentication and breach high-value Gmail accounts without the need for malware or fake login pages. This credibility-driven tactic is extremely difficult to detect with automated tools or traditional antivirus solutions. This instance highlights a growing trend: threat actors exploiting human behavior over technical vulnerabilities. Mitigating this threat requires heightened user awareness, secure Gmail configurations and a layered defense strategy including behavioral detection and zero-trust principles.