Copyright © All Rights Reserved. World of Software.

Russian APT29 Exploits Gmail App Passwords to Bypass 2FA in Targeted Phishing Campaign

News Room
Last updated: 2025/06/19 at 4:38 AM
News Room Published 19 June 2025

Jun 19, 2025Ravie LakshmananEmail Security / Identity Protection

Threat actors with suspected ties to Russia have been observed taking advantage of a Google account feature called application specific passwords (or app passwords) as part of a novel social engineering tactic designed to gain access to victims’ emails.

Details of the highly targeted campaign were disclosed by Google Threat Intelligence Group (GTIG) and the Citizen Lab, stating the activity seeks to impersonate the U.S. Department of State.

“From at least April through early June 2025, this actor targeted prominent academics and critics of Russia, often using extensive rapport building and tailored lures to convince the target to set up application specific passwords (ASPs),” GTIG researchers Gabby Roncone and Wesley Shields said.

“Once the target shares the ASP passcode, the attackers establish persistent access to the victim’s mailbox.”


The activity has been attributed by Google to a threat cluster it tracks as UNC6293, which it says is likely affiliated with the Russian state-sponsored hacking group called APT29 (aka BlueBravo, Cloaked Ursa, CozyLarch, Cozy Bear, ICECAP, Midnight Blizzard, and The Dukes).

The social engineering unfolds over a span of several weeks to establish rapport with targets, rather than induce a sense of pressure or urgency that may have otherwise raised suspicion.

This involves sending benign phishing emails disguised as meeting invitations that include no fewer than four different fictitious “@state.gov” addresses in the CC line to lend them a veneer of credibility.

“A target might reason ‘if this isn’t legitimate, surely one of these State Department employees would say something, especially if I reply and keep them on the CC line,’” the Citizen Lab said.

“We believe that the attacker is aware that the State Department’s email server is apparently configured to accept all messages and does not emit a ‘bounce’ response even when the address does not exist.”

This indicates that these attacks are meticulously planned and executed to trick victims into parting with a 16-digit passcode that gives the adversary permission to access their mailbox under the pretext of enabling “secure communications between internal employees and external partners.”

Google describes these app passwords as a way to give a less secure app or device the ability to access a user’s Google account that has two-factor authentication (2FA) enabled.

“When you use 2-Step Verification, some less secure apps or devices may be blocked from accessing your Google account,” per the company. “App passwords are a way to let the blocked app or device access your Google account.”

The initial messages are designed to elicit a response from the target to set up a meeting, after which the target is sent a PDF document that lists a series of steps to create an app password, ostensibly in order to securely access a fake Department of State cloud environment, and to share the code with the attackers.

“The attackers then set up a mail client to use the ASP, likely with the end goal of accessing and reading the victim’s email correspondence,” GTIG said. “This method also allows the attackers to have persistent access to accounts.”

Google said it observed a second campaign bearing Ukrainian themes, and that the attackers logged into victim accounts mainly using residential proxies and VPS servers to evade detection. The company said it has since taken steps to secure the accounts compromised by the campaigns.
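
A defender-side sketch of the pattern described above, added here as an example and not taken from Google, GTIG or the Citizen Lab: it flags an app-password login that follows creation of an app password and comes from a network the account has not used before. The event schema, field names, network labels and sample records are constructed assumptions; real audit logs would have to be mapped into this shape first.

```python
from datetime import datetime, timedelta

# Constructed events in a hypothetical normalized schema (not a real
# Google log format); "network" stands in for an ASN or provider label.
SAMPLE_EVENTS = [
    {"ts": "2025-05-02T08:10:00", "user": "prof@example.org", "type": "login",
     "auth": "2sv", "network": "AS-CAMPUS"},
    {"ts": "2025-05-20T14:00:00", "user": "prof@example.org", "type": "asp_created",
     "auth": "2sv", "network": "AS-CAMPUS"},
    {"ts": "2025-05-20T14:45:00", "user": "prof@example.org", "type": "login",
     "auth": "app_password", "network": "AS-VPS-HOST"},
    {"ts": "2025-05-03T09:00:00", "user": "ops@example.org", "type": "login",
     "auth": "2sv", "network": "AS-OFFICE"},
    {"ts": "2025-05-04T09:00:00", "user": "ops@example.org", "type": "asp_created",
     "auth": "2sv", "network": "AS-OFFICE"},
    {"ts": "2025-05-04T09:05:00", "user": "ops@example.org", "type": "login",
     "auth": "app_password", "network": "AS-OFFICE"},
]


def find_suspicious_asp_use(events, window=timedelta(days=14)):
    """Return (user, timestamp, network) for app-password logins that occur
    within `window` of ASP creation from a network not seen for that user."""
    known = {}    # user -> networks seen in earlier, non-flagged logins
    created = {}  # user -> time of the most recent ASP creation
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user, net = ev["user"], ev["network"]
        seen = known.setdefault(user, set())
        if ev["type"] == "asp_created":
            created[user] = ts
        elif ev["type"] == "login":
            asp_ts = created.get(user)
            if (ev["auth"] == "app_password" and asp_ts is not None
                    and ts - asp_ts <= window and net not in seen):
                alerts.append((user, ev["ts"], net))
                continue  # do not learn a flagged network as baseline
            seen.add(net)
    return alerts


if __name__ == "__main__":
    for user, ts, net in find_suspicious_asp_use(SAMPLE_EVENTS):
        print(f"review {user}: app-password login at {ts} from new network {net}")
```
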


UNC6293’s ties to APT29 stem from a series of similar social engineering attacks that have leveraged novel techniques like device code phishing and device join phishing to gain unauthorized access to Microsoft 365 accounts since the start of the year.

Device join phishing is particularly noteworthy for the fact that it tricks victims into sending back to the attackers a Microsoft-generated OAuth code to hijack their accounts.

“Since April 2025, Microsoft has observed suspected Russian-linked threat actors using third-party application messages or emails referencing upcoming meeting invitations to deliver a malicious link containing valid authorization code,” Microsoft revealed last month.

“When clicked, the link returns a token for the Device Registration Service, allowing registration of the threat actor’s device to the tenant.”
