State-sponsored attackers conduct complex Social Engineering campaign targeting App-Specific passwords to bypass MFA
Take action: A complex and systematic social engineering campaign bypasses MFA protections by persuading the victim to hand the attackers a password. Never create Google App-Specific Passwords in response to unexpected email requests, even if they appear to come from legitimate government agencies with official-looking documents and CC'd email addresses. Be VERY careful with such unexpected emails: call and confirm independently.
Learn More
A sophisticated social engineering campaign attributed to state-sponsored threat actors successfully compromised the email accounts of prominent academics and critics of Russia by exploiting a novel attack method involving Google App-Specific Passwords (ASPs).
The attack campaign, which operated from at least April through early June 2025, represents an evolution in cyber-espionage tactics as threat actors adapt to the wider adoption of multi-factor authentication.
What are App-Specific Passwords?
Google App-Specific Passwords (ASPs) are 16-character authentication codes that allow third-party applications to access your Google account when those applications cannot support Google's standard two-factor authentication (2FA) or modern authentication protocols.
When you enable two-factor authentication on your Google account, some older applications or devices may not be able to handle the additional security step required during login. Instead of entering your regular Google password, you create an App-Specific Password that acts as a substitute credential for that particular application.
The basic process:
- You generate an ASP through your Google Account security settings
- You enter this 16-character code as the "password" in the third-party application
- The application can then access your Google services (like Gmail or Google Drive) without triggering 2FA prompts
- Each ASP is unique and can be revoked individually without affecting other apps or your main account password
Attack scenario
The attack technique gained public attention when Keir Giles, a prominent British expert on Russian information operations and senior consulting fellow at Chatham House, was targeted. On May 22, 2025, a sender purporting to be U.S. State Department official "Claudie S. Weber" sent an email to Mr. Giles, initiating what would become a weeks-long conversation with more than 10 email exchanges.
The core deception centered on convincing targets to create App-Specific Passwords under the guise of registering for a fictitious "MS DoS Guest Tenant" platform. The attackers provided professionally crafted PDF documents that appeared to be official State Department publications, complete with proper formatting, markings, and revision history, walking victims through the ASP creation process step-by-step.

Screenshot of an email with fake CC'd users with @state.gov addresses. Source: Citizenlab.ca
The attackers lent their emails credibility by adding recipients with @state.gov email addresses in the CC field. A victim seeing these addresses in CC will assume that they are real and that, if anything were wrong, these people would react. Naturally, the CC'd @state.gov recipients were fake, but the target has no way of knowing that unless they click "reply to all" and get a "no such user" error.
But we are all trained to be careful with "reply to all".

Fake offer to join the DoS Guest Tenant. Source: Citizenlab.ca
The attackers were very patient and adaptable. When Giles initially experienced difficulties creating ASPs on his primary accounts, the attackers provided detailed troubleshooting assistance, even requesting screenshots of specific Google account pages to resolve issues.

Screenshot of a fake document created by the attackers. Source: Citizenlab.ca
The campaign began in April 2025 and continued through early June 2025. Giles' specific targeting commenced on May 22, 2025, with the initial contact email. On June 4, nearly two weeks after that first contact, Google notified Giles of a suspicious login attempt: the company's security systems had detected unauthorized access from a DigitalOcean IP address (178.62.47[.]109).
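The signal that finally surfaced the compromise was a successful login from a hosting-provider address the user had never logged in from before. The following is an added example (not Google's or Citizen Lab's code) of that detection logic applied to a constructed, simplified login log; the log line format, the user names and the hosting-range list are all assumptions, with the single range entry chosen only so that it covers the article's DigitalOcean address. In production the range list would come from your own IP/ASN intelligence and the events from Google's login audit log.

```python
"""Flag suspicious Google logins for high-risk users.

Added example for this article, not Google's or Citizen Lab's code. The log
lines are CONSTRUCTED in a simplified format (timestamp, event, user, ip);
Google's real login audit events carry the same facts under different field
names. The hosting-provider range list is an ASSUMED placeholder.
"""
import ipaddress
import re

# Assumed placeholder that happens to cover the article's DigitalOcean address;
# a real list is built from ASN/IP intelligence, not from this single entry.
HOSTING_RANGES = [ipaddress.ip_network("178.62.0.0/16")]

# Constructed sample log: normal logins from documentation address space,
# then the anomalous one from hosting space (the article's IP, un-defanged).
SAMPLE_LOG = """\
2025-05-20T08:01:10Z login_success user=kg@example.org ip=192.0.2.44
2025-05-23T19:44:02Z login_success user=kg@example.org ip=192.0.2.44
2025-05-30T07:15:55Z login_failure user=kg@example.org ip=203.0.113.7
2025-06-02T10:30:00Z login_success user=dana@example.org ip=198.51.100.23
2025-06-04T03:12:41Z login_success user=kg@example.org ip=178.62.47.109
2025-06-05T09:00:12Z login_success user=dana@example.org ip=198.51.100.77
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+)$")


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def in_hosting_range(ip_str, ranges=HOSTING_RANGES):
    """True when the address falls inside any known hosting-provider range."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # malformed address: do not crash the detection loop
    return any(ip in net for net in ranges)


def detect_suspicious_logins(lines, ranges=HOSTING_RANGES):
    """Return alerts for successful logins from hosting space or from a source
    address the user has not logged in from before (earlier lines form the
    baseline, so a user's very first login is never flagged as 'new')."""
    seen = {}      # user -> set of source addresses already observed
    alerts = []
    for ev in filter(None, map(parse_line, lines)):
        if ev["event"] != "login_success":
            continue  # failures are noisy; the article's signal was a success
        user, ip = ev["user"], ev["ip"]
        history = seen.setdefault(user, set())
        reasons = []
        if in_hosting_range(ip, ranges):
            reasons.append("source in hosting-provider range")
        if history and ip not in history:
            reasons.append("new source address for this user")
        history.add(ip)
        if reasons:
            alerts.append({"time": ev["ts"], "user": user, "ip": ip,
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_logins(SAMPLE_LOG):
        print(f"{alert['time']} {alert['user']} from {alert['ip']}: "
              + "; ".join(alert["reasons"]))
```

Two reasons firing together (hosting space plus a never-before-seen address for that user) is the combination worth paging on; a new residential address alone, as with the second user in the sample, is more often travel than compromise and can be routed to a lower-priority queue.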
Compromised Data Types
- Email correspondence and communications
- Account access credentials (App-Specific Passwords)
- Potentially sensitive research and academic materials related to Russian operations
Scope and Impact: While Keir Giles is the most publicized victim of this campaign, Google said it observed a second campaign with Ukrainian themes, indicating a broader operational scope. Google Threat Intelligence Group (GTIG) researchers saw similar attacks on academics and Russia critics from April through early June. Google researchers note the attacks were not "widespread" because of their resource-intensive nature. The exact number of affected individuals across both campaigns has not been disclosed.
Mr. Giles has publicly shared his suspicion that the material exfiltrated from his accounts is likely to be manipulated and selectively released as part of a future information operation.
Google's security systems eventually detected the suspicious activity and secured the compromised accounts. The company has since recommended that high-risk individuals enroll in Google's Advanced Protection Program, which prevents the creation of App-Specific Passwords due to enhanced security requirements.
Organizations are advised to audit their use of ASPs and disable them unless specifically needed for legitimate business purposes.
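Because each ASP is a standalone, individually revocable credential that bypasses 2FA (as the "basic process" section above describes), an audit boils down to listing every user's ASPs and flagging the ones created recently, never used, or long dormant. The following is an added example of that audit, not Google's code; it uses the field names of the Admin SDK Directory API's asps resource (codeId, name, creationTime, lastTimeUsed in epoch milliseconds) over constructed sample records so it runs offline, and the user names, ASP names, thresholds and reference date are all assumptions.

```python
"""Audit Google App-Specific Passwords (ASPs) and flag the ones to review.

Added example for this article, not code from Google or Citizen Lab.
Record fields (userKey, codeId, name, creationTime, lastTimeUsed) follow the
Admin SDK Directory API 'asps' resource; times are epoch milliseconds and a
lastTimeUsed of 0 means the ASP has never been used. The sample records are
CONSTRUCTED so the audit runs offline.
"""
from datetime import datetime, timedelta, timezone


def iso_to_ms(iso_date):
    """Epoch milliseconds for a YYYY-MM-DD date, taken as UTC midnight."""
    dt = datetime.fromisoformat(iso_date).replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def ms_to_dt(ms):
    """Convert epoch milliseconds to an aware datetime; 0 means 'never'."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc) if ms else None


# Constructed sample: the flattened 'items' of asps.list for three users.
SAMPLE_ASPS = [
    {"userKey": "alice@example.org", "codeId": 1001, "name": "Thunderbird on laptop",
     "creationTime": iso_to_ms("2023-11-14"), "lastTimeUsed": iso_to_ms("2025-06-09")},
    {"userKey": "alice@example.org", "codeId": 1002, "name": "Old phone mail",
     "creationTime": iso_to_ms("2022-02-01"), "lastTimeUsed": iso_to_ms("2024-09-01")},
    {"userKey": "bob@example.org", "codeId": 2001, "name": "MS DoS Guest Tenant",
     "creationTime": iso_to_ms("2025-05-28"), "lastTimeUsed": iso_to_ms("2025-06-04")},
    {"userKey": "carol@example.org", "codeId": 3001, "name": "Legacy scanner",
     "creationTime": iso_to_ms("2025-05-20"), "lastTimeUsed": 0},
]

# Fixed reference time (assumed) so the audit is reproducible.
NOW = datetime(2025, 6, 10, tzinfo=timezone.utc)


def audit_asps(records, now=NOW, recent_days=30, stale_days=180):
    """Return one finding per ASP that merits review or revocation.

    An ASP is flagged when it was created within `recent_days` (the window in
    which a social-engineering victim would have been walked through creating
    it), when it has never been used, or when it has not been used for
    `stale_days` (a dead credential that only widens the attack surface).
    """
    findings = []
    for asp in records:
        created = ms_to_dt(asp["creationTime"])
        last_used = ms_to_dt(asp.get("lastTimeUsed", 0))
        reasons = []
        if now - created <= timedelta(days=recent_days):
            reasons.append(f"created within {recent_days} days")
        if last_used is None:
            reasons.append("never used")
        elif now - last_used > timedelta(days=stale_days):
            reasons.append(f"unused for more than {stale_days} days")
        if reasons:
            findings.append({"userKey": asp["userKey"], "codeId": asp["codeId"],
                             "name": asp["name"], "reasons": reasons})
    return findings


def users_with_asps(records):
    """Map each user to the number of ASPs they hold; any ASP is 2FA-exempt access."""
    counts = {}
    for asp in records:
        counts[asp["userKey"]] = counts.get(asp["userKey"], 0) + 1
    return counts


if __name__ == "__main__":
    # With live data (google-api-python-client, delegated admin credentials):
    #   service = build("admin", "directory_v1", credentials=creds)
    #   items = service.asps().list(userKey=user).execute().get("items", [])
    #   service.asps().delete(userKey=user, codeId=code_id).execute()  # revoke
    for f in audit_asps(SAMPLE_ASPS):
        print(f"{f['userKey']}: ASP {f['codeId']} '{f['name']}' -> "
              + ", ".join(f["reasons"]))
    print(users_with_asps(SAMPLE_ASPS))
```

Run against real data, the "created within 30 days" finding is the one to chase first for staff who work on Russia-related topics: a freshly created ASP with an unfamiliar name is exactly what this campaign produced, and asps.delete revokes it without touching the user's main password or other apps.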