Gmail's multi-factor authentication hacked

An article worth reading from the Malwarebytes News Letter

Gmail’s multi-factor authentication bypassed by hackers to pull off targeted attacks

Posted: June 23, 2025 by Pieter Arntz

Russian hackers have bypassed Google’s multi-factor authentication (MFA) in Gmail to pull off targeted attacks, according to security researchers at Google Threat Intelligence Group (GTIG).

The hackers pulled this off by posing as US Department of State officials in advanced social engineering attacks, building a rapport with the target and then persuading them into creating app-specific passwords (app passwords).

App passwords are special 16-digit codes that Google generates to allow certain apps or devices to access your Google Account securely, especially when you have MFA enabled.

Normally, when you sign in to your Google account, you use your regular password plus a second verification step like a code sent to your phone. But since some older or less secure apps and devices—like certain email clients, cameras, or older phones—are unable to handle this extra verification step, Google provides app passwords as an alternative way to sign in.

However, because app passwords skip the second verification step, hackers can steal or phish them more easily than a full MFA login.

In an example provided by CitizenLab, the attackers initially made contact by posing as a State Department representative, inviting the target to a consultation in the setting of a private online conversation.

Although the invitation came from a Gmail account, it CCed four @state.gov accounts, giving a false sense of security and making the target believe that other people at the State Department had monitored the email conversation.

Most likely, the attacker fabricated those email addresses, knowing that the State Department’s email server accepts all messages and does not send a bounce response even if the addresses do not exist.

As the conversation unfolded and the target showed interest, they received an official-looking document with instructions to register for an “MS DoS Guest Tenant” account. The document outlined the process of “adding your work account… to our MS DoS Guest Tenant platform,” which included creating an app password to “enable secure communications between internal employees and external partners.”

So, while the target believes they are creating and sharing an app password to access a State Department platform in a secure way, they are actually giving the attacker full access to their Google account.

The targets of this campaign, which ran for months, were prominent academics and critics of Russia, and it was set up with so much attention to detail and skill that the researchers suspect the attacker was a Russian state-sponsored entity.

Be safe, avoid app passwords

Now that this bypass is known, we can expect more social engineering attacks leveraging app-specific passwords in the future. Here’s how to stay safe:

  • Only use app passwords when absolutely necessary. If you have the opportunity to change to apps and devices that support more secure sign-in methods, make that switch.
  • The advice to enable MFA still stands strong, but not all MFA is created equal. Authenticator apps (like Google Authenticator) or hardware security keys (FIDO2/WebAuthn) are more resistant to attacks than SMS-based codes, let alone app passwords.
  • Regularly educate yourself and others about recognizing phishing attempts. Attackers often bypass MFA by tricking users into revealing credentials or app passwords through phishing.
  • Keep an eye on unusual login attempts or suspicious behavior, such as logins from unfamiliar locations or devices. And limit those logins where possible.
  • Regularly update your operating system and the apps you use to patch vulnerabilities that attackers might exploit. Enable automatic updates whenever possible so you don’t have to remember to do it yourself.
  • Use security software that can block malicious domains and recognize scams.
10 Likes
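The article's advice to watch for unusual sign-ins is easiest to act on if app-password logins are surfaced explicitly, since they are the ones that skipped the second factor. The following script is an added example, not code from the article, Malwarebytes or Google: it runs a simple triage over a constructed audit log. The event fields (user, ts, ip, method, client) are an assumed generic shape, not any provider's real log schema, and the sample events are constructed.

```python
"""Flag app-password sign-ins in a constructed audit log.

Added example, not from the article or the thread. The event fields
(user, ts, ip, method, client) are an assumed generic shape, not any
provider's real log schema; the sample events are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events (assumed field names, not a real provider schema).
SAMPLE_EVENTS = [
    {"user": "alice@example.org", "ts": "2025-06-20T09:02:11Z", "ip": "198.51.100.7",
     "method": "password+otp", "client": "Chrome/Linux"},
    {"user": "alice@example.org", "ts": "2025-06-21T10:15:40Z", "ip": "198.51.100.7",
     "method": "passkey", "client": "Chrome/Linux"},
    {"user": "alice@example.org", "ts": "2025-06-22T23:48:03Z", "ip": "203.0.113.42",
     "method": "app_password", "client": "IMAP"},
    {"user": "bob@example.org", "ts": "2025-06-22T07:30:00Z", "ip": "192.0.2.9",
     "method": "app_password", "client": "IMAP"},
    {"user": "bob@example.org", "ts": "2025-06-23T07:31:12Z", "ip": "192.0.2.9",
     "method": "app_password", "client": "IMAP"},
]


@dataclass
class Alert:
    user: str
    ts: str
    severity: str
    reason: str


def triage_signins(events):
    """Return alerts, processing events in timestamp order, per user.

    - app_password from an IP never seen for that user -> high
    - app_password from an already-seen IP             -> medium (confirm it is still needed)
    - any other method from a never-seen IP            -> low
    A user's very first event always counts as a new IP; a real deployment
    would seed seen_ips from historical data first.
    """
    seen_ips = defaultdict(set)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 timestamps sort lexically
        user, ip = ev["user"], ev["ip"]
        new_ip = ip not in seen_ips[user]
        if ev["method"] == "app_password":
            if new_ip:
                alerts.append(Alert(user, ev["ts"], "high",
                    f"app password used from new IP {ip} via {ev['client']}; "
                    "app passwords skip the second factor, verify with the user"))
            else:
                alerts.append(Alert(user, ev["ts"], "medium",
                    f"app password still in use via {ev['client']}; "
                    "confirm it is still needed or revoke it"))
        elif new_ip:
            alerts.append(Alert(user, ev["ts"], "low",
                f"first sign-in from {ip} via {ev['client']}"))
        seen_ips[user].add(ip)
    return alerts


if __name__ == "__main__":
    for a in triage_signins(SAMPLE_EVENTS):
        print(f"[{a.severity:6}] {a.ts} {a.user}: {a.reason}")
```

Every app-password sign-in produces at least a medium alert on purpose: the point of the article is that an app password is a standing bypass of MFA, so each one should be periodically justified or revoked, not only watched for anomalies.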

To clarify: Just because the header of an email says that it CC’d various government email addresses does not mean that it actually did send a copy to those addresses. This should be trivial to forge, especially at the state-sponsored attacker level.

However, were the target to use “Reply All”, it is handy that the State Department email addresses won’t bounce. (I personally dislike silent failure and I don’t configure my own email servers that way. The downside is that in that case you are allowing an attacker to iterate through “all” email addresses, probing for valid addresses. So you need some way of countering that.)

The number 4 was probably chosen to avoid going above a certain threshold, which might trigger alerts inside the State Department’s IT infrastructure and/or different behaviour in the handling of the email.

Generic advice:

  • Be suspicious of any information garnered online that you cannot check against information in the real world.
  • Be suspicious of unsolicited approaches online. And bear in mind the previous point. Of all the things you “know” about this contact, which are verifiable?
    You have to be suspicious because, of all the things that you could check, you probably won’t check any unless you smell a rat.
  • If you are a high-value target or likely to be targeted by a sophisticated attacker, consider compartmentalising (multiple devices, multiple accounts), so that even if one piece is compromised, some parts remain uncompromised.
6 Likes
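The point above, that a CC header is plain text and proves nothing about who actually received the message, can be turned into a mechanical check at the mail gateway or in a mail client plugin. The script below is an added example, not from this thread or from any mail product: it parses a constructed message with Python's standard `email` package and reports when a free-mail sender lists other organisations' domains in CC, or when the sender's display name claims an affiliation that matches a CC'd domain rather than the real sender domain. The free-mail domain list and both heuristics are assumptions.

```python
"""Check whether an e-mail's CC list is consistent with its real sender.

Added example, not from the original thread. The heuristics and the
free-mail domain list are assumptions; the sample message is constructed.
"""
import email
from email import policy

# Assumed list of consumer mailbox providers (not exhaustive).
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "proton.me"}

# Constructed sample message mirroring the pattern described in the thread:
# a free-mail sender posing as an official, with government addresses in CC.
SAMPLE_RAW = b"""From: "J. Doe, Department of State" <j.doe.dos@gmail.com>
To: target@example.org
Cc: alice@state.gov, bob@state.gov, carol@state.gov, dave@state.gov
Subject: Invitation: private consultation
Message-ID: <constructed-0001@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Please find the onboarding instructions attached.
"""


def check_cc_trust(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and return sender/CC domains plus findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_header = msg["From"]
    sender = from_header.addresses[0] if from_header and from_header.addresses else None
    sender_domain = sender.domain.lower() if sender else ""
    display_name = (sender.display_name if sender else "").lower()

    cc_header = msg["Cc"]
    cc_domains = {a.domain.lower() for a in cc_header.addresses} if cc_header else set()

    findings = []
    other = cc_domains - {sender_domain}

    # 1. CC entries are header text chosen by the sender; they say nothing
    #    about whether those mailboxes exist or received a copy.
    if sender and sender_domain in FREEMAIL_DOMAINS and other:
        findings.append(
            f"sender {sender.addr_spec} is a free-mail address but CC lists "
            f"{', '.join(sorted(other))}; the CC header does not prove those "
            "recipients received or read the message")

    # 2. Display name claims an affiliation matching a CC'd domain while the
    #    actual address lives somewhere else.
    for dom in sorted(other):
        label = dom.split(".")[0]          # e.g. 'state' from 'state.gov'
        if sender and label in display_name:
            findings.append(
                f"display name {sender.display_name!r} references '{label}' "
                f"but the address is at {sender_domain}, not {dom}")

    return {"sender_domain": sender_domain, "cc_domains": cc_domains, "findings": findings}


if __name__ == "__main__":
    result = check_cc_trust(SAMPLE_RAW)
    print("sender domain:", result["sender_domain"])
    print("cc domains:   ", sorted(result["cc_domains"]))
    for f in result["findings"]:
        print("-", f)
```

Only the header fields are inspected; the check deliberately makes no network calls to the CC'd domains, since as the post notes a server that accepts all recipients gives no signal either way.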

Once again, the weakest point in this chain is the human. This is not a hack per se, just social engineering.

The problem is that we use and rely upon complex systems that are in many cases becoming ever more complex. It is not possible to expect the average person to know every possible way that they can be phished or socially engineered, as hackers keep discovering new methods.

While passkeys may provide a solution to some of this complexity, as long as we can log onto online accounts in some ‘different’ manner (such as through an alternative Google password), they will not be entirely secure. Our online identities are only as strong as the weakest link, whether it be the human, or an option that says ‘click here if you have forgotten your password’.

7 Likes

Yes. It’s (as usual) someone inside the bunker being persuaded to hand over the key to the door. The more attractive the contents of the bunker, the more effort an attacker might be willing to put into the persuasion.

Very true.

Google isn’t the only type of account that allows the user to set an “app password”, because there are still plenty of poorly-programmed apps / devices that can’t work with MFA. Email apps and IoT devices tend to be the main offenders. The former need full access to one’s mailbox and the latter typically want to upload data to one’s cloud account or a network share or send logs via email.

For the user, my advice is don’t use app passwords at all if you can possibly avoid it.

Get rid of any apps that can’t function without an app password, or update to a version that can.

If any of your ‘smart’ devices are using an app password to be able to do something, check whether there are other ways to do it. If there aren’t, think very carefully about whether you really need the device to do that something, or replace it with a smarter device that doesn’t need app passwords.

And last but not least: delete app passwords from your accounts as soon as you no longer need them.

6 Likes

…and don’t ‘log into’ anything else “using your Google, Apple, Microsoft” accounts.

10 Likes

And from AI scammer posing as US Secretary of State Marco Rubio targets foreign ministers, US politicians - ABC News

The perpetrator copied a fake “@state.gov” email address on the messages

So either the perpetrators are the same, or knowledge of this “vulnerability” is spreading, or knowledge of it was already widely held among bad actors.

Time for the State Department to revisit?

3 Likes