APT29 Tricks Email Users with Phishing
APT29, a Russian-linked threat group, is tricking email users with a clever phishing campaign that has targeted academics and critics since April 2025. The campaign exploits Gmail app passwords to bypass 2FA, threatening secure communications globally.
How the Attack Begins
Attackers build rapport over weeks with tailored lures. They send fake meeting invites from fake “@state.gov” addresses and urge victims to create app passwords. Consequently, victims unknowingly grant persistent access.
Exploitation of App Passwords
The campaign uses app passwords to sidestep 2FA. After following fake setup steps, victims share the resulting 16-digit code with attackers who impersonate the U.S. Department of State. As a result, the attackers access mailboxes undetected.
Targeting and Tactics
The group focuses on prominent figures critical of Russia. It avoids creating urgency, which would arouse suspicion. A report notes the use of residential proxies and VPS servers. Through such meticulous planning, it evades detection.
Impact on Victims
Victims lose control of their email accounts. Attackers read correspondence and steal data. Moreover, the campaign mimics official sources for credibility, which heightens risks to personal and diplomatic security.
Broader Cyber Threats
APT29 also uses device join phishing against Microsoft 365, tricking users into sharing OAuth codes. Malicious links register attacker-controlled devices, so account hijacking becomes more common.
Challenges for Defense
The slow, patient approach makes the phishing harder to spot, and proxies hide attacker locations. Because the fake emails blend in with legitimate ones, protecting users demands advanced monitoring.
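One concrete monitoring check for the lure described above, added here as an illustration rather than code from the article or any vendor: flag mail that claims an impersonated sender domain (the "@state.gov" addresses mentioned above) without SPF or DKIM passing for that domain, or whose display name name-drops the domain, or whose body asks the recipient to create an app password. The domain list, lure phrases and sample message are constructed assumptions; only the topmost Authentication-Results header written by your own mail gateway should be trusted.

```python
"""Triage check for the app-password lure: impersonated sender domain without
passing authentication, and/or a request for an app password. Sample mail is constructed."""
import email
import email.utils
import re
from email import policy

IMPERSONATED_DOMAINS = {"state.gov"}  # domain named in the article; extend per your environment
LURE_PATTERNS = [  # assumed lure wording, tune to observed samples
    re.compile(r"app[\s-]*passwords?", re.I),
    re.compile(r"16[\s-]*(?:digit|character)", re.I),
]
# Matches one Authentication-Results clause such as "spf=pass smtp.mailfrom=example.org"
AUTH_CLAUSE = re.compile(r"^(?:dkim|spf)=pass\b.*?(?:header\.d|header\.i|smtp\.mailfrom)=([^\s;]+)", re.I)

def authenticated_domains(msg):
    """Domains that passed SPF or DKIM according to the Authentication-Results header.
    Only the header added by your own MTA is trustworthy; strip attacker-supplied copies upstream."""
    header = msg.get("Authentication-Results", "")
    found = set()
    for clause in str(header).split(";"):
        m = AUTH_CLAUSE.search(clause.strip())
        if m:
            found.add(m.group(1).rpartition("@")[2].lower())  # keep only the domain part
    return found

def assess(raw_message):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = email.utils.parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    findings = []
    if from_domain in IMPERSONATED_DOMAINS and from_domain not in authenticated_domains(msg):
        findings.append(f"sender claims {from_domain} but SPF/DKIM did not pass for it")
    for dom in IMPERSONATED_DOMAINS:
        if dom in name.lower() and from_domain != dom:
            findings.append(f"display name references {dom} but address is @{from_domain}")
    if any(p.search(text) for p in LURE_PATTERNS):
        findings.append("body asks for an app password / 16-digit code")
    return findings

# Constructed sample resembling the lure: spoofed domain, failed SPF, app-password request.
LURE = """\
From: "Meeting Desk" <invite@state.gov>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=attacker.example; dkim=none
Content-Type: text/plain; charset=utf-8

Please create an app password and reply with the 16-digit code before our call.
"""
```

Run `assess(LURE)` on the constructed sample to see both findings; feed real gateway-stamped messages to the same function to triage them.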
Preventing APT29 Attacks
To stop APT29, never share app passwords with anyone. Verify email requests through official channels, enable strict 2FA settings, and monitor account activity. Additionally, train staff to recognize the signs of phishing. These steps help safeguard email security.
Sleep well, we've got you covered.