Russian Hackers Bypass Gmail MFA in Targeted Academic Attacks

Between April and June 2025, a Russian state-sponsored hacking group identified as UNC6293, linked to APT29 (also known as Cozy Bear), conducted a sophisticated phishing campaign targeting prominent academics and critics of Russia by impersonating the U.S. Department of State. The attackers used personalized emails and fake meeting invites, including spoofed official State Department email addresses, to build trust with victims and persuade them to create and share Google App Passwords, which bypass Google's multi-factor authentication (MFA). These 16-character app passwords allow less secure apps to access Gmail accounts without triggering MFA, enabling hackers to gain long-term undetected access to victims' email accounts. Google confirmed the widespread nature of the attack and urged all Gmail users to strengthen their security settings to prevent unauthorized access. The campaign exploited the configuration of the State Department's email server, which does not bounce invalid addresses, to enhance the credibility of the phishing emails. This attack highlights the increasing sophistication of cyber threats against secure email platforms and the importance of vigilant security practices.