On July 8, 2026, members of the Сivic Network OPORA received a phishing email titled “Demand to Remove Plagiarism,” purportedly from the legal department of the well-known Ukrainian media outlet “GORDON”. The email was part of a carefully prepared campaign aimed at stealing access to the organization’s staff Google mailboxes.
A key feature of this attack is that the threat actors did not steal passwords in the classic sense. Instead, they used an OAuth consent phishing technique: the victim was persuaded to authorize a fraudulent application through Google’s genuine sign-in mechanism, granting the attackers a persistent access token to Gmail with permissions to read, send, and delete emails. Such a token is not invalidated by a password change and remains valid until the victim manually revokes the permission.
The investigation by Digital Security Lab Ukraine uncovered a well-planned, multi-layered infrastructure: a lookalike sender domain with fully configured email authentication (passing SPF, DKIM, and DMARC), an intermediate filtering domain using hCaptcha to screen out automated scanners, a fake Google Drive page built in React, and a chain of domains for generating and intercepting the OAuth token. All domains were registered on the same day – two weeks before the attack – through four different registrars, indicating deliberate preparation to resist detection and takedown.
This campaign mirrors the tactics documented by CyberHUB-AM in March 2026 regarding a spear-phishing campaign targeting Armenian civil society (https://cyberhub.am/en/blog/2026/03/05/alert-spear-phishing-campaign-targeting-armenian-civil-society/), and fits into a broader trend of attacks on human rights and civil society organizations in the region.
Read the full investigation report here.
Our analysis points to an organized, resourceful, and well-prepared actor:
- Careful infrastructure preparation over two weeks, with diversified registrars and CDN fronting.
- Legitimate mail authentication (M365 + SPF/DKIM/DMARC) to ensure Inbox delivery.
- Well-thought-out social engineering incorporating real details (a genuine 2020 article, a real media outlet used as cover).
- A technically more sophisticated OAuth-consent vector that bypasses two-factor authentication and password changes.
- Country-based filtering oriented toward Ukrainian users.
The similarities with the campaign documented by CyberHUB-AM in Armenia may point to a broader regional pattern of attacks against civil society organizations, although we do not yet have enough evidence to confirm a direct connection between the campaigns.
Based on the available data, we are not yet able to attribute this campaign to a specific threat group. Attribution requires further investigation.
Recommendations
For personal Google accounts:
- Review your Google account settings (personal and corporate). Open myaccount.google.com/permissions and remove unknown applications.
- Check filter and mail-forwarding rules in your Gmail settings.
- Set up Google Advanced Protection using security keys.
For organizations with Google Workspace:
- Review Connected Apps in the Google Workspace Admin Console.
- Enable App Access Control (Security -> API Controls): restrict OAuth access for third-party applications, allowing only trusted ones.
- Disable mail forwarding organization-wide or for specific Organizational Units.
- Set up Google Advanced Protection for high-risk members of the organization.