On July 8, 2026, members of the Сivic Network OPORA received a phishing email titled “Demand to Remove Plagiarism,” purportedly from the legal department of the well-known Ukrainian media outlet “GORDON”. The email was part of a carefully prepared campaign aimed at stealing access to the organization’s staff Google mailboxes.

A key feature of this attack is that the threat actors did not steal passwords in the classic sense. Instead, they used an OAuth consent phishing technique: the victim was persuaded to authorize a fraudulent application through Google’s genuine sign-in mechanism, granting the attackers a persistent access token to Gmail with permissions to read, send, and delete emails. Such a token is not invalidated by a password change and remains valid until the victim manually revokes the permission.

The investigation by Digital Security Lab Ukraine uncovered a well-planned, multi-layered infrastructure: a lookalike sender domain with fully configured email authentication (passing SPF, DKIM, and DMARC), an intermediate filtering domain using hCaptcha to screen out automated scanners, a fake Google Drive page built in React, and a chain of domains for generating and intercepting the OAuth token. All domains were registered on the same day – two weeks before the attack – through four different registrars, indicating deliberate preparation to resist detection and takedown.

This campaign mirrors the tactics documented by CyberHUB-AM in March 2026 regarding a spear-phishing campaign targeting Armenian civil society (https://cyberhub.am/en/blog/2026/03/05/alert-spear-phishing-campaign-targeting-armenian-civil-society/), and fits into a broader trend of attacks on human rights and civil society organizations in the region.

Read the full investigation report here.

Our analysis points to an organized, resourceful, and well-prepared actor:

  • Careful infrastructure preparation over two weeks, with diversified registrars and CDN fronting.
  • Legitimate mail authentication (M365 + SPF/DKIM/DMARC) to ensure Inbox delivery.
  • Well-thought-out social engineering incorporating real details (a genuine 2020 article, a real media outlet used as cover).
  • A technically more sophisticated OAuth-consent vector that bypasses two-factor authentication and password changes.
  • Country-based filtering oriented toward Ukrainian users.

The similarities with the campaign documented by CyberHUB-AM in Armenia may point to a broader regional pattern of attacks against civil society organizations, although we do not yet have enough evidence to confirm a direct connection between the campaigns.

Based on the available data, we are not yet able to attribute this campaign to a specific threat group. Attribution requires further investigation.

Recommendations

For personal Google accounts:

  • Review your Google account settings (personal and corporate). Open myaccount.google.com/permissions and remove unknown applications.
  • Check filter and mail-forwarding rules in your Gmail settings.
  • Set up Google Advanced Protection using security keys.

For organizations with Google Workspace:

  • Review Connected Apps in the Google Workspace Admin Console.
  • Enable App Access Control (Security -> API Controls): restrict OAuth access for third-party applications, allowing only trusted ones.
  • Disable mail forwarding organization-wide or for specific Organizational Units.
  • Set up Google Advanced Protection for high-risk members of the organization.