
Russian APT29 Exploits Gmail App Passwords to Bypass 2FA in Targeted Phishing Campaign

High
Published: Thu Jun 19 2025 (06/19/2025, 10:10:02 UTC)
Source: Reddit InfoSec News

Description

Russian APT29 Exploits Gmail App Passwords to Bypass 2FA in Targeted Phishing Campaign Source: https://thehackernews.com/2025/06/russian-apt29-exploits-gmail-app.html

AI-Powered Analysis

Last updated: 06/19/2025, 10:16:49 UTC

Technical Analysis

This threat is a targeted phishing campaign attributed to the Russian state-sponsored group APT29, also known as Cozy Bear. It does not exploit a software flaw; it abuses Gmail app passwords. An app password is a 16-character code that Google generates on request for an account that has 2-Step Verification enabled, so that mail clients and devices that cannot complete a second-factor challenge can still sign in over protocols such as IMAP, POP and SMTP. By design the code is accepted with no second-factor check, so once created it is a standing bypass of 2FA for that account until it is revoked. APT29 phishes targets for these codes, typically by walking the victim through generating a new one and sending it back. Each captured code gives the attacker durable mailbox access: reading mail, exfiltrating attachments and contacts, and using the trusted account to spear-phish colleagues and partners or pivot to other targets inside the organization.

The technique is insidious because it rides on a legitimate usability feature rather than a bug. The victim's browser login continues to prompt for 2FA and looks healthy, while the legacy-protocol path the attacker uses never consults the second factor. Nothing is "patched" by the vendor; the exposure exists wherever app passwords are enabled and users can be talked into creating one.

The campaign is targeted, indicating that APT29 is selecting individuals and organizations of strategic or intelligence value. No affected software versions or CVE apply, since the weakness is in account configuration and user behaviour; the threat is still rated high because a single successful phish yields persistent, silent compromise of the confidentiality and integrity of a mailbox. The campaign was reported in June 2025 by The Hacker News, with limited corroborating discussion in the InfoSec community. It illustrates how APT groups bypass security controls by exploiting the nuances of security features and user behaviour rather than software vulnerabilities alone.

Potential Impact

For European organizations, the impact of this threat can be substantial. Compromise of Gmail accounts through stolen app passwords can lead to unauthorized access to sensitive corporate communications, intellectual property, and personal data of employees and executives. This can result in espionage, data leaks, and disruption of business operations. Given that Gmail is widely used across Europe for both personal and professional communication, the scope of potential victims is broad. Organizations in sectors such as government, defense, critical infrastructure, finance, and technology are particularly at risk due to the strategic value of their information. The bypass of 2FA undermines a critical security control, increasing the likelihood of successful account takeovers. Additionally, compromised accounts can be leveraged to launch further phishing attacks internally or externally, amplifying the threat. The reputational damage and regulatory consequences under GDPR for data breaches involving personal data could also be severe. The campaign's targeted nature suggests that high-profile European entities could be specifically selected for espionage or disruption purposes, increasing the risk to national security and economic interests.

Mitigation Recommendations

To mitigate this threat, European organizations should implement the following specific measures beyond generic phishing awareness:

1) Do not rely on security keys alone. Hardware keys harden the interactive sign-in, but an app password sidesteps whatever second factor is configured, keys included. For high-risk users, enrol the account in Google's Advanced Protection Program, which disables app passwords outright.

2) Disable or restrict the creation of app passwords in Google Workspace through administrative policy, especially for executives, administrators and other high-risk users; where a legacy client genuinely needs one, document the exception and time-limit it.

3) Deploy email filtering and anti-phishing controls tuned to this lure, in particular messages that instruct the recipient to generate an app password or "device password" and send it back.

4) Run targeted phishing simulations that include an app-password request, so users learn to recognize this specific pretext.

5) Monitor Google Workspace for app-password activity: enumerate every user's app passwords (the Admin SDK Directory API exposes them under users.asps, with creation and last-used timestamps), alert on newly created codes, and correlate with login audit logs for sign-ins from unfamiliar devices or locations.

6) Have users review and revoke app passwords they no longer use, and have administrators revoke any code that is stale or unexplained.

7) Integrate threat intelligence feeds covering APT29 tradecraft and indicators of compromise, and adjust mail and identity defenses accordingly.

8) Apply strict access controls and network segmentation so that a compromised mailbox cannot easily be used to reach other systems.

9) Give incident response teams a playbook for account compromise via app-password phishing: revoke all app passwords on the account, terminate active sessions, reset the password, review mail forwarding rules and filters, and scope outbound spear-phishing from the account.
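The enumeration and revocation steps above (items 5 and 6) can be scripted against the Admin SDK Directory API. The following is an added example written for this page, not code from the article or from Google. The sample data is constructed and loosely modelled on the `users.asps.list` response (fields `codeId`, `name`, `creationTime`, `lastTimeUsed`, timestamps in epoch milliseconds); the thresholds (72-hour "new" window, 90-day idle limit) and the fixed clock are assumptions, and the `revoke` call needs a real OAuth bearer token with the `admin.directory.user.security` scope.

```python
"""Triage Google Workspace app passwords (ASPs): flag newly created, never used
and stale codes, and optionally revoke them via the Directory API.

Added example; not code from the original article or from Google. Sample data
below is constructed. Field names follow the Admin SDK users.asps resource;
policy thresholds are assumptions.
"""
import json
import urllib.request
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Fixed clock so the sample is deterministic (assumption for the example).
NOW = datetime(2025, 6, 19, 10, 0, tzinfo=timezone.utc)


def ms(dt: datetime) -> str:
    """Epoch milliseconds as a string, as the API serialises int64 fields."""
    return str(int(dt.timestamp() * 1000))


# Constructed sample of what GET /admin/directory/v1/users/{userKey}/asps
# might return for three users. Not real data.
SAMPLE_ASP_LISTS: Dict[str, dict] = {
    "alice@example.eu": {
        "kind": "admin#directory#aspList",
        "items": [
            # long-lived code still in daily use by a known mail client: benign
            {"codeId": 101, "name": "Thunderbird",
             "creationTime": ms(NOW - timedelta(days=400)),
             "lastTimeUsed": ms(NOW - timedelta(hours=3))},
        ],
    },
    "bob@example.eu": {
        "kind": "admin#directory#aspList",
        "items": [
            # created yesterday and already in use: the pattern a coached victim produces
            {"codeId": 202, "name": "Mail",
             "creationTime": ms(NOW - timedelta(days=1)),
             "lastTimeUsed": ms(NOW - timedelta(hours=6))},
            # old code nobody has used for months
            {"codeId": 203, "name": "Old phone",
             "creationTime": ms(NOW - timedelta(days=700)),
             "lastTimeUsed": ms(NOW - timedelta(days=200))},
        ],
    },
    # no "items" key: the user has no app passwords
    "carol@example.eu": {"kind": "admin#directory#aspList"},
}


@dataclass(frozen=True)
class Finding:
    user: str
    code_id: int
    name: str
    reason: str  # "recently_created", "never_used" or "stale"


def _to_dt(value) -> Optional[datetime]:
    """Parse an epoch-millisecond field; missing or zero means 'never'."""
    if value in (None, "", "0", 0):
        return None
    return datetime.fromtimestamp(int(value) / 1000, tz=timezone.utc)


def triage(asp_lists: Dict[str, dict], now: datetime = NOW,
           new_window_hours: int = 72, max_idle_days: int = 90) -> List[Finding]:
    """Return one Finding per app password that deserves attention.

    A code created inside the new-window is flagged first (most relevant to the
    phishing pattern); otherwise never-used and idle codes are flagged for revocation.
    """
    findings: List[Finding] = []
    for user, listing in asp_lists.items():
        for asp in listing.get("items", []):
            created = _to_dt(asp.get("creationTime"))
            last_used = _to_dt(asp.get("lastTimeUsed"))
            code_id, name = int(asp["codeId"]), asp.get("name", "")
            if created is not None and now - created <= timedelta(hours=new_window_hours):
                findings.append(Finding(user, code_id, name, "recently_created"))
            elif last_used is None:
                findings.append(Finding(user, code_id, name, "never_used"))
            elif now - last_used > timedelta(days=max_idle_days):
                findings.append(Finding(user, code_id, name, "stale"))
    return findings


def revoke(token: str, finding: Finding) -> int:
    """DELETE the app password. Returns the HTTP status (204 on success).

    Requires a bearer token with the admin.directory.user.security scope;
    not called by the offline demo below.
    """
    url = (f"https://admin.googleapis.com/admin/directory/v1/users/"
           f"{finding.user}/asps/{finding.code_id}")
    req = urllib.request.Request(url, method="DELETE",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Dry run over the constructed sample: print the revocation plan as JSON.
    print(json.dumps([f.__dict__ for f in triage(SAMPLE_ASP_LISTS)], indent=2))
```

In a real deployment the per-user listings come from `users.asps.list` for every account in the domain; "recently_created" findings should page an analyst (compare against a ticket or the user's own confirmation) while "never_used" and "stale" codes can usually be revoked automatically.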


Technical Details

Source Type
reddit
Subreddit
InfoSecNews
Reddit Score
1
Discussion Level
minimal
Content Source
reddit_link_post
Domain
thehackernews.com
Newsworthiness Assessment
{"score":64.1,"reasons":["external_link","trusted_domain","newsworthy_keywords:exploit,apt,campaign","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":["exploit","apt","campaign","phishing campaign"],"foundNonNewsworthy":[]}
Has External Source
true
Trusted Domain
true

Threat ID: 6853e38433c7acc046092042

Added to database: 6/19/2025, 10:16:36 AM

Last enriched: 6/19/2025, 10:16:49 AM

Last updated: 8/7/2025, 7:50:48 PM

Views: 20
