Gmail phishing delivered by APT28
Google's Threat Analysis Group (TAG) identified a large-scale phishing campaign targeting approximately 12,000 Gmail accounts. Google attributes the activity to APT28 (Fancy Bear), a group that public reporting links to the Russian government.
The objective was to steal credentials and/or active session tokens, either of which gives the attacker access to the victim's mailbox.
The lures imitated Google's own warnings that a government-backed attacker had attempted to compromise the account, and urged recipients to change their password through the supplied link. Example email:

The URL used by APT28 for credential harvesting follows this structure; the target's address travels in the usr parameter (presumably so the fake login form can be prefilled), and b carries additional data:
attacker_subdomain[.]hosting_provider.tld/?usr=target@gmail.com&b=data
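The URL structure above is specific enough to hunt for in proxy or DNS logs. The following is an added example, not code from the original report: it refangs defanged URLs, checks for the non-Google host plus usr=<address> plus b=<data> pattern, and returns which mailbox each hit was aimed at. The host names in the sample log lines are constructed placeholders, and the allow-list of legitimate Google sign-in hosts is an assumption for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Hosts that legitimately serve Google sign-in. Assumed allow-list for this
# example; any other host carrying a prefilled Gmail address is suspicious.
GOOGLE_LOGIN_HOSTS = {"accounts.google.com", "mail.google.com"}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def refang(text: str) -> str:
    """Undo the common defanging conventions used when sharing indicators."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def match_apt28_pattern(url: str):
    """Return the targeted address if the URL matches the reported structure
    (non-Google host, query carries usr=<email> and a `b` parameter),
    otherwise None."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    if not host or host in GOOGLE_LOGIN_HOSTS or host.endswith(".google.com"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    usr = params.get("usr", [""])[0]
    if "b" not in params or not EMAIL_RE.match(usr):
        return None
    return usr.lower()


def extract_targets(log_lines):
    """Scan proxy-style log lines and map each flagged URL to the mailbox
    it targets."""
    hits = {}
    for line in log_lines:
        for url in re.findall(r"https?://\S+", refang(line)):
            target = match_apt28_pattern(url)
            if target:
                hits[url] = target
    return hits


# Constructed sample log lines; the hosts are placeholders, not real indicators.
SAMPLE_PROXY_LOG = [
    "2016-01-01T10:00:00Z 10.0.0.5 GET http://update-account.hostingprovider.example/?usr=alice@gmail.com&b=ZGF0YQ==",
    "2016-01-01T10:00:05Z 10.0.0.5 GET https://accounts.google.com/ServiceLogin?usr=alice@gmail.com&b=x",
    "2016-01-01T10:00:09Z 10.0.0.7 GET http://cdn.hostingprovider.example/?usr=notanemail&b=1",
    "2016-01-01T10:00:12Z 10.0.0.9 GET hxxp://secure-login[.]hostingprovider[.]example/?usr=bob@gmail.com&b=ZGF0YQ==",
]

if __name__ == "__main__":
    for url, target in extract_targets(SAMPLE_PROXY_LOG).items():
        print(f"{target} <- {url}")
```

Only two of the four sample lines are flagged: the request to accounts.google.com is allowed through by the host check, and the line whose usr value is not an address fails the email check. Matching on the full triple (host, usr, b) rather than on usr alone keeps the false-positive rate down on log sources where email addresses appear in query strings for benign reasons.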
The phishing page is a near-exact copy of the Gmail login page; the visible difference is that it uses different fonts from the legitimate original:

Phishing messages were sent from compromised mail servers, and most of them therefore passed SPF (Sender Policy Framework) validation. This is expected rather than surprising: SPF only checks that the sending host is authorised by the envelope sender's domain, and a legitimate server that has been compromised is exactly such a host. An SPF pass must not be read as evidence that a message is benign. We tracked the campaign by correlating the sending infrastructure and sender-reputation signals across the observed messages.
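To make the point concrete, here is an added triage example (not code from the original report) that parses the Authentication-Results and From headers of a message and flags brand impersonation regardless of the SPF result: a lure claiming to be from Google but sent from an unrelated domain is marked suspicious even though spf=pass. The two raw messages are constructed samples, the sender domain compromised-host.example is a placeholder, and the brand-to-domain mapping is an assumption for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Brands the lure impersonates and the domains allowed to send for them.
# Assumed mapping for this example, not taken from the original report.
BRAND_DOMAINS = {
    "google": {"google.com"},
}


def parse_auth_results(header: str) -> dict:
    """Extract spf/dkim/dmarc results from an Authentication-Results value."""
    results = {}
    for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
        results[method.lower()] = result.lower()
    return results


def domain_belongs_to(domain: str, allowed: set) -> bool:
    """True if `domain` is one of the allowed domains or a subdomain of one."""
    return domain in allowed or any(domain.endswith("." + d) for d in allowed)


def triage(raw_message: str) -> dict:
    """Return a verdict and the reasons behind it for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    subject = (msg.get("Subject") or "").lower()

    reasons = []
    # Which brands does the visible part of the message claim to come from?
    claimed = [b for b in BRAND_DOMAINS
               if b in display_name.lower() or b in subject]
    for brand in claimed:
        if not domain_belongs_to(sender_domain, BRAND_DOMAINS[brand]):
            reasons.append(f"claims to be {brand} but From domain is {sender_domain}")
    # A real brand message should carry an aligned DMARC pass for its From domain.
    if claimed and auth.get("dmarc") != "pass":
        reasons.append("no DMARC pass for the From domain")

    return {
        "verdict": "suspicious" if reasons else "clean",
        "spf": auth.get("spf"),
        "dkim": auth.get("dkim"),
        "dmarc": auth.get("dmarc"),
        "reasons": reasons,
    }


# Constructed sample: a lure relayed through a compromised but legitimate server.
SAMPLE_LURE = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=webmaster@compromised-host.example; dkim=none; dmarc=none
From: "Google Accounts" <webmaster@compromised-host.example>
To: target@gmail.com
Subject: Warning: government-backed attackers may have tried to access your account
Content-Type: text/plain

We believe state-sponsored attackers attempted to compromise your account. Change your password now.
"""

# Constructed sample: a genuine security alert with aligned SPF, DKIM and DMARC.
SAMPLE_LEGIT = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=no-reply@accounts.google.com; dkim=pass header.d=accounts.google.com; dmarc=pass header.from=accounts.google.com
From: "Google" <no-reply@accounts.google.com>
To: target@gmail.com
Subject: Security alert
Content-Type: text/plain

New sign-in from Windows.
"""

if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("legit", SAMPLE_LEGIT)):
        print(name, triage(raw))
```

Both samples show spf=pass, yet only the lure is flagged, because the verdict rests on whether the claimed brand is backed by an authorised From domain and an aligned DMARC pass, not on SPF alone. The same check extends to any brand by adding entries to the mapping.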
The regions most affected by this particular campaign include the United States, United Kingdom, and India. Other notable regions include Canada, Russia, Brazil, and several European Union member states.

This campaign demonstrates that state-sponsored actors continue to rely on credential-harvesting phishing as a primary initial-access vector, particularly against high-value accounts spread across many countries. Organizations should treat unsolicited password-reset and security-alert messages with suspicion and enforce multi-factor authentication. Because this campaign also sought session tokens, phishing-resistant factors (FIDO2 security keys or passkeys, which are bound to the legitimate origin) are preferable to OTP codes or push prompts, which a phishing page that proxies the real login flow can relay in real time.