{"id":4131,"date":"2021-11-29T12:33:06","date_gmt":"2021-11-29T12:33:06","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=4131"},"modified":"2026-06-08T23:14:35","modified_gmt":"2026-06-08T23:14:35","slug":"apt28-gmail-phishing","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/apt28-gmail-phishing\/","title":{"rendered":"Gmail phishing delivered by APT28"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Google&#8217;s security team (<em><a href=\"https:\/\/blog.google\/threat-analysis-group\/\">Threat Analysis Group<\/a><\/em>) has identified a large-scale <strong>phishing campaign<\/strong> targeting approximately <strong>12 000 Gmail accounts<\/strong>. The research team attributes the attack to the <strong>APT28<\/strong> group (<strong>Fancy Bear<\/strong>), which, according to public analysis, operates on behalf of the Russian government.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The objective of the attack was to steal credentials and\/or session tokens for mailbox access. <br>The attackers sent fake compromise notifications, claiming the account had been the target of government-sponsored attacks, and asked users to update their passwords. 
Example email:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img decoding=\"async\" width=\"636\" height=\"170\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/11\/image-22.png\" alt=\"\" class=\"wp-image-4134\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/11\/image-22.png 636w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/11\/image-22-300x80.png 300w\" sizes=\"(max-width: 636px) 100vw, 636px\" loading=\"lazy\" \/><figcaption><strong>Fig. 1 &#8211; Phishing email text<\/strong><\/figcaption><\/figure><\/div>\n\n\n\n<p class=\"has-text-align-left wp-block-paragraph\">The URL used by APT28 for credential harvesting follows this structure:<\/p>\n\n\n\n<p class=\"has-text-align-center wp-block-paragraph\"><em>attacker_subdomain[.]hosting_provider.tld\/?usr=target@gmail.com&amp;b=data<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The phishing page, which looks almost identical to the Gmail login page, uses different fonts from the legitimate original:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img decoding=\"async\" width=\"773\" height=\"338\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/11\/image-25.png\" alt=\"\" class=\"wp-image-4149\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/11\/image-25.png 773w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/11\/image-25-300x131.png 300w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/11\/image-25-768x336.png 768w\" sizes=\"(max-width: 773px) 100vw, 773px\" loading=\"lazy\" \/><figcaption><strong>Fig. 
2 &#8211; Phishing Page<\/strong><\/figcaption><\/figure><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">Phishing messages were dispatched from compromised mail servers, the majority of which passed <strong>SPF<\/strong> (Sender Policy Framework) validation. We tracked this campaign using <a href=\"https:\/\/fortgale.com\/en\/cyber-threat-intelligence\/\">Cyber Threat Intelligence<\/a> methodologies to correlate infrastructure patterns and sender reputation signals across multiple vectors.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The regions most affected by this particular campaign include the United States, United Kingdom, and India. Other notable regions include Canada, Russia, Brazil, and several European Union member states.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img decoding=\"async\" width=\"547\" height=\"345\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/11\/image-23.png\" alt=\"\" class=\"wp-image-4137\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/11\/image-23.png 547w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/11\/image-23-300x189.png 300w\" sizes=\"(max-width: 547px) 100vw, 547px\" loading=\"lazy\" \/><figcaption><strong>Fig. 3 &#8211; Target distribution<\/strong><\/figcaption><\/figure><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">This campaign demonstrates the continued reliance of state-sponsored threat actors on credential harvesting via phishing as a primary initial access vector, particularly when targeting high-value accounts across geographically dispersed regions. 
Organizations should maintain heightened scrutiny of authentication requests and implement multi-factor authentication controls to mitigate the impact of compromised credentials.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>APT28 (Fancy Bear) Gmail phishing operation: lookalike domains, OAuth abuse, credential harvesting and target profiles consistent with Russian GRU TTPs.<\/p>\n","protected":false},"author":3,"featured_media":4137,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[1575,33,3333,1577,1579,3331,1581,3332,1441],"class_list":["post-4131","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-apt28-it","tag-apt28","tag-credential-harvesting","tag-fancy-bear-it","tag-gmail-it","tag-gmail-phishing","tag-google-it","tag-oauth-abuse","tag-phishing-it"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/4131","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=4131"}],"version-history":[{"count":10,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/4131\/revisions"}],"predecessor-version":[{"id":9918,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/4131\/revisions\/9918"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media\/4137"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=4131"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=4131"},{"taxonomy":"
post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=4131"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}