One of Eastern Europe’s most persistent cyber-espionage groups has significantly expanded its operations, introducing a new wave of phishing attacks specifically targeting Gmail users.
Security researchers have observed the UNC1151 threat actor – widely known as Ghostwriter – conducting large-scale credential theft campaigns designed not only to harvest usernames and passwords but also to capture two-factor authentication (2FA) codes. The development marks a notable escalation in the group’s capabilities and significantly increases the risk of successful account takeovers.
The findings were detailed by Poland’s national cybersecurity incident response team, CERT Polska, which has monitored the group’s activities for years. While UNC1151 has historically targeted users of local Polish email providers, researchers report that since March 2026 the group has increasingly focused on Gmail accounts, launching phishing operations almost daily.
The campaign demonstrates how cybercriminals and state-aligned threat actors continue adapting their tactics to overcome modern security controls and gain access to high-value targets.
Why This Campaign Matters
For many organizations and individuals, Gmail serves as the gateway to an entire digital ecosystem.
Compromising a Gmail account can provide attackers with access to:
- Confidential communications
- Contact networks
- Cloud-stored documents
- Business correspondence
- Password recovery mechanisms
- Social media accounts
- Collaboration platforms
- Government and institutional resources
Unlike traditional phishing campaigns that stop at stealing passwords, UNC1151’s latest operation is designed to intercept authentication codes as victims attempt to log in.
This effectively neutralizes one-time-code MFA, one of the most widely adopted security protections in use today.
Who Is Being Targeted?
According to investigators, the targeting scope remains exceptionally broad.
Observed targets include:
- Government officials
- Political figures
- Journalists
- Researchers
- Public administration personnel
- Law enforcement employees
- Civil society representatives
- Individuals connected to these groups through professional or personal relationships
Researchers also noted that attackers frequently attempt to guess email addresses, meaning phishing emails can sometimes reach unintended recipients who simply share similar names with the intended target.
Campaigns have additionally targeted specific professional communities, including translators and court experts.
How the Attack Works
The attack chain follows a carefully crafted social engineering process.
Victims receive emails impersonating Gmail security notifications. The messages typically claim:
- Suspicious account activity
- Unauthorized login attempts
- Security violations
- Account verification requirements
- Imminent account suspension
The emails create urgency by warning users that their accounts may be blocked or permanently disabled unless immediate action is taken.
Recipients are then encouraged to click a link directing them to a fake Gmail login page.
At first glance, the phishing site closely resembles Google’s legitimate authentication portal.
Once victims enter their email address and password, the stolen credentials are immediately transmitted to the attackers.
However, the most concerning feature appears in the next stage.
If the account is protected by multi-factor authentication, the phishing page presents an additional prompt requesting the verification code.
This allows attackers to harvest:
- SMS-based one-time passwords
- Authentication application codes
- Temporary verification tokens
The captured information can then be used in real time to access the victim’s account.
Infrastructure Designed for Scale
The campaign relies on a constantly changing infrastructure.
Researchers observed threat actors rapidly deploying phishing pages using:
- Newly registered domains
- Hosting abuse platforms
- Compromised websites
- Dynamic phishing subdomains
Many of the malicious domains use top-level domains such as:
- .digital
- .icu
- .top
The attackers have also abused hosting services that allow users to create custom subdomains, making detection and takedown efforts more challenging.
Another notable tactic involves hosting phishing pages on legitimate websites that were previously compromised through exploited vulnerabilities.
Because the primary website content often remains unchanged, site owners may remain unaware that malicious content is being hosted within their infrastructure.
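As an added, defender-side example that is not part of CERT Polska's report or this article: a small URL triage routine that applies the indicators described above (the .digital/.icu/.top extensions, Google branding on non-Google domains, brand names in custom subdomains of third-party hosts, and account-verification lure wording) to constructed proxy log lines. All hostnames except Google's own, and the log format, are placeholders invented for the example.

```python
import re
from urllib.parse import urlparse

# Domain extensions CERT Polska saw the campaign use (from the article).
SUSPICIOUS_TLDS = {"digital", "icu", "top"}
# Registrable domains from which Google legitimately serves Gmail sign-in.
LEGIT_GOOGLE_DOMAINS = {"google.com", "gmail.com"}
BRAND_WORDS = ("gmail", "google")
LURE_WORDS = ("verify", "secure", "signin", "login", "suspend")

def registrable_domain(host):
    """Last two labels of a hostname (enough for the TLDs handled here)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def assess_url(url):
    """Return the reasons a URL looks like a Gmail-impersonating lure (empty = none)."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    base = registrable_domain(host)
    if base in LEGIT_GOOGLE_DOMAINS:
        return []                                  # genuine Google property
    reasons = []
    subdomain = host[:-len(base)].rstrip(".")      # labels left of the registrable domain
    brand_in_host = any(w in host for w in BRAND_WORDS)
    if brand_in_host:
        reasons.append("Google brand on non-Google domain " + base)
    if any(w in subdomain for w in BRAND_WORDS):   # abuse of custom-subdomain hosting
        reasons.append("brand in custom subdomain of third-party host " + base)
    tld = base.rsplit(".", 1)[-1]
    if tld in SUSPICIOUS_TLDS:
        reasons.append("." + tld + " extension seen in campaign")
    if brand_in_host and any(w in parsed.path.lower() for w in LURE_WORDS):
        reasons.append("account-verification lure wording in path")
    return reasons

def scan_proxy_log(lines):
    """Return (url, reasons) for every log line whose URL is flagged."""
    urls = [m.group(0) for m in (re.search(r"https?://\S+", l) for l in lines) if m]
    return [(u, assess_url(u)) for u in urls if assess_url(u)]

# Constructed sample proxy log lines; non-Google hostnames are placeholders, not real indicators.
SAMPLE_LOG = [
    "2026-03-14T09:12:01Z user1 GET https://accounts.google.com/signin/v2/identifier",
    "2026-03-14T09:13:44Z user2 GET https://gmail-security-verify.example-lure.top/account/verify",
    "2026-03-14T09:15:10Z user3 GET https://gmail-login.free-pages-example.net/",
    "2026-03-14T09:16:02Z user4 GET https://news.example.org/article/123",
]
```

`scan_proxy_log(SAMPLE_LOG)` returns the two lure URLs together with the reasons each tripped, while the genuine Google sign-in URL and the unrelated news site pass clean.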
A Growing Threat Beyond Poland
Although the campaign has primarily been observed targeting Polish-speaking users, its tactics are globally relevant.
The phishing methodology requires no region-specific infrastructure and can easily be adapted to target users in Europe, the Middle East, Africa, Asia, or the Americas.
Organizations worldwide should view this campaign as an indicator of broader trends in modern phishing operations:
- More convincing impersonation techniques
- Increased use of legitimate services
- Real-time credential interception
- Multi-factor authentication bypass attempts
- Continuous infrastructure rotation
For enterprises undergoing digital transformation, these developments highlight the importance of combining technology controls with user education and proactive threat monitoring.
Organizations seeking advanced phishing defense strategies should strengthen their cybersecurity posture through continuous monitoring, user awareness initiatives, and identity protection programs.
Industry Implications
The UNC1151 campaign demonstrates a critical reality facing defenders today:
Multi-factor authentication remains essential, but it is no longer sufficient when users can be tricked into providing authentication codes directly to attackers.
Cybersecurity teams must increasingly adopt phishing-resistant authentication methods such as:
- Passkeys
- Hardware security keys
- FIDO2 authentication
- Conditional access controls
- Risk-based authentication
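Added example, not from the article or CERT Polska: a model of why a passkey/FIDO2 assertion survives the real-time relay described above while a one-time code does not. The browser, not the web page, writes the origin it is actually connected to into the signed client data, so an assertion produced while the user sits on a lure origin fails the relying party's origin check before the signature is even considered. The HMAC key stands in for the credential's asymmetric key pair so the example runs with the standard library; the lure origin is constructed.

```python
import hashlib
import hmac
import json
import secrets

# Stand-in for the credential's private key. Real WebAuthn/FIDO2 uses a
# per-site asymmetric key pair; an HMAC key is used here only so the
# example runs without third-party libraries.
CREDENTIAL_KEY = secrets.token_bytes(32)
RP_ORIGIN = "https://accounts.google.com"         # the genuine service
LURE_ORIGIN = "https://login-verify.example.top"  # constructed phishing origin

def authenticator_sign(browser_origin, challenge):
    """Model of browser + authenticator: the browser fills in the origin it
    is really talking to (the page cannot change it) and the authenticator
    signs over that client data."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": browser_origin}, sort_keys=True).encode()
    digest = hashlib.sha256(client_data).digest()
    return client_data, hmac.new(CREDENTIAL_KEY, digest, hashlib.sha256).digest()

def rp_verify(expected_origin, issued_challenge, client_data, sig):
    """Relying-party checks, in the order WebAuthn prescribes: ceremony type,
    origin, challenge, then signature. A relayed assertion dies at origin."""
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if data.get("origin") != expected_origin:
        return False, "origin mismatch: signed for " + str(data.get("origin"))
    if not hmac.compare_digest(str(data.get("challenge", "")), issued_challenge):
        return False, "challenge mismatch"
    expected_sig = hmac.new(CREDENTIAL_KEY, hashlib.sha256(client_data).digest(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected_sig):
        return False, "bad signature"
    return True, "ok"

def login_from(origin_user_is_on):
    """One login ceremony. The challenge is the RP's; if the user is on a lure
    page that relays it, the authenticator still signs the lure's origin."""
    challenge = secrets.token_urlsafe(32)
    client_data, sig = authenticator_sign(origin_user_is_on, challenge)
    return rp_verify(RP_ORIGIN, challenge, client_data, sig)
```

`login_from(RP_ORIGIN)` succeeds, `login_from(LURE_ORIGIN)` is rejected with an origin mismatch; a six-digit OTP typed into the same lure page carries no origin and would have been accepted.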
The incident also underscores the growing importance of cyber awareness training. Human error remains one of the most exploited attack vectors despite advances in security technology.
Organizations investing in regular security awareness training and cybersecurity education programs are often better positioned to detect and stop sophisticated phishing attempts before damage occurs.
10 Recommended Actions for Security Teams
1. Deploy Phishing-Resistant MFA
Move beyond SMS and traditional OTP-based authentication wherever possible.
2. Adopt Passkeys and Hardware Tokens
Implement FIDO2-compatible authentication mechanisms for privileged accounts.
3. Increase Email Security Monitoring
Enhance detection capabilities for impersonation and credential-harvesting campaigns.
4. Train Users to Verify URLs
Encourage employees to inspect domains before entering credentials.
5. Implement Conditional Access Policies
Restrict account access based on device trust, geography, and risk indicators.
6. Monitor for Credential Exposure
Use threat intelligence and dark web monitoring services to identify compromised accounts.
7. Conduct Regular Phishing Simulations
Test employee readiness through controlled phishing exercises.
8. Strengthen Incident Response Procedures
Ensure rapid containment plans exist for account takeover incidents.
9. Audit Third-Party Integrations
Review connected applications and delegated permissions within cloud environments.
10. Establish Continuous Security Awareness Programs
Security education should be an ongoing process rather than a one-time event.
For additional insights into evolving phishing threats, identity security, and cyber defense trends, readers can explore related cybersecurity coverage published on CyberCory and industry security advisories.
Conclusion
The latest Gmail-focused operation attributed to UNC1151 represents a significant evolution in phishing-based account compromise techniques. By combining convincing Gmail impersonation with real-time interception of two-factor authentication codes, the group has demonstrated how attackers continue adapting to bypass modern security controls.
While the campaign currently appears concentrated around Polish targets, the techniques employed are universally applicable and should serve as a warning for organizations worldwide.
As phishing attacks become increasingly sophisticated, cybersecurity leaders must look beyond passwords and traditional MFA, embracing phishing-resistant authentication, continuous monitoring, and comprehensive security awareness programs to stay ahead of evolving threats.
Information analyzed and independently reported using findings released by CERT Polska’s threat monitoring and incident response teams.