
Netcrook



A Gmail Phish That Hunts for the Second Factor, Not Just the Password

Published: 16 June 2026 12:42 | Category: Security Awareness & Social Engineering | Geo: North America / USA | Author: PATCHKNIGHT

A reported UNC1151 Ghostwriter campaign puts a familiar weak point back under the microscope: code-based 2FA can still be trapped by a convincing fake login flow.

When a phishing kit is built to capture both a password and a one-time code, the target is not just an inbox. It is the trust chain behind the account. In this case, the reported shift toward Gmail users matters because email remains the recovery hub for countless other services, from banking to social platforms to internal work tools.

The attribution to UNC1151, also tracked as Ghostwriter, should be treated carefully. The label is part of the available information, not independently verified here. What is technically important is the method: a credential-harvesting lure aimed at users who rely on a second factor that can be manually typed into a fake login page.

Fast Facts

  • The campaign is described as targeting Gmail users.
  • The lure is reported to seek 2FA credentials, not only passwords.
  • The activity is said to have begun in March 2026.
  • Earlier targets named in the coverage include Onet, Wirtualna Polska, and Interia.
  • Phishing-resistant options like passkeys and security keys are designed to block this kind of relay attack.

Why this kind of phish still works

The core weakness is simple: a code that a human can type can also be relayed by an impostor. NIST classifies manually entered one-time passwords as not phishing-resistant because an attacker can impersonate the verifier and collect the code in real time. That is the difference between ordinary 2FA and authentication that is built to resist phishing.

From a defender’s perspective, the attack path is familiar. A user lands on a lookalike sign-in page, enters a password, and then types in a verification code. A typed code is valid for a short window (30 seconds per step for a standard TOTP) and carries no information about the page it was typed into, so a kit that relays the session live can forward the password and the code to the real service and complete the login before the code expires. The available information does not prove that this specific campaign succeeded, but it does highlight the risk profile of code-based 2FA.

Google’s guidance points users toward security keys and passkeys as the strongest protection against phishing for Google accounts. That matters because these methods bind the login to the legitimate site: the browser includes the origin it actually loaded in the data the authenticator signs, and the credential itself is scoped to the real domain, so a response produced on a lookalike page is rejected by the real service and cannot be replayed. For high-risk users, the practical lesson is not simply to “enable 2FA,” but to choose a phishing-resistant form of it.
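The two flows contrasted in the preceding paragraphs, as an added simulation that is not part of the original article and not code from Google or from the reported campaign. It runs a real RFC 6238 TOTP against a constructed service, shows that a live relay from a lookalike page logs in, then models the origin binding that WebAuthn-style passkeys rely on and shows the same relay failing. The user, seeds, origins and service classes are all assumptions constructed for the example; the passkey side uses an HMAC key shared at registration in place of a public-key signature so it runs with only the standard library, which is a simplification of the protocol, not the protocol itself.

```python
import hashlib
import hmac
import json
import secrets
import struct

# Constructed example data: made-up user and origins.
REAL_ORIGIN = "https://accounts.example.com"
PHISH_ORIGIN = "https://accounts.example.com.login-verify.example"  # lookalike host
USER = "victim@example.com"


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamic truncation."""
    counter = struct.pack(">Q", int(now // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class PasswordPlusTotpService:
    """The real service with ordinary 2FA: password plus a typed TOTP code."""

    def __init__(self):
        self.users = {}

    def enroll(self, user, password, seed):
        self.users[user] = (hashlib.sha256(password.encode()).hexdigest(), seed)

    def login(self, user, password, code, now):
        pw_hash, seed = self.users[user]
        password_ok = hmac.compare_digest(pw_hash, hashlib.sha256(password.encode()).hexdigest())
        # Accept the current and previous step to tolerate clock skew, as many verifiers do.
        code_ok = any(hmac.compare_digest(code, totp(seed, now - d)) for d in (0, 30))
        return password_ok and code_ok


def relay_totp_attack(now=1_700_000_000.0):
    """Victim types password and code into the fake page; the kit forwards both at once."""
    service = PasswordPlusTotpService()
    seed = secrets.token_bytes(20)
    service.enroll(USER, "correct horse battery staple", seed)
    typed = {"password": "correct horse battery staple", "code": totp(seed, now)}
    # Nothing in the code says where it was typed, so the relay succeeds within the window.
    return service.login(USER, typed["password"], typed["code"], now + 5)


class OriginBoundService:
    """WebAuthn-style login: the signed client data names the origin the browser loaded,
    and the service accepts only its own origin. Simplification: HMAC stands in for the
    authenticator's public-key signature."""

    def __init__(self, origin):
        self.origin = origin
        self.keys = {}
        self.pending = {}

    def register(self, user, key):
        self.keys[user] = key

    def begin_login(self, user):
        self.pending[user] = secrets.token_hex(16)
        return self.pending[user]

    def finish_login(self, user, client_data, signature):
        expected = self.pending.pop(user, None)
        data = json.loads(client_data)
        if expected is None or not hmac.compare_digest(data.get("challenge", ""), expected):
            return False
        if data.get("origin") != self.origin:  # the check a relay from a lookalike cannot pass
            return False
        mac = hmac.new(self.keys[user], client_data.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(mac, signature)


def authenticator_sign(key, challenge, browser_origin):
    """The browser assembles client data from the challenge and its real origin; the
    authenticator signs the whole blob, so the origin field cannot be edited afterward."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin}, sort_keys=True)
    return client_data, hmac.new(key, client_data.encode(), hashlib.sha256).hexdigest()


def legit_passkey_login():
    service = OriginBoundService(REAL_ORIGIN)
    key = secrets.token_bytes(32)
    service.register(USER, key)
    challenge = service.begin_login(USER)
    client_data, sig = authenticator_sign(key, challenge, REAL_ORIGIN)
    return service.finish_login(USER, client_data, sig)


def relay_passkey_attack():
    """Same relay: attacker starts a login, forwards the real challenge to the victim on
    the lookalike origin, and submits whatever comes back, then tries patching the origin."""
    service = OriginBoundService(REAL_ORIGIN)
    key = secrets.token_bytes(32)
    service.register(USER, key)
    challenge = service.begin_login(USER)
    client_data, sig = authenticator_sign(key, challenge, PHISH_ORIGIN)  # signed on the fake page
    if service.finish_login(USER, client_data, sig):
        return True
    service.pending[USER] = challenge  # re-arm the same challenge for the second attempt
    forged = client_data.replace(PHISH_ORIGIN, REAL_ORIGIN)  # breaks the signature
    return service.finish_login(USER, forged, sig)
```

`relay_totp_attack()` returns True and `relay_passkey_attack()` returns False; `totp(b"12345678901234567890", 59)` reproduces the RFC 4226 test vector for counter 1, `287082`. In a real browser the protection is stronger than the simulation shows: the credential is scoped to the relying party's domain, so the authenticator would not even produce an assertion for the lookalike host, and the origin check here is the last line of defence rather than the first.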

The broader defensive concern is downstream access. If a mailbox is compromised, an attacker may be able to read messages, monitor resets, and use the account as a launch point for further impersonation. That is why email compromise is often an access problem, not just a privacy problem.

At the time of writing, public information has not fully established the technical root cause, the complete scope of affected users, or whether any downstream systems were compromised. The available evidence supports a risk analysis, not a definitive claim of successful theft.

Conclusion

The lesson is uncomfortable but clear: “2FA enabled” is not always the same as “phishing resistant.” Attackers do not need to defeat every control if they can trick a user into handing over a code in real time. For anyone protecting a valuable inbox, the real upgrade is moving from typed codes to cryptographic login methods that a fake site cannot reuse.

TECHCROOK

hardware security key: A small USB, NFC, or Bluetooth authenticator that supports phishing-resistant login for compatible accounts and services. It is a practical upgrade for email, password managers, and other high-value accounts because it avoids typing one-time codes into a webpage. Keep a backup key stored separately in case the primary device is lost or damaged.

Techcrook sheet: hardware security key

WIKICROOK

  • Phishing: A social engineering attack that impersonates a trusted service to steal credentials or codes.
  • 2FA: Two-factor authentication, where a second proof is required after a password.
  • OTP: One-time password, a short-lived code often used as a second authentication factor.
  • Passkey: A phishing-resistant login credential that uses cryptographic keys instead of shared secrets.
  • Security key: A hardware authenticator that proves identity with a cryptographic response bound to the real site, so there is no code to type into a fake page.