Gmail Hack Attacks Increasingly Sophisticated – Here’s What Businesses Need to Know

 The Threat

In the past few months, Google has warned that state-sponsored hackers, including the Russian-linked UNC6293 and Cozy Bear (APT29), have launched advanced phishing campaigns targeting Gmail users (atomicmail.io, as.com). These attackers are now bypassing traditional defences—even two-factor authentication—by mimicking official Google alerts such as:

  • Fake legal subpoenas or “security threats”
  • Emails signed with valid DKIM tokens and sent from no-reply@google.com
  • Links that redirect to credential-harvesting sites hosted on sites.google.com (atomicmail.io)

These highly convincing tactics make even technical and security-conscious users vulnerable.

 Why This Matters for Businesses

  • Credential theft can lead to full account takeover, exposing sensitive business data.
  • Supply chain risk: compromised Gmail accounts can be leveraged to hack clients and partners.
  • Compliance breaches: stolen data can result in GDPR, NDPR, or other regulatory violations.

 Recommended Defences

  1. Adopt passkeys and passwordless login
  2. Enforce 2-step verification (2SV) and app password hygiene
    • Remove unused app passwords. Educate staff to disable them when unused.
  3. Perform regular security drills
    • Simulated phishing campaigns and header analysis training.
    • Teach employees to check URLs meticulously and avoid hovering over suspicious links.
  4. Audit account activity continuously
    • Regularly review Gmail “last account activity” logs and remove unauthorized devices.
  5. Use advanced protection for high-value accounts
    • Enroll executives and IT admins in Google’s Advanced Protection Program.

 Tools & Tech You Can Integrate

  • SIEM alerts: Automate alerting on suspicious login events from Google Workspace.
  • Endpoint protection: Install tools that flag redirects from trusted domains like sites.google.com.
  • Training modules: Integrate phishing awareness into your LMS or knowledge portal.
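
A mail-triage check for the pattern described under "The Threat", added here as an example and not taken from the original article or any Google tooling: it flags a message that claims to come from no-reply@google.com, passes DKIM, and still links to a page on sites.google.com. The function name, the sample message and its header values are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hosts that serve user-created pages under a trusted parent domain (from the article).
USER_CONTENT_HOSTS = {"sites.google.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

def triage(raw: str) -> list[str]:
    """Return findings for one RFC 5322 message (illustrative helper, not a Google API)."""
    msg = message_from_string(raw)
    findings = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    auth = " ".join(msg.get_all("Authentication-Results") or []).lower()
    dkim_pass = bool(re.search(r"\bdkim=pass\b", auth))
    # Collect text from every text/* part, then pull out the link hosts.
    body = ""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            body += payload.decode(part.get_content_charset() or "utf-8", "replace")
    hosts = {(urlparse(u).hostname or "").lower() for u in URL_RE.findall(body)}
    risky = sorted(hosts & USER_CONTENT_HOSTS)

    if risky:
        findings.append("link to user-content host: " + ", ".join(risky))
    if sender.endswith("@google.com") and risky:
        findings.append("Google-branded sender links to user-built page")
        if dkim_pass:
            # A valid signature proves who signed, not that the content is benign.
            findings.append("dkim=pass does not clear this message")
    return findings

# Constructed sample message; every value below is made up for the example.
SAMPLE = """\
From: Google <no-reply@google.com>
To: user@example.com
Subject: Security alert
Authentication-Results: mx.example.com; dkim=pass header.d=google.com
Content-Type: text/plain; charset=utf-8

A subpoena was served on your account. Review the case:
https://sites.google.com/view/constructed-example/case
"""

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```

The same findings list can feed a mail-gateway rule or a header-analysis training exercise.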

 Real-World Case Highlight

Senior fellow Keir Giles of Chatham House fell victim after attackers impersonated U.S. government officials over weeks, demonstrating how even seasoned professionals can be compromised. Instagram CEO Adam Mosseri almost fell for the same scheme recently (thetimes.co.uk, atomicmail.io, nypost.com).


✨ How Velvot Can Help

We help enterprise clients implement:

  • Passwordless and MFA solutions (Passkeys, hardware tokens)
  • Regular phishing simulations and employee drills
  • Security audits and endpoint monitoring
  • Custom training modules, tailored to industry-specific risks and regulatory compliance

This isn’t just another phishing wave—it’s a wake-up call. Businesses must assume trusted channels can be compromised, and implement stronger authentication, continuous defence, and proactive training to secure their people, data, and reputation.

Book a free consultation or email us at gtm@velvot.com to get started.

Don’t wait for a breach — protect your business today.

 
