Advanced Phishing Evolution: UNC1151 Targets Gmail with Real-Time 2FA Interception
The threat actor known as Ghostwriter (UNC1151) has significantly upgraded its operational capabilities, moving beyond localized phishing to run sophisticated, high-volume campaigns against Gmail users. According to a recent technical analysis by CERT Polska, the group now deploys highly convincing counterfeit Gmail login pages built to defeat one-time-code multi-factor authentication (MFA): the pages do not merely collect passwords, they relay the second factor to Google while it is still valid.
Historically, UNC1151 has maintained a narrow focus on Polish-specific email providers such as Onet, Wirtualna Polska, and Interia. However, starting in March 2026, there has been a strategic shift toward broad-spectrum Gmail targeting, signaling an intent to expand their influence across a wider demographic of high-value targets.
The Anatomy of the Attack: Social Engineering and Delivery
The campaign relies on professionally crafted, Polish-language emails that leverage psychological triggers—specifically urgency and fear. Common themes include notifications of “suspicious activity” or “imminent account suspension.” To maximize reach while minimizing the footprint for security researchers, the attackers frequently utilize the BCC (Blind Carbon Copy) mechanism, allowing them to blast large batches of recipients without exposing the recipient list.
Delivery methods vary between newly registered Gmail accounts and compromised legitimate mailboxes. In the latter case, attackers often manipulate the “Display Name” to impersonate trusted entities, a tactic designed to bypass the initial skepticism of even cautious users. The high linguistic quality of these messages removes the typical “broken English” red flags that many users have been trained to look for.

Technical Breakthrough: Real-Time 2FA Harvesting
The most critical technical advancement in these recent campaigns is the interception of Two-Factor Authentication (2FA) codes in real time. The phishing workflow is no longer a static credential harvester; it acts as a live proxy for the authentication process.
Once a victim enters their email address and password into the fraudulent site, the backend infrastructure takes one of two actions, depending on how Google responds:
- Automated Login: The attacker's server immediately uses the stolen credentials to attempt a live login to the genuine Google service.
- Active Prompting: When Google challenges that login for a second factor, the fake interface presents a secondary screen requesting the one-time password (OTP) delivered by SMS or generated by an authenticator app (such as Google Authenticator), and the backend submits it to Google.
Because a TOTP code is valid only for its 30-second time step (plus whatever clock tolerance the server allows), the relay has to be fast, and the automated backend makes it fast. By forwarding the code within that window, UNC1151 completes the genuine login and neutralizes standard TOTP (Time-based One-Time Password) and SMS-based protections, which verify only that the code is correct, not who typed it or on which page.
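The following model, added here as an example and not taken from the CERT Polska report or from any phishing kit, shows why the relay described above works against TOTP and why it fails against an origin-bound FIDO2/WebAuthn credential (the defense recommended later on this page). The TOTP part follows RFC 6238 (HMAC-SHA1, 30-second step, 6 digits). The WebAuthn part is a simplified model: an HMAC keyed with a per-credential secret stands in for the authenticator's ECDSA signature, but it covers the same fields a real assertion signs, rpIdHash || SHA-256(clientDataJSON), which is where the origin is carried. The RP ID, origin, challenge encoding and key values are assumptions for the demonstration.

```python
"""
Why a relayed TOTP code is accepted and an origin-bound WebAuthn assertion is not.
Added example; not code from the CERT Polska report or any phishing kit.
TOTP: RFC 6238 (HMAC-SHA1, 30 s step, 6 digits).
WebAuthn: simplified model, HMAC stands in for the authenticator's ECDSA signature.
"""
import hashlib
import hmac
import json
import struct

TOTP_STEP = 30
TOTP_DIGITS = 6


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226 dynamic truncation) over the 30-second counter."""
    counter = unix_time // TOTP_STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** TOTP_DIGITS).zfill(TOTP_DIGITS)


def service_verify_totp(secret: bytes, submitted: str, now: int, skew_steps: int = 1) -> bool:
    """The genuine service checks only the shared secret and its clock (with a
    +/- skew_steps tolerance). Nothing in the code says who typed it or where."""
    return any(hmac.compare_digest(totp(secret, now + k * TOTP_STEP), submitted)
               for k in range(-skew_steps, skew_steps + 1))


def relay_totp(secret: bytes, victim_time: int, relay_delay_s: int) -> bool:
    """Victim types the code into the fake page at victim_time; the phishing
    backend submits it to the real service relay_delay_s seconds later."""
    code_from_victim = totp(secret, victim_time)
    return service_verify_totp(secret, code_from_victim, victim_time + relay_delay_s)


# --- WebAuthn model (assumed RP ID and origin for the demonstration) ----------
RP_ID = "google.com"
EXPECTED_ORIGIN = "https://accounts.google.com"


def browser_get_assertion(cred_key: bytes, page_origin: str, challenge: bytes):
    """Simplified navigator.credentials.get(). The browser refuses to use the
    credential unless the page host is RP_ID or a subdomain of it; when it
    agrees, the authenticator signs rpIdHash || sha256(clientDataJSON), and
    clientDataJSON records the origin the browser actually saw."""
    host = page_origin.partition("://")[2].split("/", 1)[0]
    if host != RP_ID and not host.endswith("." + RP_ID):
        return None  # a lookalike host never obtains a signature at all
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": page_origin}, sort_keys=True).encode()
    rp_id_hash = hashlib.sha256(RP_ID.encode()).digest()
    signed = rp_id_hash + hashlib.sha256(client_data).digest()
    return {"clientDataJSON": client_data, "rpIdHash": rp_id_hash,
            "signature": hmac.new(cred_key, signed, hashlib.sha256).digest()}


def service_verify_assertion(cred_key: bytes, assertion, challenge: bytes) -> bool:
    """Relying-party checks: type, challenge, origin, rpIdHash, then the
    signature over exactly the bytes the authenticator signed."""
    if assertion is None:
        return False
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge.hex():
        return False
    if cd.get("origin") != EXPECTED_ORIGIN:  # the check a proxy page cannot satisfy
        return False
    if assertion["rpIdHash"] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = assertion["rpIdHash"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    return hmac.compare_digest(hmac.new(cred_key, signed, hashlib.sha256).digest(),
                               assertion["signature"])


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret
    print("TOTP relayed after 10 s accepted :", relay_totp(secret, 1_700_000_000, 10))
    print("TOTP relayed after 120 s accepted:", relay_totp(secret, 1_700_000_000, 120))
    key, ch = b"per-credential-key", b"server-random-challenge"
    print("WebAuthn on accounts.google.com  :",
          service_verify_assertion(key, browser_get_assertion(key, EXPECTED_ORIGIN, ch), ch))
    print("WebAuthn on mailverify.digital   :",
          service_verify_assertion(key, browser_get_assertion(key, "https://mailverify.digital", ch), ch))
```

The TOTP path succeeds with a 10-second relay and fails only once the relay is slower than the code's validity window, which an automated backend never is. The WebAuthn path fails twice over: the browser will not exercise a credential for an origin outside the RP ID, and even an assertion obtained some other way would carry the wrong origin in the signed client data.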

Infrastructure and Domain Churn
To evade reputation-based filtering and domain blocklists, UNC1151 runs a highly agile infrastructure characterized by rapid "domain churn." Its ecosystem includes:
- Low-Cost TLDs: Frequent use of inexpensive top-level domains such as .icu, .digital, and .top.
- Subdomain Abuse: Leveraging permissive cloud hosting platforms, specifically *.netlify.app, to host malicious scripts.
- Compromised Legitimate Sites: Exploiting vulnerabilities in small, often under-secured Polish organizational websites to host phishing pages, so that the URL appears trustworthy.
Observed domains include mailverify.digital, verify-check.digital, and monitoring-google-konta.netlify.app. CERT Polska notes that these assets are often rotated daily to stay ahead of takedown efforts.
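The patterns above (cheap TLDs, free *.netlify.app subdomains, brand and "verification" words in the label) are easy to turn into a first-pass triage filter for a feed of new domains, for instance from certificate transparency logs or passive DNS. The script below is an added example, not CERT Polska tooling: the weights, word lists and the candidate list are assumptions to tune against your own traffic, and the three observed domains are included alongside constructed benign ones to show that the threshold separates them.

```python
"""
Heuristic triage of candidate domains against the infrastructure patterns in
the CERT Polska findings. Added example; weights and word lists are assumptions.
"""
from dataclasses import dataclass, field

CHEAP_TLDS = {"icu", "digital", "top"}        # TLDs named in the report
ABUSED_SUFFIXES = {"netlify.app"}              # hosting where subdomains are free
BRAND_WORDS = {"google", "gmail"}
LURE_WORDS = {"verify", "check", "monitoring", "konto", "konta", "mail",
              "login", "secure", "account"}
LEGITIMATE = {"google.com", "gmail.com"}       # the brand's own registrable domains
FLAG_THRESHOLD = 4                             # assumed; tune on your own feed

# Constructed candidate list: the three observed domains plus benign hosts.
CANDIDATES = [
    "accounts.google.com", "mailverify.digital", "docs.netlify.app",
    "verify-check.digital", "onet.pl", "monitoring-google-konta.netlify.app",
]


@dataclass
class Verdict:
    domain: str
    score: int = 0
    reasons: list = field(default_factory=list)


def split_host(fqdn):
    """Return (owner_labels, registrable, tld). Deliberately naive: the last
    label is the TLD unless the host sits under an abused hosting suffix. A
    production version would use the Public Suffix List."""
    labels = fqdn.lower().strip(".").split(".")
    for suffix in ABUSED_SUFFIXES:
        n = len(suffix.split("."))
        if ".".join(labels[-n:]) == suffix and len(labels) > n:
            return labels[:-n], suffix, labels[-1]
    return labels[:-1], ".".join(labels[-2:]), labels[-1]


def score_domain(fqdn):
    v = Verdict(fqdn)
    owner, registrable, tld = split_host(fqdn)
    if registrable in LEGITIMATE:
        return v                               # the brand's own domain: nothing to flag
    joined = "-".join(owner)                   # labels the registrant controls
    if registrable in ABUSED_SUFFIXES:
        v.score += 3
        v.reasons.append(f"subdomain of {registrable}")
    if tld in CHEAP_TLDS:
        v.score += 2
        v.reasons.append(f"cheap TLD .{tld}")
    for word in sorted(BRAND_WORDS):
        if word in joined:
            v.score += 3
            v.reasons.append(f"brand word '{word}' outside the brand's own domains")
            break
    lures = sorted(w for w in LURE_WORDS if w in joined)
    if lures:
        v.score += min(len(lures), 3)
        v.reasons.append("lure words: " + ", ".join(lures))
    if "-" in joined:
        v.score += 1
        v.reasons.append("hyphenated label")
    return v


def triage(candidates):
    """Verdicts at or above the threshold, in input order."""
    return [v for v in (score_domain(d) for d in candidates) if v.score >= FLAG_THRESHOLD]


if __name__ == "__main__":
    for verdict in triage(CANDIDATES):
        print(f"{verdict.score:>2}  {verdict.domain:40} {'; '.join(verdict.reasons)}")
```

Note that a bare netlify.app subdomain scores 3 on its own and is not flagged; only the combination with brand or lure words crosses the threshold, which keeps the filter from reporting every legitimate Netlify site. Hits still need a fetch of the page (in a sandbox) before anyone blocks or reports them.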
Targeting Profiles and Strategic Intent
The threat actor’s selection process is both broad and surgically precise. Primary targets include:
- Political actors and public officials.
- Journalists and researchers.
- Law enforcement personnel.
- Professionals in specific niches, such as legal experts and translators.
In some instances, the group engages in “spray and pray” tactics, guessing email addresses based on common name patterns, which results in collateral damage to unrelated individuals.
Defensive Recommendations
The evolution of UNC1151 highlights a fundamental truth in modern cybersecurity: not all 2FA is created equal. SMS codes and authenticator-app TOTP codes are bearer secrets; anyone who obtains one within its validity window can use it, so they are vulnerable to real-time interception via proxy-based phishing.
For Organizations:
- Implement Phishing-Resistant MFA: Transition to hardware security keys (e.g., YubiKey) or passkeys using the FIDO2/WebAuthn standard. The credential is bound to the origin: the browser only exercises it on the registered domain, and the signed response carries the origin the browser saw, so a lookalike site cannot obtain a usable assertion even with a live proxy.
- Domain Monitoring: Deploy automated workflows to detect and report lookalike or typosquatting domains, including subdomains on free hosting platforms.
- Anomaly Detection: Monitor for unusual login patterns, such as "impossible travel" or a successful login followed within minutes by a sensitive configuration change (for example, a new mail forwarding rule, a changed recovery address, or a newly enrolled MFA method), especially from an IP address the account has not used before.
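The two detections named above, run over a constructed audit trail, as an added example rather than any vendor's rule set: the event schema, thresholds and sample events are assumptions, not a Google Workspace export format. The impossible-travel rule compares consecutive successful logins by great-circle distance over elapsed time; the second rule fires when a sensitive change follows a login from a previously unseen IP within a short window.

```python
"""
Impossible travel and post-login configuration change detection over a
constructed login/audit trail. Added example; schema and thresholds assumed.
"""
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900                      # airliner speed; tune for your users
CONFIG_CHANGE_WINDOW = timedelta(minutes=15)
SENSITIVE_EVENTS = {
    "forwarding_rule_created", "recovery_email_changed",
    "app_password_created", "mfa_method_added",
}

# Constructed sample events (not real logs): documentation IP ranges, UTC times.
SAMPLE_EVENTS = [
    {"ts": "2026-03-10T08:55:00+00:00", "user": "anna@example.org", "event": "login_success",
     "ip": "198.51.100.7", "lat": 52.23, "lon": 21.01},
    {"ts": "2026-03-10T09:00:00+00:00", "user": "jan@example.org", "event": "login_success",
     "ip": "203.0.113.5", "lat": 52.23, "lon": 21.01},
    {"ts": "2026-03-10T09:20:00+00:00", "user": "jan@example.org", "event": "login_success",
     "ip": "192.0.2.44", "lat": 40.71, "lon": -74.01},
    {"ts": "2026-03-10T09:25:00+00:00", "user": "jan@example.org",
     "event": "forwarding_rule_created", "ip": "192.0.2.44"},
    {"ts": "2026-03-10T10:30:00+00:00", "user": "anna@example.org",
     "event": "recovery_email_changed", "ip": "198.51.100.7"},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (mean Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect(events, known_ips=None):
    """Return a list of alert dicts. known_ips seeds each user's IP baseline
    from history; without it, a user's first login in the batch counts as a
    new IP, which is the right default for a cold start but noisy in steady state."""
    known_ips = {u: set(ips) for u, ips in (known_ips or {}).items()}
    last_login = {}
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts, user = datetime.fromisoformat(e["ts"]), e["user"]
        if e["event"] == "login_success":
            prev = last_login.get(user)
            if prev is not None:
                hours = (ts - prev["when"]).total_seconds() / 3600
                km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
                if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
                    alerts.append({"rule": "impossible_travel", "user": user, "ts": e["ts"],
                                   "ip": e["ip"], "km": round(km), "minutes": round(hours * 60)})
            seen = known_ips.setdefault(user, set())
            last_login[user] = {"when": ts, "lat": e["lat"], "lon": e["lon"],
                                "ip": e["ip"], "new_ip": e["ip"] not in seen}
            seen.add(e["ip"])
        elif e["event"] in SENSITIVE_EVENTS:
            prev = last_login.get(user)
            if prev and prev["new_ip"] and ts - prev["when"] <= CONFIG_CHANGE_WINDOW:
                alerts.append({"rule": "post_login_config_change", "user": user, "ts": e["ts"],
                               "ip": e["ip"], "change": e["event"],
                               "minutes_after_login": round((ts - prev["when"]).total_seconds() / 60)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In the sample, jan@example.org logs in from Warsaw and twenty minutes later from New York (roughly 6,850 km apart), then creates a forwarding rule five minutes after that second login; both rules fire. anna@example.org changes her recovery address 95 minutes after a login from the same address and triggers nothing. Seeding known_ips with an IP the user really has used before suppresses the second alert while leaving the travel alert in place, which is how the baseline should be fed from historical logs in practice.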
For Users:
- Inspect the URL: Always verify that the domain in the address bar is exactly accounts.google.com before entering any credentials.
- Be Skeptical of Urgency: Treat any email demanding immediate action regarding account security with extreme caution, and open your account settings by typing the address yourself rather than following the email's link.
- Recognize the 2FA Trap: A prompt for a 2FA code right after the password is not itself suspicious; the genuine Google login asks for one too. The red flag is being asked for a code on a page you reached from an email link, or on any domain other than accounts.google.com. Never enter a code on a page you did not open deliberately.