

The rise of multi-factor authentication (MFA) has gone a long way to improving our security posture. Even if an attacker successfully phishes your password, multi-factor authentication will stop most attackers in their tracks, if it’s enabled. Unfortunately, MFA is far from foolproof.
Recently, The Citizen Lab posted an interesting case study about an academic who was targeted by an advanced persistent threat (APT). With some careful trickery, the APT bypassed his MFA completely, using a feature that exists for older apps that don’t support modern sign-in. Let’s dive in and see how they did it.
An innocent introduction
In May of 2025, Keir Giles received an email from a “U.S. State Department official”, requesting a consultation. This is normal in Giles’ line of work, so he overlooked some of the initial clues that something phishy was going on. The email he received came from a Gmail account, which is a red flag, but the CC line included four seemingly legitimate @state.gov email addresses, including one with the same name as the Gmail account.
It seems likely that the attackers added these false email addresses to provide fake credibility. The State Department’s email server seems to be configured to accept all incoming messages, even if the address doesn’t actually exist. It does not appear to send bounce responses when it receives a message for a fake @state.gov address.
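The lure pattern above (a webmail sender with official-looking addresses in Cc, one of them reusing the sender’s name) can be flagged automatically at the mail gateway. The following is an added example, not code from the article or from The Citizen Lab; the webmail domain list and the sample messages are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Public webmail domains from which a genuine official invitation would not normally
# originate. Constructed list for this example; extend it to fit your environment.
WEBMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}

def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()

def _name_tokens(display_name: str, addr: str) -> set:
    # Split "Jane Doe" and "jane.doe" into comparable lower-case name parts.
    raw = (display_name + " " + addr.split("@")[0]).lower()
    return {t for t in re.split(r"[^a-z]+", raw) if len(t) > 1}

def lookalike_cc_findings(raw_email: str) -> list:
    """Return human-readable findings for a message whose From is a webmail
    address while the Cc line carries addresses at an official-looking domain,
    with an extra finding when a Cc address reuses the sender's name."""
    msg = message_from_string(raw_email)
    parsed_from = getaddresses([msg.get("From", "")])
    from_name, from_addr = parsed_from[0] if parsed_from else ("", "")
    findings = []
    if _domain(from_addr) not in WEBMAIL_DOMAINS:
        return findings
    sender_tokens = _name_tokens(from_name, from_addr)
    for cc_name, cc_addr in getaddresses(msg.get_all("Cc", [])):
        cc_domain = _domain(cc_addr)
        if not cc_domain or cc_domain in WEBMAIL_DOMAINS:
            continue
        findings.append(f"webmail sender {from_addr} paired with official-looking Cc {cc_addr}")
        shared = sender_tokens & _name_tokens(cc_name, cc_addr)
        if shared:
            findings.append(f"Cc {cc_addr} reuses the sender's name parts {sorted(shared)}")
    return findings

# Constructed sample messages; names and addresses are placeholders, not from the article.
LURE = """From: Jane Doe <jane.doe.official@gmail.com>
To: target@example.org
Cc: Jane Doe <jane.doe@state.gov>, Bob Roe <bob.roe@state.gov>
Subject: Consultation request

Would you be available for a short consultation next week?
"""
BENIGN = """From: Jane Doe <jane.doe@state.gov>
To: target@example.org
Cc: Bob Roe <bob.roe@state.gov>
Subject: Consultation request

Would you be available for a short consultation next week?
"""
```

A hit is a reason to route the message for review rather than to block it outright, since legitimate contacts do occasionally write from personal accounts.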
The trap is set
Giles expressed interest in the consultation, and was then invited to “join our MS DoS Guest Tenant platform” for future meetings. The attackers asked him to create an account and sent through a PDF with instructions. The PDF appeared legitimate, guiding external Gmail users on how to set up an app-specific password for joining the MS DoS Guest Tenant.
It took him through his Google Account settings to an App passwords page. It asked him to create an app password for an app named “ms-state.gov”:

When he clicked “Create”, a password popped up:

The document told him to share this password with the US DoS administrators to complete his onboarding. Once he did, the attackers had access to his account and all of his work information. He’d been duped.
What went wrong?
As security experts, we may think that we are immune to phishing. Sure, Giles missed some red flags that we probably would have caught, but it’s still a very clever attack. The trick behind it was that all of the initial emails were innocuous and unhurried. Giles didn’t have his guard up, because this is normal in his kind of work. The real genius was in luring Giles to a Google security page that he was unfamiliar with.
If you read the App passwords page, it clearly says “App passwords help you sign in to your Google Account on older apps and services that don’t support modern security standards.” It tells you straight up that this is a password for “your Google Account”. It’s not an onboarding page that connects you to the DoS platform. With just this password and his email address, the attackers could log in to his account, bypassing MFA.
Unfortunately, setup pages like this are boring and we often zone out when going through the motions. Giles still wasn’t suspicious, so he just did what he was told. The app name “ms-state.gov” is just a label and has no effect on what the password can do, but it did make the process seem more credible. Giles had no idea that he was actually handing the attackers a password that let them take control of his account.
An attack of this nature could trick many smart and security-aware people. That’s why it’s important to always take things slowly and be overly cautious. We need to remind our employees to look out for those little details, like the fact that it was a Gmail account that reached out to him, or that the App passwords page doesn’t do what the document says. Above all, we need to stress to everyone, if in doubt, ask! We would all prefer to deal with simple questions instead of a major security breach.
That’s it for this week. Stay tuned,
The DestCert team
