Phishing Campaign Against “Civil Network OPORA” – Gmail Account Takeover via OAuth

Investigation by Digital Security Lab Ukraine

Executive Summary

On July 8, 2026, members of the civic network “OPORA” received a phishing email titled “Demand to Remove Plagiarism,” purportedly from the legal department of the well-known Ukrainian media outlet “GORDON”. The email was part of a carefully prepared campaign aimed at stealing access to the organization’s staff Google mailboxes.

A key feature of this attack is that the threat actors did not steal passwords in the classic sense. Instead, they used an OAuth consent phishing technique: the victim was persuaded to authorize a fraudulent application through Google’s genuine sign-in mechanism, granting the attackers a persistent access token to Gmail with permissions to read, send, and delete emails. Such a token is not invalidated by a password change and remains valid until the victim manually revokes the permission.

The investigation uncovered a well-planned, multi-layered infrastructure: a lookalike sender domain with fully configured email authentication (passing SPF, DKIM, and DMARC), an intermediate filtering domain using hCaptcha to screen out automated scanners, a fake Google Drive page built in React, and a chain of domains for generating and intercepting the OAuth token. All domains were registered on the same day – two weeks before the attack – through four different registrars, indicating deliberate preparation to resist detection and takedown.

This campaign mirrors the tactics documented by our partners at CyberHUB-AM in March 2026 regarding a spear-phishing campaign targeting Armenian civil society (https://cyberhub.am/en/blog/2026/03/05/alert-spear-phishing-campaign-targeting-armenian-civil-society/), and fits into a broader trend of attacks on human rights and civil society organizations in the region.

Phishing Campaign Targeting

“Civil Network OPORA” (https://oporaua.org/en) is one of Ukraine’s leading civil society organizations, engaged in independent election observation, parliamentary monitoring, and analysis.

Civil society and human rights organizations in Ukraine are systematically under pressure from targeted cyber operations by pro-Russian state-sponsored actors, criminal clusters, and hacktivist groups. Access to such an organization’s email opens up not only correspondence but also the ability to further propagate the attack among trusted contacts, compromise partners, and gather material for further operations.

The Phishing Email

Typosquatting – a type of cyber fraud in which attackers register domain names that closely resemble legitimate site names, banking on users’ typing errors. For example, entering gooogle.com instead of google.com)

The email arrived on July 8, 2026, addressed to an OPORA staff member. The sender field read (auto translated from Ukrainian):

The genuine domain of the “GORDON” editorial site is gordonua.com. The attackers registered the lookalike domain gordorua[.]com, substituting a single letter (n -> r). The difference is difficult to spot visually within a stream of incoming emails. However, the email’s signature listed the genuine address [email protected], which may have created an illusion of legitimacy.

Social Engineering

The email’s text was built on legal pressure. Purportedly on behalf of “Senior Legal Department Specialist Viktoriya Voronina,” it demanded the removal of an OPORA article about the reinstatement of the powers of Domazhyriv village council deputies, accusing the organization of plagiarism. The article in question had indeed been published on the organization’s website back in 2020 – adding credibility to the complaint.

The email urged the recipient to review the complaint details and follow a link structurally mimicking a Google Drive link:

The email passed all email authentication checks:

The attackers did not spoof the domain gordonua.com. They registered their own domain gordorua[.]com and configured a full-fledged mail infrastructure on Microsoft 365 with valid SPF, DKIM, and DMARC records for it. From the mail server’s perspective, the email genuinely originated from the legitimate owner of the domain gordorua[.]com – which is why Google did not flag it as spam.

The Filter Domain

Following the link does not lead directly to the phishing page. The domain drive[.]sharedfilesid175[.]com acts as an intermediate filter, and its behavior likely depends on the visitor’s country:

  • From Ukrainian IP addresses, the server immediately returns an HTTP 302 – redirect to drive[.]sharedfilesid164[.]com.
  • From non-Ukrainian IP addresses (verified from several European addresses), the server returns an HTTP 200 with an hCaptcha page. Only after solving the captcha (POST /__verify) does the visitor proceed further.

This is not a hard geo-block, but rather a mechanism to screen out automated scanners and sandboxes (which are unable to pass hCaptcha) and to reduce the campaign’s visibility to researchers outside the target region.

The Fake Google Drive

After passing through the gateway, hxxps://drive[.]sharedfilesid164[.]com opens a page mimicking the Google Drive interface, titled “My Drive – Google Drive,” containing a single “shared” folder holding a supposed PDF document.

Analysis of the page’s JavaScript shows that it is a full-fledged React application (React + Redux Toolkit + i18next, built with Vite), and the entire contents of the “folder” are hard-coded into the code (auto-translated from Ukrainian):

After a few seconds, or upon attempting to download the file, a modal window appears with a single available action – “Continue with Google.” This is the trap.

The OAuth Consent Trap

Clicking “Continue with Google” triggers a chain of redirects that ends on the genuine Google page.

On the accounts.google.com page, the victim sees an authentic Google interface requesting permission for the application. This is where the critical moment occurs – granting the attackers access to the account.

OAuth request parameters:

Why This Is More Dangerous Than Password Theft?

  • The gmail.modify scope grants full control over mail: reading, sending on the victim’s behalf, deleting messages (including security warnings from Google), reading two-factor authentication codes, and further spreading the attack through contacts.
  • access_type=offline forces Google to issue a refresh_token with no expiration date. Changing the Google account password does not invalidate this token.
  • Two-factor authentication does not protect against this attack – the victim has already passed all of Google’s checks themselves.

The only way to terminate access is to manually revoke the malicious app’s permission at https://myaccount.google.com/permissions.

This scheme, authorizing a fraudulent OAuth application instead of stealing credentials, directly echoes the campaign against Armenian civil society documented by CyberHUB-AM.

Failed Attempt, or a Swift Google Response

The final stage of the attack did not work during our investigation, which is quite curious. Despite all the infrastructure preparation, the last step turned out to be non-functional. As shown in the screenshot, Google flagged the application as unverified. The next screenshot shows details regarding the app’s developer:

Infrastructure Analysis

DSLU analyzed passive DNS and WHOIS data, which reveal a sophisticated and deliberately distributed infrastructure.

Domain Registration

All four domains were registered on the same day – June 24, 2026, two weeks before the attack, using four different registrars and different DNS providers:

Domain Registration Date Registrar Role
gordorua[.]com 2026-06-24 VSYS Sender domain (lookalike of gordonua.com)
sharedfilesid175[.]com 2026-06-24 Tucows Filter domain (hCaptcha)
sharedfilesid164[.]com 2026-06-24 NameSilo Phishing page
sharedfilesid[.]com 2026-06-24 NiceNIC OAuth URL generator
gordonua[.]onrender[.]com ? Amazon OAuth exfiltration

The simultaneous registration confirms a single, unified plan, and the distribution across registrars and DNS providers provides protection against detection and takedown.

Hosting and CDN

Mail and DNS infrastructure of gordorua[.]com:

DNS is delegated to VSYS. VSYS nameservers resolve to ranges within several ASNs, including Virtual Systems LLC (ASN 6698, Ukraine). The phishing sender’s mail runs on Microsoft 365.

The phishing domains drive[.]sharedfilesid175[.]com, drive[.]sharedfilesid164[.]com and sharedfilesid[.]com are fronted by BunnyCDN. BunnyCDN acts as a proxy layer, concealing the real origin. The likely full chain is: BunnyCDN -> Cloudflare -> Render.com. The token-collection server gordonua[.]onrender[.]com is hosted directly on Render.com as a phishing page (a free PaaS).

Google Workspace on the Phishing Domain

The domain drive[.]sharedfilesid164[.]com has its own configured Google Workspace:

  • MX records point to Google (aspmx.l.google.com and alt servers)
  • XT record: “google-site-verification=g4uJHVKRsz3YNsU1tqAZOjg9QgO3twmIFeQd3aJrikQ”

This means the attackers control a Google Workspace account tied to the phishing domain. However, when we attempted the OAuth flow, Google displayed an “Access blocked” screen – gordonua[.]onrender[.]com had not completed Google’s verification process and was restricted to developer-approved testers only. The “Developer Information” pop-up on that screen listed:

 

According to Google’s own OAuth consent screen configuration process, the Support email field cannot be freely typed – it must be selected from a dropdown restricted to addresses that already hold an Owner or Editor role on the underlying Google Cloud project. In other words, this is not a self-declared contact address. It indicates that [email protected] very likely has direct administrative control over the Google Cloud project behind this OAuth client – separately from, and not necessarily connected to, the Google Workspace tenant on drive[.]sharedfilesid164[.]com.

Conclusions

Our analysis points to an organized, resourceful, and well-prepared actor:

  • Careful infrastructure preparation over two weeks, with diversified registrars and CDN fronting.
  • Legitimate mail authentication (M365 + SPF/DKIM/DMARC) to ensure Inbox delivery.
  • Well-thought-out social engineering incorporating real details (a genuine 2020 article, a real media outlet used as cover).
  • A technically more sophisticated OAuth-consent vector that bypasses two-factor authentication and password changes.
  • Country-based filtering oriented toward Ukrainian users.

The similarities with the campaign documented by CyberHUB-AM in Armenia may point to a broader regional pattern of attacks against civil society organizations, although we do not yet have enough evidence to confirm a direct connection between the campaigns.

Based on the available data, we are not yet able to attribute this campaign to a specific threat group. Attribution requires further investigation.

Recommendations

For personal Google accounts:

  • Review your Google account settings (personal and corporate). Open myaccount.google.com/permissions and remove unknown applications.
  • Check filter and mail-forwarding rules in your Gmail settings.
  • Set up Google Advanced Protection using security keys.

For organizations with Google Workspace:

  • Review Connected Apps in the Google Workspace Admin Console.
  • Enable App Access Control (Security -> API Controls): restrict OAuth access for third-party applications, allowing only trusted ones.
  • Disable mail forwarding organization-wide or for specific Organizational Units.
  • Set up Google Advanced Protection for high-risk members of the organization.

About Digital Security Lab Ukraine

Founded in 2017, Digital Security Lab Ukraine (DSLU) is a non-governmental organization dedicated to protecting digital rights and strengthening the resilience of civil society, media, and human rights defenders in Ukraine. We provide hands-on support through consultations, audits, training, and incident response, while also engaging in forensics, research, advocacy, and policy work to drive long-term systemic change in digital rights, data protection, media freedom, and AI governance.

Indicators of Compromise (IOCs)

gordorua[.]com Sender domain
drive[.]sharedfilesid175[.]com Filter domain (hCaptcha for non-UA)
drive[.]sharedfilesid164[.]com Phishing page (fake Google Drive)
sharedfilesid175[.]com Base phishing domain
sharedfilesid164[.]com Base phishing domain
sharedfilesid[.]com OAuth URL generator
gordonua[.]onrender[.]com OAuth token collection (redirect_uri)
hxxps[://]gordonua[.]onrender[.]com/callback OAuth redirect_uri – token interception point
hxxps[://]drive[.]sharedfilesid175[.]com/__verify hCaptcha verify endpoint
hxxps[://]drive[.]sharedfilesid164[.]com/__/auth/login Fake auth page (mimics Firebase Auth)
955469140772-na5hm93o628mkrtpr4tr70beniaas3gd.apps.googleusercontent.com Attacker’s OAuth client_id
e094650a-ad6a-4258-a780-8441c1b79765 Microsoft 365 Tenant ID (gordorua[.]com)
MS=ms85551769 Microsoft domain verification (gordorua[.]com)
google-site-verification=g4uJHVKRsz3YNsU1tqAZOjg9QgO3twmIFeQd3aJrikQ Google Workspace verification (drive[.]sharedfilesid164[.]com)
623c3cbe-7ac4-46e6-a446-d49ae21234d2 hCaptcha sitekey
[email protected] Email sender