You enabled two-factor authentication on your Gmail account. You are using an authenticator app. You believe your account is protected even if your password leaks. In June 2026, a Belarus-linked hacking group called UNC1151 (publicly known as Ghostwriter) is running a campaign that renders that assumption incorrect, and the technical reason is important to understand.
How the attack works
The attack is an adversary-in-the-middle (AiTM) phishing operation. CERT Polska published an advisory in June 2026 documenting the infrastructure and mechanics. The victim receives an email disguised as a Google Account security alert, typically warning about suspicious activity or repeated OTP generation. The email contains a link to a phishing page hosted on domains under .icu, .digital, or .top TLDs, or on Netlify subdomains, styled to look exactly like a Google sign-in page.
When the victim enters their password, it is immediately passed to Google's real authentication endpoint by the phishing infrastructure acting as a relay. Google responds with a request for the second factor. The phishing page renders a real-time TOTP entry form. The victim enters their six-digit authenticator code. The attacker's automation submits it to Google before the 30-second TOTP window expires. The session is captured. The victim is redirected to a legitimate Google page and may not realize the compromise happened at all.
Why standard 2FA does not stop this
Time-based one-time passwords (TOTP) were designed to protect against replay attacks where an attacker captures a code and reuses it later. They were not designed to protect against a real-time relay. In an AiTM attack, the attacker is not replaying a captured code. They are using the code within its valid window by acting as a transparent proxy between the victim and the legitimate service. The code is valid, the session is real, and the attack completes before TOTP's time window closes.
SMS-based 2FA is equally vulnerable to the same technique. Push notification MFA (like Google Prompt) is slightly harder to relay but not immune, as demonstrated by campaigns targeting Microsoft 365 users.
What actually stops it
Hardware security keys using FIDO2 and WebAuthn block AiTM attacks by design. When a user authenticates with a hardware key, the cryptographic challenge binds to the origin (the domain the browser is actually connected to). The phishing domain is not google.com, so the hardware key refuses to authenticate. The attacker's relay infrastructure cannot forward a credential that was never generated. This is the fundamental difference: TOTP codes are origin-agnostic; hardware key responses are origin-bound.
Google's passkey implementation also provides this protection, as passkeys are built on WebAuthn and are origin-bound. Google Workspace administrators can enforce passkey or hardware key enrollment for users and disable fallback to SMS and TOTP.
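To make the origin-bound versus origin-agnostic contrast concrete, here is an added example (my own code, not from the CERT Polska advisory, Google, or WebAuthn libraries): an RFC 6238 TOTP check that sees only digits and a clock, beside the relying-party checks from the WebAuthn spec that reject an assertion whose clientDataJSON origin and RP ID hash belong to a look-alike host. The relying-party name, the phishing origin and the challenge are constructed values.

```python
import hashlib, hmac, json, struct

# Constructed names (not from the advisory): a legitimate relying party and a look-alike host.
RP_ID = "accounts.example.com"
ALLOWED_ORIGINS = {"https://accounts.example.com"}
PHISH_ORIGIN = "https://accounts-example.icu"

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1. Inputs are a shared secret and a clock; no origin."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def relayed_totp_accepted(secret: bytes, victim_time: int, relay_delay: int) -> bool:
    """Victim's app emits a code at victim_time; it reaches the real server relay_delay seconds
    later. The server can only compare digits, so anything inside the same 30 s window verifies."""
    code_typed_on_phishing_page = totp(secret, victim_time)
    return hmac.compare_digest(totp(secret, victim_time + relay_delay), code_typed_on_phishing_page)

def assertion_from_browser(origin: str, rp_id: str, challenge: str):
    """What a WebAuthn authenticator signs: clientDataJSON carrying the origin the browser is
    really connected to, and authenticatorData starting with SHA-256 of the RP ID the browser
    actually used (browsers refuse an rpId that is not a suffix of the page's own host)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    return client_data, auth_data

def rp_verifies_assertion(client_data: bytes, auth_data: bytes, expected_challenge: str) -> bool:
    """Relying-party checks that run before the signature is even examined."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") not in ALLOWED_ORIGINS:   # origin binding: a relay cannot rewrite this
        return False
    return auth_data[:32] == hashlib.sha256(RP_ID.encode()).digest()   # rpIdHash must match

def relayed_assertion_accepted() -> bool:
    """Victim on the phishing page: the browser stamps the phishing origin and RP ID."""
    challenge = "constructed-challenge-123"
    client_data, auth_data = assertion_from_browser(PHISH_ORIGIN, "accounts-example.icu", challenge)
    return rp_verifies_assertion(client_data, auth_data, challenge)

def genuine_assertion_accepted() -> bool:
    challenge = "constructed-challenge-123"
    client_data, auth_data = assertion_from_browser("https://accounts.example.com", RP_ID, challenge)
    return rp_verifies_assertion(client_data, auth_data, challenge)
```

The TOTP path accepts a relayed code as long as it arrives inside the same 30-second step, while the WebAuthn path fails on the origin check before any signature is considered.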
Who is targeted and why it matters
CERT Polska's advisory focuses on Polish public figures and their families: politicians, journalists, academics, and NGO staff. Ghostwriter is a Belarus-linked information operations group with a history of targeting individuals connected to the Ukrainian, Polish, and Baltic states for intelligence collection and influence operations. The personal Gmail accounts targeted are often less protected than corporate email, because people apply organizational security controls to work accounts and assume personal accounts are less interesting to attackers.
The broader lesson is not geography-specific. AiTM phishing infrastructure is available as a service. The same technique that Ghostwriter is deploying against Polish officials is available to criminal groups targeting enterprise employees with Google Workspace or Microsoft 365 accounts. Any organization that has not moved to hardware key or passkey authentication for privileged accounts and sensitive email users is relying on 2FA that a motivated attacker can bypass in real time.
Practical steps
For high-risk individuals: enroll a hardware security key (YubiKey, Google Titan Key, or similar FIDO2 device) as your primary 2FA for Gmail and any account that matters. Enable passkeys if hardware key enrollment is not feasible. Remove SMS fallback.
For Google Workspace administrators: enforce Advanced Protection for executive, legal, finance, and IT admin accounts. Audit which users still have SMS or TOTP as their primary second factor.
For security awareness programs: update phishing training to include AiTM mechanics. The classic "look for the lock icon and check the URL" advice still applies, but recipients need to understand that a phishing page can look identical to the real site and still be a relay.
Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you want to discuss phishing-resistant authentication rollout for your organization or team.