The phishing email passed SPF, DKIM, and DMARC, and instead of the usual Google login, it opened a consent window for a dangerous app with access to Gmail.

Cyberespionage has once again come to the forefront ahead of the parliamentary elections in Armenia. CyberHUB-AM reported a spearphishing campaign against members of Armenian civil society. The attack was detected on March 3, 2026, and the main goal, according to researchers, was accessing the email accounts of individuals involved in protecting a free and fair electoral process ahead of the June 7 vote.
The lure relied on impersonating a political figure. The attackers sent emails posing as Maria Karapetyan, a well-known representative of the Civil Contract party, and offered recipients a supposed business proposal for cooperation. The sender's address appeared credible because of the domain civilcontact.am, which mimicked that of a legitimate organization. Researchers particularly noted the quality of the Armenian in the bait: the text read unevenly and could have been produced with machine translation or AI, indirectly suggesting that it was written by non-native speakers.
The most disturbing part of the campaign wasn't the fake attachment but the way it bypassed the usual security measures. The email linked to a page disguised as a Google Drive folder on the domain drive.google.sharefolders[.]org. After clicking, the victim was shown a Google login button, but instead of the usual authorization, a consent window opened for a malicious OAuth app. The app requested access to Gmail with read and write permissions for all emails, effectively opening the door to the victim's correspondence, internal documents, and further attacks launched from the compromised account.
The campaign was carefully prepared. CyberHUB-AM reports that the malicious emails successfully passed SPF, DKIM, and DMARC checks, making Gmail and Outlook less likely to mark them as spam. However, the attack itself appears to have been ineffective: during tests, Google prevented authorization because the malicious OAuth app was not approved by the platform. Researchers also discovered that the app was linked to the account melissajchaves18[@]gmail.com.
The technical infrastructure also suggests sophisticated preparation. The sharefolders[.]org domain was registered on February 26, 2026, and certificates for several similar addresses, including doc.google.sharefolders[.]org and drive.google.formshare[.]cloud, were issued around the same time. According to the report, the malicious hosts were served from a Hostinger server with IP address 187.77.12.131, and the first recorded phishing email was sent on the morning of March 3. Researchers believe the combination of tactics is reminiscent of operations by groups with Russian ties, particularly COLDRIVER or UNC4057, which have previously targeted NGOs, civil society activists, and government agencies in the Caucasus and Ukraine.
This case clearly demonstrates how modern phishing is changing. Instead of crude forgeries, attackers are increasingly using legitimate mechanisms like OAuth, plausible domains, and lures tied to a real political agenda. CyberHUB-AM recommends carefully checking domains in such cases, not granting third-party apps access to your Google account without a clear reason, confirming unexpected requests through a different communication channel, and, whenever possible, enabling Google's enhanced security features and multi-factor authentication.
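As an added illustration of the review step CyberHUB-AM recommends (this is not the researchers' own code): the script below scans constructed OAuth consent-grant records for third-party apps that were granted full Gmail read/write scope, the permission the malicious app in this campaign requested. The event format, app names and client IDs are assumptions.

```python
"""Flag OAuth consent grants that give a third-party app broad Gmail access.
Added example, not CyberHUB-AM's tooling; events are constructed to resemble
Google Workspace OAuth "Token" audit records, with placeholder names and IDs."""
from dataclasses import dataclass

# Gmail scopes that let an app read, modify or send every message in a mailbox.
RISKY_GMAIL_SCOPES = frozenset({
    "https://mail.google.com/",                        # full mailbox access
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.readonly",
})

@dataclass(frozen=True)
class Finding:
    user: str
    app_name: str
    client_id: str
    risky_scopes: tuple

def review_grants(events, allowed_client_ids=frozenset()):
    """Return one Finding per consent grant that hands an unvetted app a risky scope."""
    findings = []
    for ev in events:
        if ev["event"] != "authorize":          # revocations etc. are not grants
            continue
        if ev["client_id"] in allowed_client_ids:
            continue                            # vetted app, reviewed separately
        risky = tuple(sorted(set(ev["scopes"]) & RISKY_GMAIL_SCOPES))
        if risky:
            findings.append(Finding(ev["user"], ev["app_name"], ev["client_id"], risky))
    return findings

# Constructed sample events: a benign calendar app, an approved mail client,
# and a look-alike "Drive" app asking for the whole mailbox, as in the campaign.
SAMPLE_EVENTS = [
    {"event": "authorize", "user": "a.user@example.org", "app_name": "Team Calendar",
     "client_id": "111-calendar.apps.example", "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"event": "authorize", "user": "a.user@example.org", "app_name": "Approved Mail Client",
     "client_id": "222-mailclient.apps.example", "scopes": ["https://mail.google.com/"]},
    {"event": "authorize", "user": "b.user@example.org", "app_name": "Google Drive Shared Folder",
     "client_id": "333-unknown.apps.example", "scopes": ["https://mail.google.com/", "openid", "email"]},
]
APPROVED_CLIENT_IDS = frozenset({"222-mailclient.apps.example"})

if __name__ == "__main__":
    for f in review_grants(SAMPLE_EVENTS, APPROVED_CLIENT_IDS):
        print(f"REVIEW: {f.user} granted {f.risky_scopes} to '{f.app_name}' ({f.client_id})")
```

In a real deployment the same check runs over the exported Token audit log, and any hit on an app that is not on the organization's allowlist is grounds to revoke the grant and contact the user.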
