CERT Polska has spent the past several months tracking an intensified phishing campaign from UNC1151, the Belarus-linked threat group also known as Ghostwriter. Since March 2026, the group has shifted its long-running focus on Polish webmail providers like Onet, Wirtualna Polska, and Interia toward Gmail accounts, running the operation with high intensity on weekdays and registering new phishing domains almost every single day. The campaign steals passwords and two-factor authentication codes in the same pass, and it does it without ever needing to forge a domain that DMARC would catch.
How the Campaign Works
The lure is a fake Gmail administrator notice, written in fluent, error-free Polish, warning the recipient of suspicious account activity or a terms-of-service violation. CERT Polska found that attackers send these messages from newly created Gmail accounts with names built to look official, such as [email protected] or [email protected], and from compromised legitimate accounts with their display name altered to match. Rather than addressing victims directly, many messages go out over BCC, keeping recipient lists hidden from each other and from casual inspection. The link inside routes to a phishing domain, frequently registered under .icu, .digital, or .top, or hosted as a subdomain on a free platform like Netlify, with names such as mailverify.digital, verify-check.digital, or monitoring-google-konta.netlify.app. Because these domains rotate daily, blocklists built on yesterday’s indicators are already stale by the time they update.
Real-Time Relay Beats the Second Factor
What separates this wave from an ordinary credential-harvesting page is what happens after the victim types their password. The phishing page opens a background websocket connection to the attacker’s infrastructure and streams everything entered on the page the moment it is typed. When the victim’s Google account prompts for a one-time code or an authenticator app confirmation, the attacker’s backend relays that request to the fake page in real time, the victim enters the code believing they are completing a routine login, and the code is forwarded to Google before it expires. This is the same adversary-in-the-middle logic that has powered account-takeover campaigns all year, but Ghostwriter is running it against Gmail directly, at volume, with fresh infrastructure appearing daily to stay ahead of takedown efforts. Once inside, UNC1151 systematically harvests contact lists for the next round of targeting, sensitive documents, and access to any linked social media accounts, then moves on to the victim’s professional, family, and social connections.
Who Is Being Targeted
CERT Polska’s targeting data points squarely at people whose inboxes carry political and strategic value: politicians, public officials, security researchers, journalists, law enforcement personnel, and public administration employees, along with their families and close contacts. Separate reporting from Recorded Future’s The Record has documented the same group targeting the personal Gmail accounts of Belarusian pro-democracy politicians and their relatives, consistent with Ghostwriter’s history of state-aligned targeting in the region.
Why DMARC Was Never Positioned to Stop This
It’s worth being precise about what DMARC does and does not cover here, because this campaign sits almost entirely outside its scope. DMARC lets a domain owner declare which mail servers are authorized to send as that domain, and it lets receivers reject or quarantine mail that fails to prove it came from one of them. When UNC1151 sends a lure from a brand-new, genuine Gmail account, that mail is exactly what it claims to be: a real message from a real Gmail address, authenticated correctly by Google’s own infrastructure. There is no forged domain for DMARC to catch, because Google is not being spoofed. When the campaign instead uses a freshly registered .icu or .digital domain, or a Netlify subdomain, DMARC on that domain (if the attacker bothers to set one up at all) will pass cleanly too, since the attacker owns the sending infrastructure outright. DMARC protects a domain from being impersonated by someone else. It has nothing to say about a message sent from an account or domain the attacker actually controls, and it has no visibility at all into what happens on the landing page after the click, which is where this campaign’s real damage, the websocket relay against the second factor, actually occurs.
What Defenders Should Do
Move to phishing-resistant authentication. FIDO2 security keys and passkeys are not vulnerable to real-time relay in the way that SMS codes and TOTP prompts are, because the cryptographic proof is bound to the origin domain. A relay page cannot forward a proof it cannot forge.
Treat “Gmail security” emails from Gmail addresses as inherently suspicious. Google does not send account security notices from personal @gmail.com addresses. That mismatch alone is a reliable tell that user training can catch even when the message is fluent and error-free.
Watch for newly registered lookalike domains in your threat intel feeds, particularly ones combining “google,” “gmail,” “verify,” or “security” with volatile TLDs like .icu, .digital, or .top, and get takedown requests filed quickly since this actor’s infrastructure turns over daily.
Keep DMARC enforcement in place for what it does cover. None of this argues against DMARC. It remains the correct control against someone forging your organization’s own domain, and every domain your organization owns, including ones you do not actively send from, should still be locked down to p=reject. It simply is not the tool for this particular campaign.
The Takeaway
Ghostwriter’s Gmail campaign is a reminder that the most dangerous phishing operations increasingly route around email authentication entirely rather than trying to beat it. A message sent from a genuine account, to a real inbox, followed by a landing page that relays a stolen second factor in real time, authenticates perfectly at every step DMARC checks, because nothing about the sending infrastructure is fraudulent. The fraud happens entirely after the click. Defending against it takes phishing-resistant credentials and fast-moving domain intelligence, alongside DMARC enforcement, not instead of it.
Excello Mail gives you continuous visibility into your DMARC aggregate reports and sending sources, so you always know what is authenticating as your own domain while your team builds the rest of your defenses. Sign up for free to Excello Mail to keep that visibility in place.