Still using Gmail App Passwords (ASPs)? You may want to rethink that. APT29 (aka Cozy Bear, Midnight Blizzard) is using them to bypass MFA and get persistent access to Gmail accounts, even in orgs with modern auth. Great writeup on this by The Citizen Lab here: https://lnkd.in/gTB28J5r

ASPs are basically backdoors. Once created, they provide full mailbox access without any MFA or granular controls, meaning attackers can access sensitive content, reset passwords, send phishing emails, etc.

Honestly, Google should’ve deprecated these years ago. But they're still around, and most customer environments we see still have many ASPs created for legacy clients. They're hard to guess, sure, but easy to social engineer out of users.

As authentication controls improve, attackers will keep finding creative ways to go around them. There are no silver bullets, and having a plan for resilience after an account is compromised is still a good idea.
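The practical first step for a defender is an inventory: which users have ASPs, which ones have never been used, and which ones have sat idle for months. The script below is an added example, not code from the post or from The Citizen Lab. It assumes the input is shaped like a Google Admin SDK Directory API `asps.list` response (per-ASP `codeId`, `name`, `creationTime` and `lastTimeUsed` as epoch-millisecond strings, with `"0"` meaning never used); that field layout is an assumption stated here rather than something the post documents, and the sample data is constructed. In production you would feed it the real API output per user and revoke the flagged entries with the matching `asps.delete` call.

```python
"""Audit Google Workspace app-specific passwords (ASPs) for stale or never-used entries.

Input mirrors the shape of the Admin SDK Directory API `asps.list` response
(codeId, name, creationTime, lastTimeUsed as epoch-millisecond strings).
That field layout is an assumption; the data below is constructed, not a real export.
"""
from datetime import datetime, timedelta, timezone

# Fixed reference time so the audit is deterministic (assumption: in production
# the caller passes the real current time instead).
NOW = datetime(2025, 7, 1, tzinfo=timezone.utc)


def _ms_ago(now, days):
    """Epoch milliseconds `days` before `now`, as the string form the API uses."""
    return str(int((now - timedelta(days=days)).timestamp() * 1000))


# Constructed sample: what asps.list might return for two users.
SAMPLE_ASPS = {
    "alice@example.com": [
        {"codeId": 1, "name": "Old desktop mail client",
         "creationTime": _ms_ago(NOW, 400), "lastTimeUsed": _ms_ago(NOW, 200)},
        {"codeId": 2, "name": "Scanner to email",
         "creationTime": _ms_ago(NOW, 30), "lastTimeUsed": "0"},
    ],
    "bob@example.com": [
        {"codeId": 3, "name": "Phone mail app",
         "creationTime": _ms_ago(NOW, 10), "lastTimeUsed": _ms_ago(NOW, 1)},
        {"codeId": 4, "name": "Legacy calendar sync",
         "creationTime": _ms_ago(NOW, 500), "lastTimeUsed": _ms_ago(NOW, 120)},
    ],
}


def _from_ms(value):
    """Convert an epoch-ms string to an aware datetime; "0"/missing means never."""
    ms = int(value)
    if ms <= 0:
        return None
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def classify_asp(asp, now, unused_days=90):
    """Classify one ASP as never_used, stale or active.

    Every ASP grants full mailbox access without MFA, so even an 'active'
    entry deserves review; the classification only orders the cleanup work.
    """
    last_used = _from_ms(asp.get("lastTimeUsed", "0"))
    created = _from_ms(asp["creationTime"])
    if last_used is None:
        # Never used since creation: nothing depends on it, so it is pure risk.
        status, days = "never_used", (now - created).days
    else:
        days = (now - last_used).days
        status = "stale" if days > unused_days else "active"
    return {"codeId": asp["codeId"], "name": asp.get("name", ""),
            "status": status, "days": days}


def audit_directory(asps_by_user, now=NOW, unused_days=90):
    """Flatten per-user ASP lists into one list of findings tagged with the user."""
    findings = []
    for user, asps in asps_by_user.items():
        for asp in asps:
            finding = classify_asp(asp, now, unused_days)
            finding["user"] = user
            findings.append(finding)
    return findings


def revocation_candidates(findings):
    """ASPs to revoke first: never used, or idle longer than the window."""
    return [f for f in findings if f["status"] in ("never_used", "stale")]


if __name__ == "__main__":
    for f in audit_directory(SAMPLE_ASPS):
        print(f"{f['user']:<20} id={f['codeId']} {f['status']:<10} "
              f"{f['days']:>4}d  {f['name']}")
```

Revoking the never-used and stale entries first removes most of the exposure with little user impact; the remaining active ASPs are the legacy clients the post mentions, and each is a candidate for migration to OAuth-based sign-in so the ASP can be deleted as well.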