adding app specific password phishing

README.md

@@ -48,7 +48,7 @@ We’ve taken inspiration from the MITRE ATT&CK framework (certainly intended as
 ||[IM user spoofing](techniques/im_user_spoofing/description.md)||[Inbound federation](techniques/inbound_federation/description.md)||[Device code phishing](techniques/device_code_phishing/description.md)|||[SAMLjacking](techniques/samljacking/description.md)||
 ||[nOAuth](techniques/noauth/description.md)||[Device enrollment](techniques/device_enrollment/description.md)||[Session cookie theft](techniques/session_cookie_theft/description.md)|||[Inbound federation](techniques/inbound_federation/description.md)||
 ||[MFA fatigue](techniques/mfa_fatigue/description.md)||[Cross-idp impersonation](techniques/cross-idp_impersonation/description.md)|||||[Session cookie theft](techniques/session_cookie_theft/description.md)||
-||[Device code phishing](techniques/device_code_phishing/description.md)|||||||||
+||[Device code phishing](techniques/device_code_phishing/description.md)||[App-specific password phishing](techniques/app_specific_password_phishing/description.md)|||||||
 ||[Hijack OAuth flows](techniques/hijack_oauth_flows/description.md)|||||||||
 ||[AiTM Phishing](techniques/aitm_phishing/description.md)|||||||||
 ||[Device enrollment](techniques/device_enrollment/description.md)|||||||||
@@ -58,6 +58,7 @@ We’ve taken inspiration from the MITRE ATT&CK framework (certainly intended as
 ||[Cross-idp impersonation](techniques/cross-idp_impersonation/description.md)|||||||||
 ||[Verification phishing](techniques/verification_phishing/description.md)|||||||||
 ||[UI redressing](techniques/ui_redressing/description.md)|||||||||
+||[App-specific password phishing](techniques/app_specific_password_phishing/description.md)|||||||||
 
 
 Another divergence from the ATT&CK framework is that these techniques are not solely based on observation. Instead, we’re allowing more exploratory techniques that haven't been seen in the wild. We think this is important because SaaS is a relatively new attack surface, and we want to encourage security researchers to think creatively about how SaaS can be abused to better anticipate future attacks.

techniques/app_specific_password_phishing/description.md

@@ -0,0 +1,25 @@
+# App-specific password phishing
+ID: SAT1050
+
+## Tactics
+* Initial Access
+* Persistence
+
+## Summary
+
+App-Specific password phishing is a social engineering technique where an adversary tricks a user into generating an "app-specific password" for their account and then sharing it with the attacker. These legacy passwords are a feature in some major SaaS providers (like Google and Apple) designed to allow older applications that do not support modern authentication (like OAuth 2.0) to access account data.
+
+The attack flow typically involves a pretext where the attacker, posing as a trusted entity (e.g., tech support, a service provider), directs the user to their account's security settings. The user is then guided through the process of creating a new app-specific password and is instructed to paste this password into a form or chat window controlled by the attacker.
+
+Because app-specific passwords are created by an already-authenticated user, they often bypass standard multi-factor authentication (MFA) prompts upon creation. Once the attacker possesses this password, they can gain persistent, programmatic access to the user's account data (e.g., emails, contacts, files) via APIs, often without triggering the same level of security alerts as a traditional interactive login from an unrecognized device. This makes the access stealthier and more durable than a session token, as these passwords typically remain valid until manually revoked by the user.
+
+This technique is a variant of phishing that targets a specific, often overlooked, credential type. It is similar to [consent phishing](/techniques/consent_phishing/description.md) in that it abuses a legitimate feature, but it targets a direct password credential rather than an OAuth consent grant.
+
+They can also be abused at the persistent phase to maintain access to a compromised account in a similar way to [ghost logins](/techniques/ghost_logins/description.md) and [api keys](/techniques/api_keys/description.md).
+
+## Examples
+
+* [Google](/techniques/app_specific_password_phishing/examples/google.md)
+
+## References
+* [Technical blog - Russian Government-Linked Social Engineering Targets App-Specific Passwords](https://citizenlab.ca/2025/06/russian-government-linked-social-engineering-targets-app-specific-passwords/)

techniques/app_specific_password_phishing/examples/google.md

@@ -0,0 +1,5 @@
+The following screenshots show how to create an app-specific password within Google
+
+![alt text](image-1.png)
+
+![alt text](image-2.png)