A China-linked spy group siphoned off medical and defense research emails from North America for more than a year. To steal the messages themselves, it did not exploit any vulnerability. The Google Threat Intelligence Group (GTIG) detailed this campaign in a report published on June 15, 2026, which it attributes with a high degree of confidence to an actor tracked under the name UNC6508. Its main weapon: a perfectly legitimate function of Google Workspace, diverted from its intended use.
An administrative rule turned into a spy
The technique relies on content compliance rules, a native tool of professional suites such as Google Workspace. An administrator can use them to automatically scan an organization's messages for keywords and then apply a predefined action, such as archiving or redirection. UNC6508 created a rule called "Patroit", a misspelling of "Patriot". It scanned emails for nearly 150 keywords related to medical research, advanced technologies and military subjects. Each matching message was sent as a blind copy (BCC, for blind carbon copy) to a Gmail address controlled by the attackers.
The operation did not trigger any alerts, because the emails were copied by a system function working exactly as designed. This is what distinguishes it from a classic intrusion. During the compromise of the European Commission via a tampered version of the Trivy tool, the abnormal network traffic eventually triggered alerts. Nothing of the kind here.
To get there, the actor had first entered through REDCap servers (Research Electronic Data Capture), clinical research data collection software often exposed on the Internet.
Google could not confirm the exact entry flaw or name a CVE reference, but it observed the group probing older vulnerable versions. A custom Trojan, called Infinitered, collected login credentials and survived updates. These credentials then opened access to an administrator account, and therefore to Workspace rules. The theft of emails itself exploited no vulnerability: administrator access and standard functionality were sufficient.
Check your own messaging rules
Google's recommendations are aimed at administrators. Review compliance and redirection rules that copy messages to external addresses. Audit logs should record when a rule was changed, not just what it contains. Phishing-resistant two-factor authentication is recommended for administrator accounts. REDCap servers must be updated and their old versions removed.
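A small audit script, added here as an illustration and not taken from Google's report, that flags any rule copying or redirecting mail to an address outside the organisation. The rule export format, the organisation's domains and the sample rules are all constructed assumptions, not Google Workspace's real schema.

```python
import json

# Domains the organisation owns (assumption for this example).
ORG_DOMAINS = {"example.org", "research.example.org"}

# Constructed sample in a hypothetical export format: a list of rules,
# each with a name and a list of actions. Not Google's real export schema.
SAMPLE_RULES_JSON = """
[
  {"name": "Archive legal", "actions": [{"type": "quarantine"}]},
  {"name": "Patroit", "actions": [{"type": "bcc", "recipients": ["collector@gmail.com"]}]},
  {"name": "HR copy", "actions": [{"type": "bcc", "recipients": ["hr@example.org"]}]},
  {"name": "Lookalike", "actions": [{"type": "redirect", "recipients": ["it@example.org.attacker.net"]}]}
]
"""

# Action types that send a copy of the message somewhere else.
COPYING_ACTIONS = {"bcc", "redirect", "forward"}


def is_external(address, org_domains=ORG_DOMAINS):
    """True when the address's domain is not one of the organisation's domains.
    An exact domain match is required, so 'example.org.attacker.net' is external."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in org_domains


def find_exfil_rules(rules, org_domains=ORG_DOMAINS):
    """Return (rule name, action type, external address) for every action that
    copies or redirects mail outside the organisation."""
    findings = []
    for rule in rules:
        for action in rule.get("actions", []):
            if action.get("type") not in COPYING_ACTIONS:
                continue
            for rcpt in action.get("recipients", []):
                if is_external(rcpt, org_domains):
                    findings.append((rule["name"], action["type"], rcpt))
    return findings


def audit(rules_json, org_domains=ORG_DOMAINS):
    """Parse an exported rule list and return the suspicious entries."""
    return find_exfil_rules(json.loads(rules_json), org_domains)


if __name__ == "__main__":
    for name, kind, rcpt in audit(SAMPLE_RULES_JSON):
        print(f"REVIEW: rule {name!r} ({kind}) sends mail to external address {rcpt}")
```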
A filtering or automatic forwarding rule, a commonplace function of any messaging service, can become a discreet exfiltration channel. Auditing the forwarding rules of your own account from time to time remains a simple and surprisingly rare reflex.