China Stole Medical Research Emails — Without Ever Breaking In
A China-linked group spent a year inside research networks by silently rewiring Google Workspace email forwarding. No password stolen, no malware dropped — just quiet redirection. Plus: a Palo Alto VPN bypass, 152 fake Chrome extensions, and backdoored WordPress plugins.
Monday, June 15, 2026 · 5-minute read
🌐 World Intel
A China-linked group called UNC6508 gained access to email accounts at research institutions and silently created email forwarding rules inside Google Workspace — the business version of Gmail used by universities, hospitals, and government agencies. The rules forwarded every incoming email matching certain keywords (medical research, military topics, government contracts) to an attacker-controlled account. No malware was needed and no files were pulled off the network: a quiet rule change meant every relevant email someone received was also delivered to someone in Beijing. The group remained hidden for more than a year in some cases. Detection requires auditing email forwarding rules, which most organizations don't do routinely.
Source: The Hacker News

Researchers discovered 152 Chrome browser extensions — spread across 38 publisher accounts on the Chrome Web Store — that functioned as a coordinated adware network. Each extension appeared to be a legitimate wallpaper or theme tool and collectively had 105,000 installs. Behind the scenes, they shared infrastructure and coordinated to inject ads into web pages, redirect searches, and track browsing behavior. The extensions were carefully distributed across dozens of accounts to avoid triggering any single-publisher red flags. Google removed them after researchers disclosed the findings.
Source: The Hacker News

Attackers tampered with JavaScript files in several widely-used WordPress plugins — including PushEngage, OptinMonster, and TrustPulse. The malicious code waited until a site administrator was logged in, then silently created a new hidden administrator account with attacker-controlled credentials. The attack is clever: it only fires when an admin is present, making it less likely to trigger automated security scans that run without a logged-in session. Millions of WordPress sites use these plugins. Check your WordPress admin user list for accounts you don't recognize — any unfamiliar admin account should be treated as a compromise indicator.
Source: The Hacker News

⚔️ Active Attacks
A flaw in Palo Alto Networks' GlobalProtect VPN software has been actively exploited since at least May 17. The flaw, CVE-2026-0257 (CVSS 7.8), allows attackers to bypass authentication entirely and establish unauthorized VPN connections — gaining the same network access a legitimate employee would have. Anyone who connects to GlobalProtect VPN is granted significant network access by design, so unauthorized connections are high-value intrusions. The flaw was exploited for weeks before Palo Alto issued an advisory and patch.
What you can do: Apply Palo Alto's patch for CVE-2026-0257 immediately. Review GlobalProtect connection logs for unfamiliar source IPs or user accounts, particularly between May 17 and today. Logins at unusual hours or from unexpected locations, or sessions that do not line up with a known user, are worth treating as indicators of compromise. If you see suspicious access, assume the attacker had whatever the VPN grants a normal employee, and investigate the internal network behind it, not just the VPN appliance.
Source: The Hacker News

🔓 New Vulnerabilities
Authentication bypass in Palo Alto's GlobalProtect VPN product. Allows attackers to establish unauthorized VPN connections, gaining internal network access without valid credentials. Actively exploited since May 17 — weeks before the advisory.
Patch available from Palo Alto. Apply immediately and audit VPN logs retroactively to May 17 for signs of unauthorized access.
JavaScript files in three popular WordPress plugins were modified to create hidden administrator accounts. The attack activates only when a logged-in admin visits an affected page, making it harder for automated scanners to detect. Any WordPress site that had these plugins installed during the compromise window may have unauthorized admin accounts.
Update all three plugins immediately. Check your WordPress Users page for unknown administrator accounts and delete them (take a database backup first so you keep the evidence, and reassign their content to a trusted account so nothing is silently lost). Rotate all admin passwords, invalidate active sessions, and review recent admin-level changes to the site: new plugins, edited theme files, and changed settings.
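A way to make the "check your admin user list" step repeatable, added here as a worked example rather than anything from the newsletter, The Hacker News, or the affected plugin vendors. It triages the JSON that `wp user list --format=json` prints against a roster you maintain, flags accounts registered inside the compromise window or using an outside email address, and emits the wp-cli commands to kill their sessions and remove them. The accounts, roster, domain and window date are constructed placeholders; the `--skip-plugins --skip-themes` flags matter because the query then runs without any site code that might filter the result, and the SQL constant is the equivalent check straight against the database.

```python
"""Triage WordPress administrator accounts after a plugin supply-chain compromise."""
from __future__ import annotations

import json
from datetime import datetime, timezone

# Constructed output (invented accounts, real wp-cli JSON shape) of:
#   wp user list --role=administrator --format=json \
#      --fields=ID,user_login,user_email,user_registered --skip-plugins --skip-themes
# WordPress stores user_registered in UTC.
SAMPLE_WP_USER_LIST = json.dumps([
    {"ID": "1", "user_login": "siteadmin", "user_email": "it@example-clinic.org",
     "user_registered": "2021-03-02 09:14:55"},
    {"ID": "2", "user_login": "drchen", "user_email": "chen@example-clinic.org",
     "user_registered": "2022-11-18 16:02:10"},
    {"ID": "57", "user_login": "wp-support", "user_email": "support@example-mail.net",
     "user_registered": "2026-06-09 03:41:27"},
])

# Placeholders standing in for your own records.
APPROVED_ADMINS = {"siteadmin", "drchen"}
INTERNAL_DOMAINS = {"example-clinic.org"}
# Placeholder: set to the earliest time a tampered plugin build could have run on your site.
WINDOW_START = datetime(2026, 6, 1, tzinfo=timezone.utc)

# Direct-database cross-check that bypasses WordPress entirely. {p} is the table
# prefix ("wp_" by default), so the capability key becomes e.g. wp_capabilities.
ADMIN_SQL = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM   {p}users u
JOIN   {p}usermeta m ON m.user_id = u.ID
WHERE  m.meta_key = '{p}capabilities'
  AND  m.meta_value LIKE '%administrator%'
ORDER  BY u.user_registered DESC;
"""


def admin_sql(prefix: str = "wp_") -> str:
    """Return the admin-listing query for a given table prefix."""
    return ADMIN_SQL.format(p=prefix)


def triage_admins(user_list_json: str, approved: set, internal_domains: set,
                  window_start: datetime) -> list:
    """Return the admin accounts that have at least one reason for suspicion."""
    findings = []
    for u in json.loads(user_list_json):
        reasons = []
        if u["user_login"] not in approved:
            reasons.append("not in the approved admin roster")
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        registered = registered.replace(tzinfo=timezone.utc)
        if registered >= window_start:
            reasons.append(f"registered {registered:%Y-%m-%d} inside the compromise window")
        if u["user_email"].rsplit("@", 1)[-1].lower() not in internal_domains:
            reasons.append("email address outside the organisation")
        if reasons:
            findings.append({"ID": u["ID"], "user_login": u["user_login"], "reasons": reasons})
    return findings


def remediation_commands(findings: list, reassign_to: str = "1") -> list:
    """wp-cli commands: end the account's sessions, then delete it while handing
    its posts to a trusted user ID so nothing disappears with it."""
    cmds = []
    for f in findings:
        cmds.append(f"wp user session destroy {f['user_login']} --all")
        cmds.append(f"wp user delete {f['ID']} --reassign={reassign_to} --yes")
    return cmds


if __name__ == "__main__":
    hits = triage_admins(SAMPLE_WP_USER_LIST, APPROVED_ADMINS, INTERNAL_DOMAINS, WINDOW_START)
    for h in hits:
        print(f"{h['user_login']} (ID {h['ID']}): " + "; ".join(h["reasons"]))
    print("\n".join(remediation_commands(hits)))
```

Run the generated commands only after you have a database backup and a copy of the tampered plugin files; the account is your evidence of when the malicious JavaScript fired, and an admin it created could have made other changes that survive its deletion.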
152 extensions distributed across 38 publisher accounts in the Chrome Web Store ran coordinated adware operations. Affected extensions included wallpaper and theme tools with a combined 105,000 installs. Google removed them after disclosure.
Check your installed Chrome extensions and remove any you didn't deliberately install or don't recognize. Extensions with excessive permissions (reading all websites, modifying web requests) deserve particular scrutiny.
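To turn "scrutinize permissions" into something you can run across a fleet, here is an added example (mine, not code from the newsletter, The Hacker News, or Google) that reads the `extensions.settings` map from a Chrome profile's `Preferences` file and flags extensions that can touch every site, use traffic-shaping or tab-reading APIs, or were not installed from the Chrome Web Store. The file location (`~/.config/google-chrome/Default/Preferences` on Linux; the same map lives in `Secure Preferences` on Windows and macOS) and the field layout are stated from memory of that file and should be verified on your own build; the extension entries below are constructed. The script cannot judge whether a wallpaper tool needs `webRequest`; it surfaces the extensions where that question is worth asking.

```python
"""Flag Chrome extensions whose permissions are out of proportion to their purpose."""
from __future__ import annotations

import json
from datetime import datetime, timedelta

BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE_APIS = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
                  "declarativeNetRequestWithHostAccess", "scripting", "tabs",
                  "history", "cookies", "proxy", "management", "debugger"}


def chrome_time(micros) -> datetime:
    """Chrome stores install_time as microseconds since 1601-01-01 (Windows epoch)."""
    return datetime(1601, 1, 1) + timedelta(microseconds=int(micros))


def audit_extensions(prefs: dict) -> list:
    """Return risky extensions, most reasons first. `prefs` is the parsed Preferences JSON."""
    out = []
    for ext_id, ext in prefs.get("extensions", {}).get("settings", {}).items():
        manifest = ext.get("manifest")
        if not manifest:                       # component/placeholder entries carry no manifest
            continue
        # MV2 mixes host patterns into "permissions"; MV3 keeps them in "host_permissions".
        perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        reasons = []
        if perms & BROAD_HOSTS:
            reasons.append("can read and change every site")
        apis = sorted(perms & SENSITIVE_APIS)
        if apis:
            reasons.append("sensitive APIs: " + ", ".join(apis))
        if not ext.get("from_webstore", False):
            reasons.append("not installed from the Chrome Web Store")
        if reasons:
            installed = chrome_time(ext["install_time"]).date().isoformat() if "install_time" in ext else None
            out.append({"id": ext_id, "name": manifest.get("name", "?"),
                        "version": manifest.get("version", "?"),
                        "installed": installed, "reasons": reasons})
    return sorted(out, key=lambda r: (-len(r["reasons"]), r["name"]))


def load_prefs(path: str) -> dict:
    """Parse a Chrome Preferences / Secure Preferences file (copy it while Chrome is closed)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample in the shape of the "extensions.settings" map; IDs and names are invented.
SAMPLE_PREFS = {"extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {   # a "wallpaper" tool with network-tampering rights
        "from_webstore": True, "install_time": "13400000000000000", "state": 1,
        "manifest": {"name": "Sunset Wallpapers HD", "version": "2.3.1", "manifest_version": 3,
                     "permissions": ["webRequest", "tabs", "storage"],
                     "host_permissions": ["<all_urls>"]}},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {   # scoped to one site: nothing to flag
        "from_webstore": True, "install_time": "13300000000000000", "state": 1,
        "manifest": {"name": "Example Ticket Helper", "version": "1.0.4", "manifest_version": 3,
                     "permissions": ["storage"],
                     "host_permissions": ["https://tickets.example-university.edu/*"]}},
    "cccccccccccccccccccccccccccccccc": {   # sideloaded MV2 extension, broad hosts in "permissions"
        "from_webstore": False, "install_time": "13410000000000000", "state": 1,
        "manifest": {"name": "Search Booster", "version": "0.9", "manifest_version": 2,
                     "permissions": ["http://*/*", "https://*/*", "webRequestBlocking"]}},
    "dddddddddddddddddddddddddddddddd": {"state": 1},   # component entry without a manifest
}}}

if __name__ == "__main__":
    for r in audit_extensions(SAMPLE_PREFS):
        print(f"{r['name']} {r['version']} ({r['id']}, installed {r['installed']})")
        for reason in r["reasons"]:
            print(f"   - {reason}")
```

The install date is worth keeping in the report: when a batch of extensions from unrelated-looking publishers all landed in the same week, that is the fleet-level pattern the 38-publisher split was designed to hide from the Web Store's own review.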
🛠 New Tech
The UNC6508 Google Workspace attack is detectable if you look. Google provides a tool to audit email forwarding rules across your Workspace organization: in the Google Admin console, go to Reports → Audit → Email Log Search, and look for forwarding rule creation events. For personal Gmail accounts, go to Settings → See all settings → Forwarding and POP/IMAP and check whether any forwarding rules exist that you didn't set. Google also recently added a feature that notifies Workspace admins when forwarding rules are created for an account — make sure those alerts are turned on. For Chrome extension risk, tools like CRXcavator and Spin.AI audit your browser extensions and flag high-risk ones automatically.
💡 Deep Dive
Here's a way to steal everything from someone's email account without ever breaking into it, triggering a security alert, or touching their password: just quietly tell their email server to also send copies of everything to you.
That's what UNC6508 did. The China-linked group got initial access to accounts at medical and military research institutions — we don't know exactly how, but phishing is the most common entry point for this kind of operation. Once in, they didn't download files, install malware, or do anything that would obviously look like an attack. They just went to the email settings and added a forwarding rule.
A forwarding rule in Google Workspace works exactly as advertised: any email that matches your criteria automatically gets copied and forwarded to another address. Organizations use them legitimately all the time — forwarding emails from a shared inbox, redirecting messages during an employee's leave. The feature is normal, useful, and expected to exist.
UNC6508's rules were targeted. They didn't forward everything — that would fill up a storage bucket and create obvious traffic anomalies. They forwarded emails matching specific keywords relevant to the research they were after: grant names, project codenames, partner organization names, specific researchers. Everything that matched went silently to an attacker-controlled inbox. Everything else arrived normally and nothing seemed wrong.
The researchers and administrators on the receiving end had no idea. Their emails arrived as expected. Their sent messages worked. There was no slowdown, no error, no warning. The only way to know this was happening was to look at the email forwarding rules — which most organizations never audit.
The group stayed inside some networks for over a year. A year of medical research, grant applications, partnership negotiations, and internal strategy discussions — all silently copied to Beijing.
The practical takeaway is actionable: audit your email forwarding rules today. In Google Workspace, it's in the Admin console under Reports. In personal Gmail, check Settings → Forwarding, and also the Filters tab, since a filter can forward selected messages even when account-wide forwarding is switched off. If you see a rule you didn't set up, delete it and change your password immediately, then sign out all other sessions and check the account's recovery address, recovery phone, and third-party app access: whoever added the rule had enough access to change those too. This is one of those attacks where the detection is genuinely easy once you know to look.
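For the audit described in the New Tech section and in the takeaway just above, here is an added example of doing it programmatically rather than mailbox by mailbox in the console. It is my code, not anything published by Google, The Hacker News, or the UNC6508 reporting. `audit_user()` runs offline on the three objects the Gmail API returns for a mailbox (`users.settings.getAutoForwarding`, `forwardingAddresses.list`, `filters.list`) and flags account-wide forwarding, verified external forwarding addresses, and filters with a forward action, noting when a filter also archives or trashes the original so the victim never sees a trace. `fetch_user_settings()` shows the real API calls for pulling those objects with a domain-wide-delegated service account; the mailbox, domain, filter IDs and keyword list are constructed for the example, and the keyword list is only a stand-in for your own grant names and project codenames.

```python
"""Find silent forwarding rules in Gmail / Google Workspace mailboxes."""
from __future__ import annotations

from dataclasses import dataclass, field

# Stand-ins for the terms UNC6508's rules keyed on; use your own grant names,
# project codenames and partner organizations.
WATCH_TERMS = ("grant", "contract", "clinical", "trial", "protocol", "darpa")


@dataclass
class Finding:
    user: str
    kind: str            # "auto_forward", "forwarding_address" or "filter_forward"
    target: str          # address the mail is copied to
    severity: str
    hidden: bool = False                     # filter also archives/trashes the original
    keywords: list = field(default_factory=list)
    detail: str = ""


def _external(address: str, internal_domains: set) -> bool:
    return address.lower().rsplit("@", 1)[-1] not in internal_domains


def audit_user(user: str, auto_forwarding: dict, forwarding_addresses: dict,
               filters: dict, internal_domains: set, watch_terms=WATCH_TERMS) -> list:
    """Return Findings for one mailbox from the three Gmail settings objects."""
    findings = []

    # 1. Account-wide auto-forwarding (the Settings -> Forwarding and POP/IMAP page).
    if auto_forwarding.get("enabled"):
        target = auto_forwarding.get("emailAddress", "")
        findings.append(Finding(user, "auto_forward", target,
                                "high" if _external(target, internal_domains) else "medium",
                                detail=f"disposition={auto_forwarding.get('disposition')}"))

    # 2. Verified forwarding addresses. An external one is a foothold even when no
    #    rule currently uses it: someone with mailbox access clicked the verification mail.
    for fa in forwarding_addresses.get("forwardingAddresses", []):
        target = fa.get("forwardingEmail", "")
        if _external(target, internal_domains):
            findings.append(Finding(user, "forwarding_address", target, "medium",
                                    detail=f"verificationStatus={fa.get('verificationStatus')}"))

    # 3. Filters with a forward action: this is where keyword-targeted rules live.
    for flt in filters.get("filter", []):
        action = flt.get("action", {})
        target = action.get("forward")
        if not target:
            continue
        criteria = flt.get("criteria", {})
        text = " ".join(str(v) for v in criteria.values()).lower()
        hits = [t for t in watch_terms if t in text]
        hidden = ("INBOX" in action.get("removeLabelIds", [])
                  or "TRASH" in action.get("addLabelIds", []))
        severity = "high" if _external(target, internal_domains) else "low"
        findings.append(Finding(user, "filter_forward", target, severity, hidden, hits,
                                detail=f"filter={flt.get('id')} criteria={criteria}"))
    return findings


def fetch_user_settings(service, user: str):
    """Pull the three settings objects with an authorized googleapiclient Gmail
    resource (domain-wide delegation, read-only Gmail scope). Not exercised offline."""
    settings = service.users().settings()
    return (settings.getAutoForwarding(userId=user).execute(),
            settings.forwardingAddresses().list(userId=user).execute(),
            settings.filters().list(userId=user).execute())


# Constructed sample for one mailbox (invented addresses and filter IDs).
SAMPLE_USER = "researcher@example-university.edu"
SAMPLE_INTERNAL = {"example-university.edu"}
SAMPLE_AUTO_FORWARDING = {"enabled": False}
SAMPLE_FORWARDING_ADDRESSES = {"forwardingAddresses": [
    {"forwardingEmail": "collector@example-mail.net", "verificationStatus": "accepted"}]}
SAMPLE_FILTERS = {"filter": [
    {"id": "ANe1Bmj1", "criteria": {"query": 'grant OR "clinical trial" OR DARPA'},
     "action": {"forward": "collector@example-mail.net", "removeLabelIds": ["INBOX"]}},
    {"id": "ANe1Bmj2", "criteria": {"to": "helpdesk@example-university.edu"},
     "action": {"forward": "ticketing@example-university.edu"}},
    {"id": "ANe1Bmj3", "criteria": {"from": "newsletter@example.org"},
     "action": {"addLabelIds": ["Label_7"]}},
]}

if __name__ == "__main__":
    for f in audit_user(SAMPLE_USER, SAMPLE_AUTO_FORWARDING,
                        SAMPLE_FORWARDING_ADDRESSES, SAMPLE_FILTERS, SAMPLE_INTERNAL):
        print(f"{f.severity:6} {f.kind:18} -> {f.target}  hidden={f.hidden} "
              f"keywords={f.keywords}  {f.detail}")
```

Loop `fetch_user_settings()` over every mailbox from the Directory API and keep the results: the first run gives you a baseline, and every later run only needs to show what changed, which is the routine audit the newsletter notes most organizations never do.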