
June 16, 2026

China-nexus actor abuses domain-level compliance rules


At a glance: A China-nexus threat actor used domain-level content compliance rules to silently exfiltrate sensitive email, turning a built-in cloud email control into an automated collection channel. After gaining administrative access, the actor configured rules that scanned email traffic for targeted keywords and automatically copied matching messages to an external address. This activity, observed from September 2023 to November 2025, enabled continuous exfiltration through standard mail routing without any additional tooling in the environment.

Threat summary

On June 15, 2026, Google Threat Intelligence Group reported a campaign attributed to the People’s Republic of China (PRC)-nexus threat actor UNC6508 targeting medical, academic, and military research organizations in North America, with activity from September 2023 to November 2025.

UNC6508 gained initial access around September 2023 by compromising externally exposed REDCap (Research Electronic Data Capture) servers. REDCap is a web-based platform used to manage clinical and research data; its deployment model allows organizations to keep legacy versions running alongside the current installation, which means older, unpatched code can remain reachable.

The threat actor then deployed custom malware known as INFINITERED, which modified legitimate REDCap files to maintain persistence across upgrades and capture credentials submitted through the platform’s login functionality. The malware also enabled remote command execution through web requests, allowing continued access to compromised systems.

Credential harvesting enabled lateral movement from REDCap systems into the internal environment, where the actor obtained privileged access, including a domain administrator account. This level of access enabled control over enterprise services beyond the initially compromised systems.

Using administrative access, the threat actor accessed the organization’s cloud email environment and configured a domain-level content compliance rule for data exfiltration. The rule scanned email traffic for targeted keywords and patterns related to research, defense, and medical topics, then automatically forwarded matching messages to an external account under the threat actor’s control. This forwarding was implemented using blind carbon copy (BCC) functionality, which sends a copy of an email to a specified recipient without visibility to the sender or other recipients.

The rule operated within standard policy enforcement mechanisms and applied across users, enabling continuous collection of selected communications over time.

Analysis

Gaining administrator access allowed the threat actor to control how email was handled across the organization. Domain-level content compliance rules apply broadly and execute automatically, making them an effective mechanism for collecting data at scale once access is established.

Instead of deploying separate exfiltration tools, the actor used a native Google Workspace feature to copy selected emails externally. Messages continued to be delivered normally to users, while matching content was silently transmitted out of the environment through standard email routing.

This activity depended on access to a privileged account. The reporting shows that credentials were collected from compromised REDCap systems and then used to move laterally and reach admin control, which enabled the creation of the rule.

Protecting privileged access reduces exposure to this type of activity. Applying phishing-resistant multi-factor authentication to administrator accounts and limiting credential reuse reduces the likelihood of escalation. Restricting administrative privileges also limits the ability to modify global email policies.

Monitoring configuration changes is critical because this technique relies on legitimate controls rather than malware. Reviewing admin audit logs for the creation or modification of content compliance rules can identify unauthorized changes. Monitoring for new or modified forwarding behavior, particularly rules that copy or route messages outside the organization, provides an early signal of abuse. Because the copy is made by a domain-level rule rather than a per-user forwarding setting, reviewing only individual mailbox forwarding settings will not surface it; the change is recorded when the rule itself is created or edited.

Reviewing existing email handling policies helps identify unexpected configurations. Validating that content compliance and data loss prevention rules align with intended use, and regularly auditing those rules, helps surface unauthorized data flows.
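The two paragraphs above describe the detection point: a rule-level change, visible in the admin audit log, that adds a recipient outside the organization. The following is an added example (not code from the report or from Google) of that check run over constructed audit events. It assumes events shaped like Google Workspace Admin SDK Reports API `activities.list` results for the `admin` application, that Gmail setting changes arrive as `CREATE_GMAIL_SETTING` / `CHANGE_GMAIL_SETTING` events carrying `SETTING_NAME`, `OLD_VALUE`, `NEW_VALUE` and `ORG_UNIT_NAME` parameters, and that the rule text inside `NEW_VALUE` contains the recipient addresses in plain form; the organization's domains and the sample events are constructed for the example.

```python
"""
Added example: flag Gmail content compliance rule changes that add a recipient
outside the organisation's own domains.

Assumptions (not from the report):
- Input events follow the Reports API activity shape: {"id": {"time": ...},
  "actor": {"email": ...}, "events": [{"name": ..., "parameters": [...]}]}.
- Gmail setting changes use event names CREATE_GMAIL_SETTING and
  CHANGE_GMAIL_SETTING with SETTING_NAME / OLD_VALUE / NEW_VALUE / ORG_UNIT_NAME
  parameters, and the rule text in NEW_VALUE exposes recipient addresses.
"""
import re
from typing import Iterable

ORG_DOMAINS = {"example.org", "mail.example.org"}  # assumed organisation domains
GMAIL_SETTING_EVENTS = {"CREATE_GMAIL_SETTING", "CHANGE_GMAIL_SETTING"}
COMPLIANCE_RE = re.compile(r"content.?compliance", re.IGNORECASE)
ADDRESS_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def _parameters(event: dict) -> dict:
    """Flatten the Reports API name/value parameter list into a dict of strings."""
    flat = {}
    for p in event.get("parameters", []):
        value = p.get("value")
        if value is None and "multiValue" in p:
            value = " ".join(p["multiValue"])
        flat[p.get("name")] = value or ""
    return flat


def external_recipients(text: str) -> list:
    """Addresses found in text whose domain is not an organisation domain."""
    return [m.group(0) for m in ADDRESS_RE.finditer(text)
            if m.group(1).lower() not in ORG_DOMAINS]


def find_suspicious_rule_changes(activities: Iterable[dict]) -> list:
    """One finding per compliance-rule change that newly adds an external recipient.

    Comparing OLD_VALUE against NEW_VALUE keeps long-standing, already-reviewed
    external recipients from re-alerting on every unrelated edit to the rule.
    """
    findings = []
    for activity in activities:
        actor = activity.get("actor", {}).get("email", "unknown")
        when = activity.get("id", {}).get("time", "unknown")
        for event in activity.get("events", []):
            if event.get("name") not in GMAIL_SETTING_EVENTS:
                continue
            params = _parameters(event)
            setting = params.get("SETTING_NAME", "")
            if not COMPLIANCE_RE.search(setting):
                continue
            added = sorted(set(external_recipients(params.get("NEW_VALUE", "")))
                           - set(external_recipients(params.get("OLD_VALUE", ""))))
            if added:
                findings.append({
                    "time": when,
                    "actor": actor,
                    "event": event["name"],
                    "setting": setting,
                    "org_unit": params.get("ORG_UNIT_NAME", ""),
                    "external_recipients": added,
                })
    return findings


# Constructed sample events (not real log data).
SAMPLE_ACTIVITIES = [
    {   # benign: legal-hold BCC stays inside the organisation
        "id": {"time": "2025-03-01T10:00:00.000Z"},
        "actor": {"email": "itadmin@example.org"},
        "events": [{"name": "CREATE_GMAIL_SETTING", "parameters": [
            {"name": "SETTING_NAME", "value": "Content compliance: Retain legal notices"},
            {"name": "NEW_VALUE", "value": "match: 'subpoena'; action: modify; add bcc legal-hold@example.org"},
            {"name": "ORG_UNIT_NAME", "value": "/"},
        ]}],
    },
    {   # suspicious: root-OU rule widened to research keywords and an external BCC
        "id": {"time": "2025-04-12T02:17:43.000Z"},
        "actor": {"email": "da-svc@example.org"},
        "events": [{"name": "CHANGE_GMAIL_SETTING", "parameters": [
            {"name": "SETTING_NAME", "value": "Content compliance: Archive policy"},
            {"name": "OLD_VALUE", "value": "match: 'research'; action: modify; add bcc archive@mail.example.org"},
            {"name": "NEW_VALUE", "value": "match: 'research','clinical','defense'; action: modify; "
                                          "add bcc archive@mail.example.org, collector@external-relay.example"},
            {"name": "ORG_UNIT_NAME", "value": "/"},
        ]}],
    },
    {   # unrelated admin change, ignored
        "id": {"time": "2025-04-12T03:00:00.000Z"},
        "actor": {"email": "itadmin@example.org"},
        "events": [{"name": "CHANGE_APPLICATION_SETTING", "parameters": [
            {"name": "SETTING_NAME", "value": "Calendar sharing"},
            {"name": "NEW_VALUE", "value": "external sharing disabled"},
        ]}],
    },
]

if __name__ == "__main__":
    for finding in find_suspicious_rule_changes(SAMPLE_ACTIVITIES):
        print(finding)
```

In practice the same function can be fed by a scheduled pull from the Reports API (application name `admin`) and the findings routed to the SIEM; an edit at the root organizational unit by a service or break-glass account outside change windows, as in the constructed second event, is the pattern worth paging on. The recipient-level diff is the key design choice: it reports only what a change newly adds, so a reviewed archival rule does not re-alert each time its keywords are tuned.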

The report also highlights the role of REDCap systems in the initial compromise. Reducing exposure of these systems to the internet, removing legacy versions that may remain accessible, and monitoring for unauthorized changes reduces the risk of credential harvesting and persistent access.
