Calendly Emails Impersonate Major Brands in New Credential Theft Scheme

David Eberly
Contributing Writer

A new phishing campaign is using fake Calendly invites to impersonate trusted brands and steal login credentials from Google Workspace and Facebook Business users.

The attackers use sophisticated social engineering techniques, including AI-generated personalization and brand impersonation, to trick targets into engaging with convincing messages that lead to credential-harvesting pages.

Victims are initially lured with job opportunities from recognizable companies. The attack infrastructure includes multi-stage delivery, CAPTCHA checkpoints, fake Calendly interfaces, and Attacker-in-the-Middle (AiTM) login pages, which help the campaign evade detection tools and bypass two-factor authentication (2FA).

Why It Matters: This campaign demonstrates the advancement of phishing operations to evade traditional security tools. The use of familiar services like Calendly, combined with impersonation of well-known companies, increases the risk that victims will unknowingly grant access to business-critical accounts.

  • AI-Based Personalization Boosts Trust in the Attack: Phishing emails at the heart of this campaign are tailored, often referencing the recipient’s work history or recent projects. This level of detail is believed to be generated using artificial intelligence tools that scrape professional information from public sources such as LinkedIn. The attackers impersonate legitimate recruiters from respected companies like LVMH and Uber, increasing the likelihood that targets will believe the offer is real and respond. These details are carefully selected to align with the recipient’s industry or interests, giving the email a level of credibility that can bypass typical skepticism.
  • Calendly as a Familiar Cover for Delivery: Attackers have chosen Calendly, a widely used scheduling service, as the primary disguise for the phishing operation. Initial emails avoid including any direct malicious links, instead asking recipients if they’re interested in a supposed job opportunity. Only after the target responds does a follow-up email arrive, containing what appears to be a legitimate Calendly scheduling link. Clicking this link takes the target to a fake Calendly page, complete with a working CAPTCHA challenge. After this, the user is directed to a fake Google login page that copies the design and layout of the real interface, allowing attackers to intercept their login information.
  • Targeting Business Accounts with High Value: The campaign goes after users with access to advertising and business management platforms, particularly those with admin-level access to Google Ads Manager (MCC) and Facebook Business accounts. These accounts are desirable because they can be used to run advertising campaigns without the need for upfront funding, enabling attackers to distribute malware or phishing links using legitimate ad infrastructure. Additionally, because these accounts often link to other corporate systems through Single Sign-On (SSO), compromising them can potentially give attackers access to much wider sets of enterprise data and tools.
  • Phishing Pages Designed to Prevent Detection and Analysis: Researchers at Push Security have found that the infrastructure used in this phishing campaign includes several techniques to block cybersecurity professionals and security tools from analyzing the attack. The pages are programmed to detect VPN traffic and developer tools, and if either is detected, the page shuts down or blocks access. Furthermore, the phishing pages validate the target’s email domain before allowing access to the actual password field, reducing the likelihood of the page being discovered by scanning tools or researchers.
  • AiTM and BitB Tactics Used to Bypass Security Protections: The phishing operation uses Attacker-in-the-Middle (AiTM) methods to intercept session cookies and credentials, even if the user has two-factor authentication (2FA) enabled. In newer versions of the attack, the scammers employ a technique known as Browser-in-the-Browser (BitB), which presents fake pop-up windows within the browser that closely mimic legitimate login interfaces. These windows even contain real-looking URLs to trick users into believing they are entering information into a secure platform. Push Security confirmed that these tactics have successfully targeted multiple advertising accounts, with one variant distributing malicious links through sponsored Google search ads as part of a larger malvertising campaign.

Go Deeper -> Hackers Using Calendly-Themed Phishing Attack to Steal Google Workspace Account – The Hacker News

Fake Calendly invites spoof top brands to hijack ad manager accounts – BleepingComputer
