Hackers are employing a sophisticated phishing campaign that leverages the familiar interface of Calendly to steal Google Workspace account credentials. This targeted attack, identified by security analysts, uses convincing social engineering tactics to trick business professionals into divulging sensitive login information, posing a significant threat to organizational security.
The elaborate phishing operation was recently observed targeting professionals, impersonating recruiters from prominent companies like LVMH. The initial email, carefully crafted with personal details likely sourced from platforms like LinkedIn, offers a seemingly attractive job opportunity. This initial approach is designed to be highly persuasive, making recipients more likely to engage with the subsequent stages of the attack.
Calendly-Themed Phishing Attack Targets Google Workspace Accounts
This particular Calendly-themed phishing attack represents a significant evolution in credential theft techniques. By impersonating a recruiter and offering a compelling job prospect, attackers create a sense of legitimacy and urgency. The personalization of the initial outreach, potentially powered by AI, further enhances the believability of the email, making it harder for recipients to discern it as malicious.
Push Security analysts, who discovered the campaign, noted its multi-stage delivery mechanism. This approach is crucial for bypassing standard email security filters. The initial email does not contain suspicious links. Instead, it prompts the recipient to express interest. Only upon response does the attacker follow up with a message containing a link, cleverly disguised as a Calendly scheduling link.
This staged approach is a key strategy to evade content scanning tools that typically flag emails containing immediate malicious links. By delaying the introduction of the harmful element, the attackers increase the likelihood that the email will reach the intended victim’s inbox.
How the Credential Theft Mechanism Operates
Once a user clicks on the phishing link, they are directed to a fake Calendly page. This page is designed to be an almost exact replica of the legitimate service, further lulling the victim into a false sense of security. After successfully navigating a CAPTCHA verification, users are presented with a “Continue with Google” button.
Clicking this button triggers a redirect to an Attacker-in-the-Middle (AiTM) phishing page. This page is specifically crafted to mimic Google’s login interface but is emblazoned with familiar Calendly branding, reinforcing the illusion of a legitimate scheduling process. The primary objective at this stage is to capture the user’s Google Workspace login credentials.
The attackers have implemented advanced validation mechanisms within their phishing infrastructure. These systems are designed to prevent unauthorized access. For instance, the fake login page will only allow access if the email originates from the intended victim’s organizational domain. This ensures that only targeted individuals can proceed to the credential entry field.
Furthermore, researchers have identified sophisticated anti-analysis features built into the attack. These include IP blocking that prevents access from VPN or proxy connections, thereby hindering investigators. Additionally, the pages are programmed to restrict access when developer tools are opened, indicating a proactive effort to thwart security analysis and research.
The campaign has a history of over two years, demonstrating a persistent and evolving threat. Attackers have continuously refined their methodologies, consistently introducing new evasion techniques to maintain their operational effectiveness against evolving security measures. This ongoing adaptation highlights the importance of staying vigilant and informed about emerging phishing tactics targeting business accounts.
The ongoing evolution of this phishing campaign necessitates a continued focus on user education and the implementation of robust security protocols within organizations. As attackers become more sophisticated, staying informed about their latest tactics is crucial for safeguarding sensitive data and maintaining the integrity of digital workspaces.