Researchers Discover A Novel Email Phishing Attack Involving Calendly

INKY has published research analyzing a novel email phishing attack. Delivered via hijacked accounts, the emails lure victims to the modern scheduling platform Calendly, where the threat actors crafted a clever sequence leading to a credential-harvesting payload that impersonates Microsoft 365. INKY’s cybersecurity researchers detected this credential-harvesting operation, in which hackers exploit the free online appointment scheduling software by inserting malicious links on Calendly’s event invitations.

Calendly displays confirmation pages to invitees after scheduling, and these pages are customizable. The phishers discovered this and used the “Add Custom Link” feature to insert a malicious link on the event confirmation page, which they dressed up as a fraudulent SharePoint notification with fax attributes, including several pages/file sizes.

As part of the company’s investigation, an INKY engineer entered a fake username and password to test the phishing site and got a fake invalid-password error. Behind the scenes, the attackers harvested the fake credentials. Another attempt to log in led to a second harvesting event, whereupon the victim was redirected to their own (supposed) domain.

I had a look at this report yesterday ahead of its publication and I have to admit that this is crafty. Many people are so used to doing whatever a site is telling them to do that I can see how this would be effective. It underlines that everyone needs to be vigilant 100% of the time.

You can read the full report here.

UPDATE: A Calendly spokesperson reached out to me with this statement:

“Security is a top priority at Calendly. Similar to other major technology providers, we have an extensive network of tools and systems in place, such as a next-generation web application firewall, fraudulent IP tracking, and anomalous traffic pattern alerts. We also recommend customers add an additional layer of protection with a password manager and two-factor authentication. 

In this instance, a malicious link was inserted into a customized booking page. Phishing attacks violate our Terms of Service and accounts are immediately terminated when found or reported. We have a dedicated team that constantly enhances our security techniques, and we will continue to refine and stay vigilant to protect our users and combat such attacks.”

