The IT Nerd

INKY has published research that analyzes a novel email phishing attack delivered via hijacked accounts luring victims to the modern scheduling platform Calendly where the threat actors crafted a clever sequence leading to a credential-harvesting payload that impersonates Microsoft 365. INKY’s cybersecurity researchers detected this credential harvesting operation exploiting the free online appointment scheduling software by hackers inserting malicious links on Calendly’s event invitations. 

Calendly displays confirmation pages for invitees after scheduling, which are customizable. In this attack, phishers uncovered this and created a fraudulent SharePoint notification with fax attributes including several pages/file sizes using the “Add Custom Link” feature to insert a malicious link on the event confirmation page. 

As part of the company’s investigation, an INKY engineer entered a fake username and password to test the phishing site and got a fake invalid-password error. Behind the scenes, the attackers harvested the fake credentials. Another attempt to log in led to a second harvesting event, whereupon the victim was redirected to their own (supposed) domain.

I had a look at this report yesterday ahead of its publication and I have to admit that this is crafty. Many people are so used to doing whatever a site telling them to do that I can see how this would be effective. It underlines that everyone needs to be vigilant 100% of the time.

You can read the full report here.

UPDATE: A Calendly spokesperson reached out to me with this statement:

“Security is a top priority at Calendly. Similar to other major technology providers, we have an extensive network of tools and systems in place, such as a next-generation web application firewall, fraudulent IP tracking, and anomalous traffic pattern alerts. We also recommend customers add an additional layer of protection with a password manager and two-factor authentication. 

In this instance, a malicious link was inserted into a customized booking page. Phishing attacks violate our Terms of Service and accounts are immediately terminated when found or reported. We have a dedicated team that constantly enhances our security techniques, and we will continue to refine and stay vigilant to protect our users and combat such attacks.”

This entry was posted on March 31, 2022 at 8:33 am and is filed under Commentary with tags Phishing. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.