Cyber attackers are phishing Microsoft users who use Calendly – an online calendar tool – into handing over their email credentials. The Calendly phishing attack first appeared in February 2022 and is specifically targeting subscribers of Google Workspace and Microsoft 365.
Calendly is a popular app that helps people and companies plan meetings, appointments, and events – both virtually and in-person. The app allows users to browse the available slots in the organiser’s calendar and select a time window that suits both participants.
Phishing attack using Calendly
Calendly is a calendar hub that makes scheduling simple. It’s quick and easy to sign up for, and Calendly allows customers to establish free accounts without having to provide credit card information – which makes it an easy target for black hat hackers.
Calendar applications like Calendly also often integrate with other apps or programmes – such as email or video conferencing tools like Zoom – which makes phishing attacks sent via their platforms stealthier and more convincing than standard phishing attempts.
How it works
Threat actors use Calendly’s free tools to send a customised invite email, using the “Add Custom Link” option to include a malicious link in this calendar invite. This is usually labelled as a “Preview Document” button.
Clicking on this link sends the victim to a URL with a blurred document background and a false Microsoft login page.
Users are then asked to enter their Microsoft email credentials – which are then sent directly to the attackers. (Our researchers used a fictitious username and password.)
Next, the victim receives an “Invalid Password” error message and is invited to enter their login details a second time. This helps the hackers eliminate any dud accounts, and potentially even gain a second set of credentials.
After re-entering their details, the user is automatically redirected to the official (and legitimate) domain of the email account they entered. This reduces the chances of victims realising their account has been compromised.
Code to look for
After two failed login attempts, the page calls the “replace” method, which swaps the old malicious URL for a new, safe one.
Because the attackers use the “replace()” technique, the phishing URL isn’t stored in the browser’s session history. This means the user cannot return to the phishing site by using the back button.
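The following is an added example, not code from the original article or from the phishing kit: a static check a responder could run over a saved copy of a suspect page to flag the combination described above. It assumes the “replace” method referred to is the browser's location.replace(); the function name, sample pages and hostnames are constructed for illustration.

```javascript
// Heuristic triage of a saved page: credential form + location.replace()
// to another host (or to a target built at runtime). Obfuscated scripts
// will evade this; treat a hit as a reason to look closer, not a verdict.
const REPLACE_CALL = /\blocation\.replace\(([^)]*)\)/g;
const STRING_LITERAL = /^\s*(["'`])([^"'`]*)\1\s*$/;
const PASSWORD_FIELD = /<input\b[^>]*\btype\s*=\s*["']?password\b/i;

function triagePage(html, servedFromUrl) {
  const servedHost = new URL(servedFromUrl).hostname.toLowerCase();
  const result = {
    passwordField: PASSWORD_FIELD.test(html),
    crossHostTargets: [], // literal URLs pointing at a different host
    dynamicTargets: [],   // arguments assembled at runtime
  };
  for (const [, arg] of html.matchAll(REPLACE_CALL)) {
    const literal = STRING_LITERAL.exec(arg);
    if (!literal) {
      result.dynamicTargets.push(arg.trim());
      continue;
    }
    try {
      const host = new URL(literal[2], servedFromUrl).hostname.toLowerCase();
      if (host !== servedHost) result.crossHostTargets.push(host);
    } catch {
      result.dynamicTargets.push(arg.trim()); // unparsable: review by hand
    }
  }
  result.suspicious = result.passwordField &&
    (result.crossHostTargets.length > 0 || result.dynamicTargets.length > 0);
  return result;
}

// Constructed samples (not captured from a real campaign).
const SAMPLE_LURE = `
<form><input type="email" id="u"><input type="password" id="p"></form>
<script>
  var attempts = 0;
  function done(domain) {
    if (++attempts >= 2) window.location.replace("https://" + domain);
  }
</script>`;
const SAMPLE_BENIGN = `
<form><input type="password" name="pw"></form>
<script>function ok() { location.replace("/dashboard"); }</script>`;

console.log(triagePage(SAMPLE_LURE, "https://docs-preview.example/view"));
console.log(triagePage(SAMPLE_BENIGN, "https://intranet.example/login"));
```

A same-host redirect after login, as in the second sample, is normal behaviour and is not flagged; the signal is a password field on one host paired with a history-replacing jump somewhere else.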
How to prevent Calendly login compromises
- Install antivirus software. Phishing is just one way hackers will try to deliver malware that might compromise your computer security.
- Install two-factor authentication systems (2FA). We also recommend using an authenticated password manager for further security.
- Regular phishing training. Employers should use simulated phishing emails to check whether employees can recognise these potentially damaging attacks, and provide regular security awareness training to help protect their business.