Calendly Calendar App Phishing Scam Targets Microsoft Account Holders

Cyber attackers using the online calendar tool Calendly are phishing Microsoft users into handing over their credentials. Calendly is a popular app with Zoom integration that allows people and companies to plan meetings, appointments, and events. It enables users to browse all available slots in the organiser’s calendar and select a time window that suits both participants.

The attackers send Calendly-generated emails telling victims that a new document is waiting for them, but the link behind the “Preview Documents” button opens a fake Microsoft login page that collects the victim’s credentials. To save the cybercriminals time sorting through submissions with typos, the fake login window asks victims to type their password twice, claiming they entered it incorrectly the first time.

Calendar applications such as Calendly are frequently left open in background tabs and integrate with other apps and programmes, which makes attacks delivered through their platforms stealthier and more convincing than standard phishing attempts. The Calendly phishing attack, which began in February 2022, targets subscribers of Google Workspace and Microsoft 365.

Phishing attack using Calendly

A newly discovered credential harvesting operation misused Calendly, a freemium calendaring hub, by injecting malicious URLs into Calendly invitations. Calendly allows customers to establish free accounts without providing credit card information, which black hats love.

Calendly makes scheduling simple and quick to sign up for

To produce these emails, the threat actors exploited a Calendly feature that lets users create customised invitation emails, together with the “Add Custom Link” option, to embed a malicious link in the calendar event.

On the Calendly invitation, there is a malicious link embedded (Inky)

Calendly’s invite pages can be customised. In this case the phishers used those features to construct a false fax document notice, complete with details such as the number of pages and the file size. They placed the malicious link on the event page using the Add Custom Link tool.

The victim is prompted to re-enter their password due to a fake mistake (Inky)

Researchers took the bait and clicked the link, entering a fictitious username and password on the phishing site. Any credentials entered in the form are sent directly to the threat actors, while the victim is told the password was incorrect and asked to re-enter it. To reduce the chances of the victim noticing the intrusion, after the second attempt the victim is automatically redirected to the domain of the email address they entered.

HTML code for dynamic redirecting (Inky)

After two login attempts, the page’s JavaScript calls location.replace() to swap the malicious URL for a new, harmless one. Because the attackers used replace() rather than a normal navigation, the phishing site is not stored in the browser’s session history, so the user cannot return to it with the back button.
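As an added example (not Inky’s analysis code nor anything from Calendly), here is a small Python heuristic that scans a captured login page for the three traits described above: a password field, a submit counter behind the double password prompt, and a location.replace() whose target is built from the domain of the e-mail the victim typed. The HTML sample is constructed for this example.

```python
import re
from html.parser import HTMLParser

# Constructed sample mirroring the article's pattern (not a real phishing page):
# password form, submit counter, second-attempt location.replace() to the e-mail's domain.
SAMPLE_HTML = """
<form id="login">
  <input type="email" name="user"><input type="password" name="pass">
  <div id="err">Your password is incorrect, please try again.</div>
</form>
<script>
var attempts = 0;
function onSubmit() {
  if (++attempts >= 2) {
    var domain = document.getElementById('user').value.split('@')[1];
    window.location.replace('https://' + domain);
  }
}
</script>
"""

class _PageScan(HTMLParser):
    # Record whether a password field exists and collect every inline script.
    def __init__(self):
        super().__init__()
        self.has_password, self.scripts, self._in_script = False, [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self.has_password |= tag == "input" and (a.get("type") or "").lower() == "password"
        self._in_script |= tag == "script"
    def handle_endtag(self, tag):
        self._in_script &= tag != "script"
    def handle_data(self, data):
        if self._in_script: self.scripts.append(data)

REPLACE_RE = re.compile(r"location\s*\.\s*replace\s*\(")                      # history-hiding redirect
SPLIT_AT_RE = re.compile(r"split\s*\(\s*['\"]@['\"]\s*\)\s*\[\s*1\s*\]")        # domain taken from e-mail
ATTEMPT_RE = re.compile(r"\b(attempt|tries|count)\w*\s*(\+\+|\+=|>=?\s*2)", re.I)  # submit counter

def score_page(html):
    # Return the suspicious traits found; an empty list means nothing matched.
    p = _PageScan(); p.feed(html)
    js = "\n".join(p.scripts)
    findings = []
    if p.has_password and REPLACE_RE.search(js):
        findings.append("password form plus location.replace() (page kept out of history)")
    if SPLIT_AT_RE.search(js) and REPLACE_RE.search(js):
        findings.append("redirect target built from the entered e-mail's domain")
    if ATTEMPT_RE.search(js):
        findings.append("submit attempt counter (double password prompt)")
    return findings
```

A page scoring all three traits is a strong candidate for the pattern Inky describes; a single trait on its own (for example replace() on a legitimate login page) is only a weak signal.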

What to keep an eye out for

The Calendly application is intended to protect users from phishing attempts through built-in security technologies such as a next-generation web application security system, alerts for unusual traffic patterns, and malicious IP tracing tools.

Having antivirus software installed is usually a smart idea, since phishing is one of the approaches most widely used to deliver malware that can compromise your computer’s security.

To prevent unwanted access to email accounts, the company suggests that customers enable two-factor authentication (2FA). According to Calendly, customers should also use a password manager for further security.

Staff should be trained regularly, and organisations should send out simulated phishing emails to check whether employees can recognise these potentially damaging attacks.
