Black-hat hackers have been running a tight phishing schedule, using the Calendly app to trick Microsoft and Google users into giving up their personal data, says a report by infosecurity firm Inky.

The threat actors behind the latest scam inserted malicious links into Calendly event invitations, before sending phishing emails from hijacked accounts, inviting unwary Microsoft 365 and Google Workspace users to click on “new documents received.” Doing so led victims straight to the bogus events in a cunning credential harvesting operation.

“In the constant search for novel hacks, cybercriminals have been cycling their way through a multitude of free sites, both to send phishing emails, and to host malware injection mechanisms,” said the report by Inky.

“Black hats tried to lure victims to Calendly, a free calendar app, where they had crafted a clever sequence that led to a credential-harvesting payload.”

In one example, scammers used Calendly’s customization features to conjure up a fake fax notification, complete with convincing details such as the number of pages and file size – as well as the malicious link.

“Hovering over the link would have shown that it led to a hijacked site listed in Google, Firefox, and Netcraft threat feeds,” said Inky.

Screenshot of fake fax notification and malicious link

Turning the tables

At this point, Inky researchers investigating the suspected scam decided to give the cybercriminals a taste of their own medicine – entering fake usernames and passwords, and keeping tabs on the crooks as they unknowingly harvested the bogus credentials.

But the threat actors had one last trick up their sleeves. Upon entering the fake login details a third time – itself thought to be a clever mimicking of the standard “three-strikes” approach to logging in – the research team was “blown off” to a legitimate website, in this case, the landing page for Inky.

“This pattern of two login attempts followed by a blow-off to a benign webpage is fairly standard in the phishing world,” said Inky.

“Either the phishers are hoping the victim will try two different accounts, or they just want to make sure the credentials they have are correct. In any case, setting them down gently on their own domain is a clever touch.”

The scammers used elements of the victims’ domain names or email addresses to accomplish this “dynamic redirection” and lull them into a false sense of security.

“We tested the phishing site several times with different username domains, and, in every case, the site redirected to the username domain,” said Inky.

The hackers behind the scam also took pains to cover their tracks. “As an extra benefit to the black hats, the phishing site was not saved in the browser’s session history,” said Inky. “So, the user would not be able to use the back button to navigate back to the phishing site.”

Inky conducted the investigation after it was tipped off by dozens of Google Workspace and Microsoft 365 users about the suspicious documents in their inboxes.

More from Cybernews:

Data shows the growth in cloud-based security breaches

Should websites do more to encourage better passwords?

Tom Hope, CardLogix: “digital identity stored in a mobile phone carries the highest risk”

Pankit Desai, Sequretek: “today, attackers use much more advanced modes of cyberattacks to compromise enterprises”

Anthony Stevens, 6clicks: “old school methodologies and legacy GRC systems are not just archaic, but dangerous”

Subscribe to our newsletter