The security analysts at INKY have recently discovered a new phishing campaign that targets Calendly, an automated meeting scheduling tool. The company explained that the campaign aims to steal users’ credentials by embedding malicious links into Calendly event invitations.
Calendly is a popular app that allows users to schedule meetings, appointments, and events for individuals and organizations. It allows users to see all the available openings in the organizer’s schedule and choose an ideal time slot for both parties. Calendly supports Google, Office 365, and Outlook calendars, and it has integrations with popular apps like Zoom, GoToMeeting, and Microsoft Teams.
According to the report, the threat actors designed a fake email notification from Calendly, informing users that they have received a new fax document. The hackers abused the “Add Custom Link” feature to embed the malicious link within the text on the event page to make it look less suspicious.
Once the link is opened, the user is redirected to a phishing page that mimics a legitimate Microsoft login form and captures the credentials entered into it. The Calendly phishing campaign, which started in February 2022, targets Google Workspace and Microsoft 365 customers.
“If the victim had not been tipped off by the strangeness of the situation, they might have clicked on the PREVIEW DOCUMENT link and been taken to a credential-harvesting page that impersonated Microsoft. Hovering over the link (indicated by the red arrow above) would have shown that it led to https://dasigndesigns[.]com/ss/updation/index.html, a hijacked site that is listed in Google, Firefox, and Netcraft threat feeds,” INKY explained.
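The lure described above combines enticing anchor text ("PREVIEW DOCUMENT") with a destination that only shows on hover. A mail filter can make that mismatch explicit by extracting each link's text and host and flagging lure wording that points outside the domains a genuine notification would use. The example below is added here and is not INKY's or Calendly's code; the expected-domain set, the lure words and the sample message are assumptions constructed for illustration (the destination host is a placeholder, not the site named in the report).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains a legitimate Calendly notification or a genuine
# Microsoft document preview would send the reader to.
EXPECTED_DOMAINS = {"calendly.com", "microsoft.com", "office.com", "live.com"}
# Assumption: anchor wording typical of a "new document" credential lure.
LURE_WORDS = ("preview document", "view document", "fax")


class LinkCollector(HTMLParser):
    """Collects (href, anchor text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def in_expected_domain(host):
    """True if host is one of the expected domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in EXPECTED_DOMAINS)


def suspicious_links(html):
    """Return (anchor text, host) for lure-worded links leaving expected domains."""
    parser = LinkCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if any(w in text.lower() for w in LURE_WORDS) and not in_expected_domain(host):
            hits.append((text, host))
    return hits


# Constructed sample modelled on the reported lure; the host is a placeholder.
SAMPLE = """<p>You have received a new fax document.</p>
<a href="https://calendly.com/event/123">View event</a>
<a href="https://phish-host.invalid/ss/updation/index.html">PREVIEW DOCUMENT</a>"""
```

Running `suspicious_links(SAMPLE)` returns only the "PREVIEW DOCUMENT" link, since the "View event" link resolves to an expected domain.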
In a statement shared with Bleeping Computer, a Calendly spokesperson emphasized that security is their “top priority.” The company said it protects users against phishing attacks with built-in security tools such as a next-gen web application firewall, anomalous traffic pattern alerts, and fraudulent IP tracking capabilities.
“In this instance, a malicious link was inserted into a customized booking page. Phishing attacks violate our Terms of Service and accounts are immediately terminated when found or reported. We have a dedicated team that constantly enhances our security techniques, and we will continue to refine and stay vigilant to protect our users and combat such attacks,” the Calendly spokesperson said.
Calendly has also detailed a couple of steps that should help users improve their security. The company recommends that users enable two-factor authentication (2FA) to block unauthorized access to their email accounts. Calendly also advises customers to use a password manager for additional protection.