A sophisticated phishing scheme has been exploiting Google Calendar invites and Google Drawings pages to pilfer login credentials while evading spam filters, leaving unsuspecting users vulnerable.
According to Check Point, which has been monitoring the phishing attack, the threat actors targeted approximately 300 manufacturers, sending more than 4,000 suspicious emails within a four-week period.
Check Point told BleepingComputer that the attacks targeted a diverse range of organizations, encompassing educational institutions, healthcare providers, construction companies, and financial institutions.
Attackers initiate the assault by exploiting Google Calendar’s functionality to send seemingly harmless meeting invites, which can be easily mistaken for legitimate communications from acquaintances.
The invitations contain a hyperlink leading to Google Forms or Google Drawings. That page in turn prompts the user to click another link, often masquerading as a reCAPTCHA or help button.
Researchers at Check Point told BleepingComputer that the attackers use the legitimate Google Calendar service to send the invitations, which lets them evade spam filters because the phishing invitations originate from a trustworthy Google source.
“The attackers leveraged Google Calendar’s infrastructure to craft seemingly legitimate invites, mimicking the appearance of notifications sent by ordinary users.”
The researchers shared email headers showing that the invitations passed DKIM, SPF, and DMARC checks, allowing the fraudulent invitations to bypass security filters and reach the intended victims' inboxes.
To increase the volume of phishing emails sent to targets, attackers can cancel the Google Calendar event and add a message that is then sent to the invitees.
That message may also include a hyperlink, giving the attackers another way to direct users to phishing pages.
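Because these invitations pass DKIM, SPF and DMARC, triage has to inspect the invite itself rather than the authentication verdict. The following Python is an added example, not code from the researchers or from Google: it parses the `text/calendar` part of a message and reports Google Forms or Google Drawings links in invites and cancellations whose organizer is not a known sender. The `known_senders` allowlist, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

WATCHED_PATHS = ("/forms/", "/drawings/")  # docs.google.com targets named in the article
URL_RE = re.compile(r"https?://[^\s\"'<>\\]+")

def unfold_ics(text):
    """Undo RFC 5545 line folding: a line break followed by space or tab."""
    return re.sub(r"\r?\n[ \t]", "", text)

def triage_invite(raw, known_senders):
    """Return (method, organizer, url) for each watched link in an invite
    whose organizer is not a known sender. Authentication results are
    deliberately ignored, since these invites pass DKIM, SPF and DMARC."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/calendar":
            continue
        ics = unfold_ics(part.get_content())
        m = re.search(r"^METHOD:(\w+)", ics, re.M)
        method = m.group(1).upper() if m else "UNKNOWN"
        o = re.search(r"^ORGANIZER[^:\r\n]*:mailto:(\S+)", ics, re.M | re.I)
        organizer = o.group(1).lower() if o else ""
        if organizer in known_senders:
            continue
        for url in URL_RE.findall(ics):
            parsed = urlparse(url)
            if parsed.hostname == "docs.google.com" and any(
                    p in parsed.path for p in WATCHED_PATHS):
                findings.append((method, organizer, url))
    return findings

# Constructed sample message (not taken from the campaign); note the folded URL.
SAMPLE = r"""From: notifications@calendar.example
Subject: Invitation: Review
Authentication-Results: mx.corp.example; dkim=pass; spf=pass; dmarc=pass
Content-Type: text/calendar; method=REQUEST; charset=utf-8

BEGIN:VCALENDAR
METHOD:REQUEST
BEGIN:VEVENT
ORGANIZER;CN=Unknown:mailto:sender@unknown.example
DESCRIPTION:Confirm here: https://docs.google.com/drawings/d/PLACE
 HOLDER/preview\nThanks
END:VEVENT
END:VCALENDAR
"""
```

Calling `triage_invite(SAMPLE, {"colleague@corp.example"})` returns one finding for the constructed message even though its `Authentication-Results` header shows all three checks passing.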
Phishing scams that abuse Google Calendar are a persistent threat, despite efforts by Google to make such invitations simpler to block in advance.
If a Google Workspace administrator does not enable these safeguards, invitations are still added to users' calendars automatically.
We recommend exercising caution when encountering unsolicited meeting invitations and advise against clicking hyperlinks from unverified senders until the authenticity of the message can be confirmed.