An ongoing phishing scam is abusing Google Calendar invites and Google Drawings pages to steal credentials while bypassing spam filters.
According to Check Point, which has been monitoring the phishing attack, the threat actors have targeted 300 brands with over 4,000 emails sent in four weeks.
Check Point told BleepingComputer that the attacks targeted a broad range of companies, including educational institutions, healthcare services, building companies, and banks.
The attack starts with the threat actors using Google Calendar to send meeting invites that look pretty innocuous, especially if you recognize some of the other guests.
Embedded in these invites, as shown below, is a link that leads to Google Forms or Google Drawings that prompt the user to click another link, typically disguised as a reCaptcha or support button.
Source: Check Point
Email Researchers at Check Point told BleepingComputer that by utilizing the Google Calendar services to initiate the phishing invites, they bypass spam filters as they are coming from a legitimate Google service.
"The attackers utilized Google Calendar services, making the headers appear completely legitimate and indistinguishable from invitations sent by any typical Google Calendar user," Check Point told BleepingComputer.
The researchers shared an image of the email headers, showing they passed DKIM, SPF, and DMARC email security checks, allowing the phishing invite to land in the targets' inboxes.
Source: Check Point
To double the number of phishing emails sent to the target, the threat actors can also cancel the Google Calendar event and include a message that will be sent to attendees.
This message can also include a link, such as a Google Drawings link, to further drive targets to phishing pages.
Source: Check Point
Google Calendar phishing is not new, with Google previously rolling out protections allowing users to block these types of invites more easily.
However, if a Google Workspace administrator does not enable these protections, you will continue to have invites automatically added to your calendars.
Check Point recommends that users be wary of all meeting invites received, and if they prompt you to click on a link, ignore them unless you trust or confirm the sender.
Related Articles:
Novel phishing campaign uses corrupted Word documents to evade security
HubSpot phishing targets 20,000 Microsoft Azure accounts
New fake Ledger data breach emails try to steal crypto wallets
Might need a mass password reset one day? Read this first.
Citrix shares mitigations for ongoing Netscaler password spray attacks
Original Article Published at Bleeping Computer
________________________________________________________________________________________________________________________________