Companies in multiple sectors are being targeted in an ongoing phishing campaign in which initial contact is made by email in the form of Google Calendar-generated meeting invites. The campaign has proven effective, especially when the recipient recognizes other guests on the invite. It has been active throughout December, with at least 1,000 of these phishing emails identified each week, according to Check Point.
The aim of the phishing emails is to trick the recipients into clicking a link in the email or opening a Calendar file attachment (.ics), both of which will send the user to either Google Forms or Google Drawings. Next, the user is tricked into clicking another link, which could be a support button or a fake reCAPTCHA. A click will drive the user to the scam page, where they will be taken through a fake authentication process that captures personal information, and ultimately payment card information. This campaign could easily be adapted to obtain credentials rather than payment card details, and campaigns in the past that abused Google Calendar have targeted credentials.
An attacker only needs to obtain an individual’s email address to send the calendar invite, and the emails look exactly like a genuine invite for a meeting. Since the legitimate Google Calendar service is used to generate the phishing invites, the emails are generally not blocked by spam filtering services. Since the sender is legitimate and trusted, the emails pass SPF, DKIM, and DMARC checks, guaranteeing delivery.
Depending on the user’s settings, these may be automatically added to the user’s calendar. The threat actor can then trigger a second email by canceling the meeting and has been doing so in this campaign. The cancellation email also includes a hyperlink to a malicious website.
The use of Google Calendar invites in phishing is nothing new. It is effective as it ensures a large number of requests land in inboxes, and Google Calendar will be familiar to most people, considering there are more than 500 million active users of the tool.
There are simple steps to take to block these threats, although the first option will also limit legitimate functionality for genuine invites. To block these attempts, go into Google Calendar settings and, under the event settings, switch from "automatically add invitations" to "only show invitations I have responded to." Also, open Gmail settings and uncheck "automatically add events from Gmail to my calendar." To avoid disabling the functionality, enable the "only known individuals" setting in Google Calendar, which will generate an alert if the user has had no past interactions with the sender.
It is important to have an advanced email security solution that is capable of detecting sophisticated phishing attacks that bypass the standard reputation checks that are present in virtually all spam filtering software – SPF, DKIM, and DMARC. Advanced spam filtering solutions incorporate AI and machine learning capabilities and can detect anomalies in inbound emails and flag them as suspicious or send them for deeper inspection in an email sandbox. In the sandbox, the message can be analyzed for malicious content, including following the link to check the destination URL. While this campaign does not use malware, an email filtering service with email sandboxing will also protect against malware threats.
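As an added illustration (not code from the article, Check Point, or TitanHQ), the following Python triage routine applies the two controls described above to an .ics invite: it unfolds the RFC 5545 lines, pulls the organizer and any links out of the DESCRIPTION, LOCATION and URL properties, and holds an invite or cancellation for URL inspection when the organizer is not a known sender and the invite carries a link. The sample invite, its addresses and the known-sender list are constructed assumptions.

```python
import re

# Constructed sample invite (not a real artifact): the organizer is a stranger and
# the DESCRIPTION lure link is folded across two lines, as RFC 5545 permits.
SAMPLE_ICS = """BEGIN:VCALENDAR
METHOD:REQUEST
BEGIN:VEVENT
ORGANIZER;CN=Unknown Sender:mailto:organizer@example.invalid
ATTENDEE;CN=Alice:mailto:alice@corp.example
SUMMARY:Quarterly review
DESCRIPTION:Please confirm attendance here: https://forms.example.invalid/vie
 wformResponse?id=123 and complete the reCAPTCHA.
END:VEVENT
END:VCALENDAR
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def unfold(ics: str) -> list[str]:
    """Join RFC 5545 continuation lines (those starting with a space or tab)."""
    lines: list[str] = []
    for raw in ics.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_invite(ics: str) -> dict:
    """Extract METHOD, organizer address and every URL in the link-bearing properties."""
    info = {"method": "", "organizer": "", "urls": []}
    for line in unfold(ics):
        name, _, value = line.partition(":")
        prop = name.split(";", 1)[0].upper()  # drop parameters such as ;CN=...
        if prop == "METHOD":
            info["method"] = value.strip().upper()
        elif prop == "ORGANIZER":
            info["organizer"] = value.strip().lower().removeprefix("mailto:")
        elif prop in ("DESCRIPTION", "LOCATION", "URL"):
            info["urls"].extend(URL_RE.findall(value))
    return info


def triage(ics: str, known_senders: set[str]) -> dict:
    """Mirror the 'known senders' control: a request or cancellation from an organizer
    the user has never dealt with that carries a link is held for URL inspection."""
    info = parse_invite(ics)
    unknown = info["organizer"] not in known_senders
    info["hold_for_inspection"] = unknown and bool(info["urls"])
    return info
```

Because the same organizer sends both the invite and the later cancellation, the cancellation (METHOD:CANCEL) is triaged by the same rule rather than being trusted as a follow-up.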
Meeting invites, calendar invites, and collaboration requests are commonly used in phishing campaigns and are sent from trusted domains that often bypass spam filtering controls, so it is important to cover these types of scam emails in security awareness training. Employees should be made aware that these requests may not be what they seem, even if they have been sent via a legitimate service. Businesses can also gauge how susceptible employees are to these types of scams using a phishing simulator. SafeTitan includes many phishing templates involving invites from legitimate services to allow businesses to incorporate these into their simulations.
Call TitanHQ today for more information on improving your defenses against phishing with the SafeTitan security awareness training platform, SpamTitan email security, and the PhishTitan anti-phishing solution for Microsoft 365.