Invitation to Trouble: The Rise of Calendar Phishing Attacks

Cofense PDC observed threat actors sending spoofed Microsoft and Google Calendar invitations whose embedded links redirect recipients to fake login pages that harvest credentials. Users should verify the sender address and the link destination before acting on a calendar invite, and organizations should deploy real-time defenses to detect and respond to these calendar-based phishing campaigns.

Key points

  • Threat actors are sending spoofed Microsoft and Google Calendar invites that visually mimic legitimate invites to increase click-through rates.
  • Attackers use email spoofing and randomized/gibberish “from” addresses to evade filters and appear authentic.
  • Embedded buttons or links in the invites redirect users to phishing pages that impersonate Microsoft login screens hosted on non-Microsoft domains.
  • Once credentials are entered on the fake login pages, attackers can use stolen accounts to launch further internal phishing campaigns.
  • Cofense observed multiple infection and payload URLs and related IP addresses linked to these campaigns (detailed IOCs provided).
  • Recommended mitigations include verifying sender details, inspecting URLs before clicking, and employing managed phishing defense services for detection and response.

MITRE Techniques

  • [T1566.002] Spearphishing Link – Calendar invitations contained malicious links that redirected recipients to credential-harvesting pages. [‘After clicking the button, the user is redirected to a phishing page, which displays a fake Microsoft login screen…’]
  • [T1204.002] User Execution: Malicious Link – The campaign relied on users clicking visually convincing Outlook/Google Calendar-style buttons or links to trigger the phishing redirect. [‘They used a button designed to mimic Outlook’s appearance…’]
  • [T1078] Valid Accounts – Harvested credentials were intended for account compromise to enable follow-on phishing and further access within target organizations. [‘Once credentials are entered on the login page, the phishing attempt is successful…’]

Indicators of Compromise

  • [Domains/URLs] Infection and payload URLs used in calendar invites and redirects – a.insgly[.]net, abramge[.]com[.]br, and 6 other domains
  • [IP Addresses] Observed hosting and redirect IPs linked to infection and payload URLs – 18.160.10.68, 172.67.196.105, and 10 other IPs
  • [Email Addresses] Spoofed sender and randomized “from” addresses used to appear legitimate and evade filters – spoofed ‘postmaster@’ origin and randomized/gibberish “from” addresses
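As an added defensive example (not Cofense's tooling and not code from the original post), the following Python script applies the checks recommended in the key points above to an iCalendar (.ics) invitation: it unfolds the invite, extracts every link, and classifies each link's host against an allow-list of vendor domains and against the domains and IPs listed under Indicators of Compromise. The allow-list, the `.invalid` hostnames and the sample invite are constructed for illustration; the four bad hosts are the indicators quoted on this page and are kept defanged in the source.

```python
"""Scan an iCalendar (.ics) invitation for links that lead somewhere a genuine
Microsoft or Google calendar invite would not.  Added defensive example, not
Cofense's code; the sample invite, the allow-list and the .invalid hosts are
constructed, while KNOWN_BAD holds the four indicators quoted in the summary."""

import re
from urllib.parse import urlparse

# Hosts a legitimate Microsoft/Google invite link may point at (illustrative
# allow-list, an assumption; add your own tenant's domains before relying on it).
TRUSTED_SUFFIXES = (
    "microsoft.com", "office.com", "office365.com", "live.com", "outlook.com",
    "google.com",
)

URL_RE = re.compile(r"https?://[^\s\"'<>\\]+")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def refang(text: str) -> str:
    """Restore defanged notation ('hxxp', '[.]') so URLs parse normally."""
    return text.replace("[.]", ".").replace("hxxp", "http")


# Indicators quoted in the summary above, defanged in source and refanged here.
KNOWN_BAD = {refang(i).lower() for i in (
    "a.insgly[.]net", "abramge[.]com[.]br", "18.160.10.68", "172.67.196.105",
)}


def unfold(ics: str) -> str:
    """Join RFC 5545 folded lines: a line break followed by one space or tab."""
    return re.sub(r"\r?\n[ \t]", "", ics)


def classify_host(host: str) -> str:
    """Verdict precedence: known_bad > ip_literal > trusted > untrusted."""
    if host in KNOWN_BAD:
        return "known_bad"
    if IPV4_RE.match(host):
        return "ip_literal"          # vendor invites never link to bare IPs
    if any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES):
        return "trusted"
    return "untrusted"


def scan_invite(ics: str) -> list[dict]:
    """Return one finding per distinct URL, in order of first appearance."""
    text = refang(unfold(ics))
    findings, seen = [], set()
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;)")         # trailing punctuation from prose
        if url in seen:
            continue
        seen.add(url)
        host = (urlparse(url).hostname or "").lower()
        findings.append({"url": url, "host": host, "verdict": classify_host(host)})
    return findings


def organizer(ics: str) -> str:
    """Return the ORGANIZER mailto address, for comparison with the envelope sender."""
    m = re.search(r"^ORGANIZER[^:]*:mailto:(\S+)", unfold(ics), re.M | re.I)
    return m.group(1).lower() if m else ""


def suspicious(ics: str) -> bool:
    """True when any link in the invite is not on the trusted allow-list."""
    return any(f["verdict"] != "trusted" for f in scan_invite(ics))


# Constructed sample: a folded DESCRIPTION, a bare-IP link in the HTML body and
# a LOCATION pointing at an unknown host.  Bad hosts are written defanged.
SAMPLE_INVITE = "\r\n".join([
    "BEGIN:VCALENDAR",
    "VERSION:2.0",
    "PRODID:-//constructed sample//EN",
    "METHOD:REQUEST",
    "BEGIN:VEVENT",
    "UID:constructed-0001@example.invalid",
    "ORGANIZER;CN=IT Helpdesk:mailto:postmaster@example.invalid",
    "SUMMARY:Mandatory password policy review",
    "DESCRIPTION:Review the policy here: hxxps://a.insgly[.]net/review\\n Teams",
    "  link: https://teams.microsoft.com/l/meetup-join/constructed",
    'X-ALT-DESC;FMTTYPE=text/html:<a href="hxxp://18.160.10.68/owa/">Join</a>',
    "LOCATION:https://sso-helpdesk.example.invalid/login",
    "END:VEVENT",
    "END:VCALENDAR",
])


if __name__ == "__main__":
    for f in scan_invite(SAMPLE_INVITE):
        print(f"{f['verdict']:10} {f['host']:35} {f['url']}")
    print("organizer:", organizer(SAMPLE_INVITE), "| suspicious:", suspicious(SAMPLE_INVITE))
```

The allow-list is deliberately suffix-based (`host == s` or `host.endswith("." + s)`) so that a lookalike such as `microsoft.com.attacker.invalid` is not accepted; the ORGANIZER address is extracted separately because the spoofed ‘postmaster@’ origin noted above is only detectable when the invite's organizer is compared with the message's actual envelope sender.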

Read more: https://cofense.com/blog/invitation-to-trouble-the-rise-of-calendar-phishing-attacks