An ongoing phishing scam is abusing Google Calendar invites and Google Drawings pages to steal credentials while bypassing spam filters.
According to Check Point, which has been monitoring the phishing attack, the threat actors have targeted 300 brands with over 4,000 emails sent in four weeks.
Check Point told BleepingComputer that the attacks targeted a broad range of companies, including educational institutions, healthcare services, building companies, and banks.
The attack starts with the threat actors using Google Calendar to send meeting invites that look pretty innocuous, especially if you recognize some of the other guests.
Embedded in these invites, as shown below, is a link that leads to Google Forms or Google Drawings that prompt the user to click another link, typically disguised as a reCaptcha or support button.
Email Researchers at Check Point told BleepingComputer that by utilizing the Google Calendar services to initiate the phishing invites, they bypass spam filters as they are coming from a legitimate Google service.
“The attackers utilized Google Calendar services, making the headers appear completely legitimate and indistinguishable from invitations sent by any typical Google Calendar user,” Check Point told BleepingComputer.
The researchers shared an image of the email headers, showing they passed DKIM, SPF, and DMARC email security checks, allowing the phishing invite to land in the targets’ inboxes.
To double the number of phishing emails sent to the target, the threat actors can also cancel the Google Calendar event and include a message that will be sent to attendees.
This message can also include a link, such as a Google Drawings link, to further drive targets to phishing pages.
Google Calendar phishing is not new, with Google previously rolling out protections allowing users to block these types of invites more easily.
However, if a Google Workspace administrator does not enable these protections, you will continue to have invites automatically added to your calendars.
Check Point recommends that users be wary of all meeting invites received, and if they prompt you to click on a link, ignore them unless you trust or confirm the sender.