Ongoing Phishing Attack Abuses Google Calendar to Bypass Spam Filters

Summary:
Google Calendar, a widely used scheduling tool with over 500 million users in 41 languages, has become a significant target for cybercriminals exploiting its features to conduct phishing campaigns. Researchers at Check Point uncovered an ongoing campaign affecting over 300 brands, with more than 4,000 phishing emails sent in just four weeks. By manipulating email sender headers, attackers make phishing emails appear as if they originate from Google Calendar on behalf of legitimate contacts, leveraging user trust in the platform to increase the success rate of these attacks.


The campaign initially used malicious links embedded in calendar invite files (.ics), redirecting users to Google Forms pages designed to harvest sensitive information. However, as security tools began flagging these links, attackers evolved their tactics to include Google Drawings. The phishing emails often mimic legitimate calendar notifications or take a custom format that includes links disguised as reCAPTCHA or support buttons. These links direct users to fake cryptocurrency mining or financial support pages.


Once on these fake landing pages, victims are prompted to engage in a fraudulent authentication process. This process involves entering personal information such as usernames, passwords, and payment details. These phishing pages often include sophisticated designs to mimic trusted websites or services, making them difficult to distinguish from legitimate pages. Cybercriminals use the stolen information for activities like credit card fraud, unauthorized financial transactions, and account takeovers. In some cases, the compromised data is used to bypass security measures on other accounts, leading to further exploitation.


Security Officer Comments:


A key technique observed involves the use of Google’s legitimate collaboration tools, such as Calendar and Drawings, to bypass email security filters. By embedding malicious links into trusted platforms, attackers reduce the likelihood of detection by traditional email security measures. Additionally, the use of reCAPTCHA or "support" prompts further lowers suspicion and increases user interaction with the malicious links.

Suggested Corrections:
For organizations that want to safeguard users from these types of phishing threats and others, Checkpoint researchers recommend the following mitigations:

  • Advanced email security solutions. Solutions like Harmony Email & Collaboration can effectively detect and block sophisticated phishing attempts – even when they manipulate trusted platforms, like Google Calendar and Google Drawings.High-caliber email security solutions include attachment scanning, URL reputation checks, and AI-driven anomaly detection.
  • Monitor the use of third-party Google Apps. Leverage cyber security tools that can specifically detect and warn your organization about suspicious activity on third-party apps.
  • Implement strong authentication mechanisms. One of the most important actions that security administrators can take consists of implementing Multi-Factor Authentication (MFA) across business accounts.
    Further, deploy behavior analytics tools that can detect unusual login attempts or suspicious activities, including navigation to cryptocurrency-related sites.
For individuals who are concerned about these scams reaching their personal inboxes, consider the following practical recommendations.

  • Remain wary of fake event invites. Does the invite have unexpected information on it or request that you complete unusual steps (i.e., CAPTCHA)? If so, avoid engaging.
  • Carefully examine incoming content. Think before you click. Hover over links and then type the URL into Google for the purpose of accessing the website – a safer approach than otherwise.
  • Enable two-factor authentication. For Google accounts and other repositories of sensitive information, enable two-factor authentication (2FA). If your credentials are compromised, 2FA can prevent criminals from accessing a given account.
When asked for comment, Google stated, “We recommend users enable the “known senders” setting in Google Calendar. This setting helps defend against this type of phishing by alerting the user when they receive an invitation from someone not in their contact list and/or they have not interacted with from their email address in the past.”

Link(s):
https://www.bleepingcomputer.com/ne...buses-google-calendar-to-bypass-spam-filters/

https://blog.checkpoint.com/securing-user-and-access/google-calendar-notifications-bypassing-email-security-policies/