Thursday, December 19, 2024

Ongoing phishing attack abuses Google Calendar to bypass spam filters

Must read

An ongoing phishing scam is abusing Google Calendar invites and Google Drawings pages to steal credentials while bypassing spam filters.

According to Check Point, which has been monitoring the phishing attack, the threat actors have targeted 300 brands with overĀ 4,000 emails sent in four weeks.

Check Point told BleepingComputer that the attacks targeted a broad range of companies, includingĀ educational institutions, healthcare services, building companies, and banks.

The attack starts with the threat actors using Google Calendar to send meeting invites that look pretty innocuous, especially if you recognize some of the other guests.

Embedded in these invites, as shown below, is a link that leads to Google Forms or Google Drawings that prompt the user to click another link, typically disguised as a reCaptcha or support button.

Example Google Calender invite phishing email
Example Google Calender invite phishing email
Source: Check Point

Email Researchers at Check Point told BleepingComputer that by utilizing the Google Calendar services to initiate the phishing invites, they bypass spam filters as they are coming from a legitimate Google service.

“The attackers utilized Google Calendar services, making the headers appear completely legitimate and indistinguishable from invitations sent by any typical Google Calendar user,” Check Point told BleepingComputer.

The researchers shared an image of the email headers, showing they passed DKIM, SPF, and DMARC email security checks, allowing the phishing invite to land in the targets’ inboxes.

Mail headers sent in Google Calendar spam
Mail headers sent in Google Calendar spam
Source: Check Point

To double the number of phishing emails sent to the target, the threat actors can also cancel the Google Calendar event and include a message that will be sent to attendees.

This message can also include a link, such as a Google Drawings link, to further drive targets to phishing pages.

Using Google Drawings as part of Google Calendar phishing
Using Google Drawings as part of Google Calendar phishing
Source: Check Point

Google Calendar phishing is not new, with Google previously rolling out protections allowing users to block these types of invites more easily.

However, if a Google Workspace administrator does not enable these protections, you will continue to have invites automatically added to your calendars.

Check Point recommends that users be wary of all meeting invites received, and if they prompt you to click on a link, ignore them unless you trust or confirm the sender.

Latest article