Microsoft users are being tricked into handing over their accounts by threat actors abusing the online calendar app Calendly.
Calendly, which is widely used thanks to its integration with Zoom, is a completely free app that businesses and consumers can use to organize events.
Phishing – which is the method used in this scam – has become an increasingly frequent problem for businesses in the US and beyond, particularly since the pandemic.
Microsoft Accounts Targeted
Calendly-generated emails are not an unusual or suspicious sight in any inbox, and these emails are no different in appearance, being sent legitimately from the Calendly platform. However, the ability to add any link to an invitation email, using the “Add Custom Link” function, is being abused by cyber criminals.
The malicious users are sending Calendly-generated emails claiming that new fax documents are waiting for the recipient, but the link hidden behind a “Preview Documents” button, if clicked, opens a fake Microsoft login page that harvests the victim's account credentials.
The fake login box even asks victims to type in their password twice, claiming they entered it wrong initially, simply to save the scammers the time of sifting through submissions with typos.
Calendar apps like Calendly are often left open in stray tabs and can integrate with other apps or programs, making attacks through their platforms more subtle and convincing than traditional phishing attempts.
BleepingComputer reports that tech company INKY has been observing phishing attempts like this since the end of February.
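The red flag in this campaign is a legitimately delivered notification whose call-to-action link points somewhere neither Calendly nor Microsoft would send you. The following added example (not code from the article, INKY or Calendly) parses a constructed HTML invitation body and flags links whose visible text invites a click but whose target host is outside an assumed allowlist, or whose hostname merely imitates Microsoft; the allowlist and sample email are assumptions for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts a genuine Calendly notification is expected to link to.
# Adjust to the senders and identity providers your organisation really uses.
EXPECTED_HOSTS = {"calendly.com", "login.microsoftonline.com", "login.live.com"}
LURE_WORDS = ("preview", "document", "sign in", "login", "view")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML e-mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None

def host_is_expected(host):
    """Exact match or a genuine subdomain; 'evil-calendly.com' does not pass."""
    return any(host == d or host.endswith("." + d) for d in EXPECTED_HOSTS)

def suspicious_links(html_body):
    """Return call-to-action links that leave the expected hosts, and any
    link whose hostname imitates Microsoft without being a Microsoft host."""
    parser = LinkCollector()
    parser.feed(html_body)
    flagged = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if host_is_expected(host):
            continue
        lure = any(w in text.lower() for w in LURE_WORDS)
        lookalike = "microsoft" in host or "office" in host
        if lure or lookalike:
            flagged.append({"text": text, "host": host})
    return flagged

# Constructed sample resembling the abused "Add Custom Link" invitation.
SAMPLE_EMAIL = """<p>You have new fax documents waiting.</p>
<a href="https://calendly.com/someone/intro-call">View event details</a>
<a href="https://microsoft-docs-preview.example/login">Preview Documents</a>
<a href="https://calendly.com/unsubscribe">Unsubscribe</a>"""

if __name__ == "__main__":
    for hit in suspicious_links(SAMPLE_EMAIL):
        print(f"suspicious: '{hit['text']}' -> {hit['host']}")
```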
Phishing: Everything You Need to Know
All phishing attacks are designed to deceive their readers into clicking on something malicious and then either downloading malware or giving up personal account information. To do this, scammers impersonate genuine businesses – in this case, Microsoft – and leverage the legitimacy the victim will associate with their brand.
Although email remains the most popular method for attempting to fraudulently obtain an unsuspecting target’s information, there are now few communications channels that haven't been exploited for phishing.
Smishing, for example, is SMS phishing, and uses the same sort of scamming techniques but via text messages. This became a big problem during the pandemic in a number of countries, with fraudsters taking advantage of the fact that the average person was receiving more texts from the government, as well as more deliveries from private companies.
Vishing is now also common practice – again, similar techniques are used for this, but either over the phone or through a voicemail message.
Search Engine Phishing – sometimes known as pharming – requires scammers to poison the DNS caches of victims. DNS – the Domain Name System – is what links the website names we type into address bars to actual IP addresses, and is essential for transferring data between any two points on the internet. Scammers have found ways to link legitimate website names to IP addresses belonging to malicious sites, so if you're a victim of this complex phishing method, you’ll be redirected there instead.
How Can I Protect My Business from Phishing?
It’s always a good idea to have antivirus software installed – phishing is one method that is commonly used to distribute malware, which could find its way onto your computer.
But the best defense against phishing is awareness – knowing the risks are there is half the battle. Then, you can learn to look out for suspicious links or instructions, and learn the common tricks to distinguish between shady and legitimate emails, apps and phone calls.
In most cases, there are telltale signs that an email is a phishing attempt – misspelled words, outdated logos, direct (and usually unexpected) demands such as “click here to save your account”, or accusations like “you owe Microsoft $5,000 in subscription fees”, for instance. In the case of the Calendly attack, the biggest red flag is the demand for Microsoft credentials simply to view something in Calendly.
Regular training for staff is important, and some companies go as far as to send out mock phishing emails on a regular basis, to see if staff really can spot these small yet telling signs.
Phishing has expanded rapidly as business communications have diversified, so whether you’re using Zoom, calendar apps, or other applications, keep your wits about you.