Hackers Using Calendly-Themed Phishing Attack to Steal Google Workspace Account


A sophisticated phishing campaign has emerged targeting business professionals with Calendly-themed emails, combining social engineering with advanced credential theft techniques.

The attack specifically focuses on Google Workspace and Facebook Business accounts, using carefully crafted job opportunity lures to trick users into sharing their login information.

The campaign began when a customer received a highly convincing email impersonating a recruiter from LVMH, the luxury goods conglomerate.

Well-crafted, multi-stage, highly targeted phishing email (Source - Push Security)

The email praised the recipient’s professional achievements and offered a promising job opportunity within LVMH’s digital performance team.

The message appeared genuine because it included personal details about the victim’s work experience and was signed by someone claiming to be an HR manager at the company.

The attacker likely used artificial intelligence to gather and personalize this information from publicly available sources like LinkedIn.


Push Security analysts identified the malware after discovering that the attack was part of a much larger campaign spanning multiple variants and brands.

The researchers noted the sophisticated social engineering tactics and detection evasion techniques embedded throughout the attack infrastructure.

How the Credential Theft Works

The attack uses a multi-stage delivery method designed to bypass email security filters.

The initial email asks if the recipient is interested in the opportunity, and only after responding does the attacker send a follow-up message containing a malicious link disguised as a Calendly scheduling link.

This staged approach helps the phishing email evade content scanning tools that typically flag messages with suspicious links.

When victims click the link, they land on a convincing fake Calendly page that looks nearly identical to the legitimate service.

After completing a CAPTCHA verification, clicking “Continue with Google” redirects users to an Attacker-in-the-Middle (AiTM) phishing page.

Fake Calendly landing page (Source - Push Security)

This page mimics Google’s login interface but is specifically branded with Calendly elements to appear legitimate.

The phishing infrastructure includes intelligent validation mechanisms that block unauthorized email domains from accessing the page.

Calendly-themed AiTM phishing page targeting Google Workspace accounts (Source - Push Security)

Only emails matching the intended victim’s organization domain can proceed to the password entry field.

Researchers also discovered advanced anti-analysis features, including IP blocking that prevents investigation from VPN or proxy connections and access restrictions triggered when developer tools are opened.

Webpages with similar properties to the attack analysed by Push (Source - Push Security)

These protections suggest the attackers are actively working to stay ahead of security researchers and automated analysis tools.

The campaign has evolved significantly since its inception over two years ago, with attackers continuously refining their tactics and introducing new detection evasion methods to maintain operational effectiveness.
