Phishing scams are constantly evolving, with attackers finding innovative ways to bypass security measures. The latest twist involves the misuse of Google Calendar invites and Google Drawings, with threat actors targeting credentials while circumventing spam filters.
A Growing Threat Targeting Thousands
According to cybersecurity firm Check Point, the ongoing attack has already targeted 300 brands through over 4,000 phishing emails in just four weeks. The attack spans a wide range of industries, including education, healthcare, construction, and banking.
The scale of the campaign is concerning. By leveraging legitimate Google services, attackers effectively bypass traditional email security checks. This tactic has allowed them to infiltrate inboxes with alarming ease.
How the Scam Operates
The attack begins innocently enough. Threat actors send Google Calendar meeting invites that appear genuine, especially when they include familiar names among the participants.
Inside these invites, however, lies the bait: a link to a Google Form or Google Drawings page. These pages further encourage users to click yet another link, often disguised as a reCAPTCHA or a support button.
This layered approach is designed to appear trustworthy while leading unsuspecting users to phishing pages where their credentials can be stolen.
Example of a Phishing Email Header
Check Point researchers analyzed the email headers and found that the phishing emails passed DKIM, SPF, and DMARC security checks, lending credibility to their appearance. These checks validate that a message really was sent by the domain it claims to come from, not that its content is safe. Because the invites are sent through Google's own services, they pass, which explains why these phishing attempts evade spam filters.
Here’s a brief look at how these headers might appear legitimate:
- Sender: Matches Google Calendar services.
- Authentication: Passes DKIM, SPF, and DMARC checks.
- Content: Mimics standard meeting invitations.
Doubling Down: Cancelled Events with Malicious Links
The attackers don’t stop at sending initial invites. They also cancel the Google Calendar event shortly after sending it, triggering a cancellation message to the invitees. This message often includes another link, usually pointing to a Google Drawings page, which again leads to phishing websites.
This approach effectively doubles the number of phishing emails received by the target, increasing the likelihood of a click.
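An added example (not from Check Point's report or the original article) of how a mail pipeline could triage the invite and cancellation messages described above: it records the passing SPF/DKIM/DMARC result but does not treat it as a verdict, and inspects the iCalendar part instead. The function name, flag names, URL pattern, and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Assumption: Google Forms and Google Drawings links use these docs.google.com paths.
LURE_URL = re.compile(r"https://docs\.google\.com/(?:forms|drawings)/\S+", re.I)

def triage_invite(raw_email, internal_domain):
    """Flag calendar invites/cancellations that match the pattern in this article."""
    msg = message_from_string(raw_email)
    auth = msg.get("Authentication-Results", "").lower()
    # Recorded for the analyst only: a pass says who sent it, not whether it is safe.
    result = {"auth_pass": all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc")),
              "flags": []}
    for part in msg.walk():
        if part.get_content_type() != "text/calendar":
            continue
        ics = part.get_payload(decode=True).decode("utf-8", "replace")
        ics = re.sub(r"\r?\n[ \t]", "", ics)  # RFC 5545: unfold continuation lines
        method = re.search(r"^METHOD:(\w+)", ics, re.M)
        organizer = re.search(r"^ORGANIZER[^:\n]*:mailto:(\S+)", ics, re.M | re.I)
        if organizer and not organizer.group(1).lower().endswith("@" + internal_domain):
            result["flags"].append("external-organizer")
        if LURE_URL.search(ics):
            result["flags"].append("forms-or-drawings-link")
            if method and method.group(1).upper() == "CANCEL":
                result["flags"].append("link-in-cancellation")
    return result

def sample(method):
    """Constructed message (not a captured one); addresses and IDs are placeholders."""
    return (
        "From: Google Calendar <calendar-notification@google.com>\n"
        "To: user@corp.example\n"
        "Authentication-Results: mx.corp.example; spf=pass; dkim=pass; dmarc=pass\n"
        "Content-Type: text/calendar; charset=utf-8; method=" + method + "\n"
        "\n"
        "BEGIN:VCALENDAR\n"
        "METHOD:" + method + "\n"
        "BEGIN:VEVENT\n"
        "ORGANIZER;CN=Support:mailto:sender@unknown.example\n"
        "DESCRIPTION:Verify here https://docs.google.com/drawings/d/PLACEHOLDER\n"
        " /preview\n"
        "END:VEVENT\n"
        "END:VCALENDAR\n"
    )

if __name__ == "__main__":
    for m in ("REQUEST", "CANCEL"):
        print(m, triage_invite(sample(m), "corp.example"))
```

Both constructed messages pass authentication and are still flagged; the cancellation carries the extra `link-in-cancellation` flag because a cancelled event has no legitimate reason to direct the recipient to a form or drawing.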
Why Google Calendar Phishing Works
The success of these attacks lies in their exploitation of trusted platforms. By utilizing Google’s services, such as Calendar and Drawings, the phishing emails appear to originate from legitimate sources.
Users often trust meeting invites and notifications, making them more likely to engage without suspicion. Google Workspace protections exist to combat such abuse, but they must be enabled by administrators. Without these protections, invites are automatically added to calendars, leaving users vulnerable.
Recommendations to Stay Safe
- Be cautious of meeting invites from unknown sources.
- Avoid clicking links embedded in invites unless you trust and confirm the sender.
- Administrators should enable Google Workspace protections to prevent the automatic addition of invites to calendars.
The Bigger Picture: Phishing Tactics Are Evolving
Google Calendar phishing is not entirely new. The platform has been exploited in the past, prompting Google to roll out measures to block suspicious invites. However, the persistence of such attacks underscores the need for continuous vigilance.
The use of legitimate platforms like Google Calendar and Google Drawings illustrates a broader trend in phishing. Cybercriminals are increasingly blending malicious intent with authentic services to evade detection.
Table: Comparison of Traditional Phishing vs. Google Calendar Phishing
| Feature | Traditional Phishing | Google Calendar Phishing |
|---|---|---|
| Platforms Used | Email links, fake websites | Google Calendar, Google Drawings |
| Security Bypass Methods | Fake email headers | Legitimate DKIM, SPF, DMARC compliance |
| Delivery Mechanism | Bulk spam emails | Calendar invites and cancellation messages |
| User Trust Factor | Low | High, due to use of Google services |
The misuse of Google’s tools is a stark reminder that no platform is immune to abuse. Even trusted services can become conduits for phishing attacks when exploited creatively.
The Importance of Awareness
Phishing tactics rely on human error. While technical safeguards can mitigate some risks, user awareness remains the best defense. Staying informed about the latest threats and scrutinizing every unexpected invite or link can significantly reduce the likelihood of falling victim.
Check Point’s findings highlight a growing need for better education and proactive security measures. Companies must equip their teams with the knowledge to spot phishing attempts, while users must exercise caution with every email or invite they receive.