
Cybercriminals who specialize in phishing attacks like to point people to actual websites as much as possible. Using such sites lends an air of legitimacy to the scam, increasing the odds of tricking the recipients. In a report released Thursday, email security provider INKY describes a recent phishing campaign that took advantage of the Calendly calendar app to harvest sensitive account credentials from unsuspecting victims.

In the campaign, which INKY discovered toward the end of February, the attackers inserted malicious links in event invitations sent through Calendly. One reason the criminals chose Calendly may be that the site allows users to set up free accounts without entering any credit card or payment information. Another possible reason is that users can customize Calendly’s invitation pages, allowing scammers to insert malicious links in them.


To kick off the campaign, the attackers sent out phishing emails from various hijacked accounts. Some 64 INKY customers checked their inboxes only to find these emails with a message of “new documents received” and a link to allegedly view those documents. Clicking on the link would then take the recipient to an event invitation on Calendly.

Credential harvesting campaign spotted by INKY.

The event invitation included a link called Preview Document. And that’s where the scam became dangerous. Clicking on that link would have brought the user to a webpage that looked like a Microsoft site but actually was set up to steal Microsoft account credentials.

Credential harvesting campaign Preview Documents link.

Taking the bait, researchers at INKY clicked on the link and entered a phony username and password at the phishing site. The first attempt triggered an invalid password error, a known tactic in which the user is told that their credentials aren’t valid but those credentials are actually harvested behind the scenes. A second attempt to enter credentials didn’t trigger the same error but simply directed the user back to their own company’s website as indicated in their email address.

Credential harvesting message.

In response to INKY’s findings, Calendly sent a statement to TechRepublic explaining how its app was targeted and what security methods it uses to thwart certain types of attacks.

“Security is a top priority at Calendly,” a Calendly spokesperson said. “Similar to other major technology providers, we have an extensive network of tools and systems in place, such as a next-generation web application firewall, fraudulent IP tracking, and anomalous traffic pattern alerts. We also recommend customers add an additional layer of protection with a password manager and two-factor authentication. In this instance, a malicious link was inserted into a customized booking page. Phishing attacks violate our Terms of Service, and accounts are immediately terminated when found or reported. We have a dedicated team that constantly enhances our security techniques, and we will continue to refine and stay vigilant to protect our users and combat such attacks.”

For this campaign, the attackers employed a variety of devious tactics:

  • Brand impersonation. Impersonating a brand like Microsoft adds familiarity.
  • Credential harvesting. The victims think they’re logging into a legitimate site but are actually exposing their credentials to the attackers.
  • Compromised email accounts. The attackers use and abuse legitimate email accounts as a way to sneak past security gateways.
  • Dynamic redirection. The scammers use the victim’s own email address to redirect them back to their own company website.

Recommendations to thwart an attack

To help you protect yourself and your organization from this type of phishing attack, INKY offers the following tips:

  • Always scrutinize the sender’s email address and display name. In the attack described by INKY, the email claimed to be sent from Microsoft but came from a non-Microsoft domain.
  • Always hover over a link to see its actual destination. Though Calendly is a legitimate and safe site, you wouldn’t normally go there to view a Microsoft notification.
  • To defend yourself against credential harvesting, one option is to use a password manager. Such tools automatically compare a website’s URL with the URL stored in their database. If the two don’t match, the password manager won’t enter the credentials. In this case, the URL of the phishing site impersonating Microsoft would not have matched the URL stored in the password manager for Microsoft.
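
The three tips above can be written as checks over a message. This is an added example, not code from INKY or TechRepublic; the brand allowlist, the sample email, the `.example` hosts and all function names are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: domains a defender accepts as genuinely belonging to each brand.
BRAND_DOMAINS = {"microsoft": {"microsoft.com", "microsoftonline.com", "live.com"}}

# Constructed sample message modelled on the lure described in the article.
SAMPLE = """\
From: "Microsoft Office" <j.doe@supplier.example>
To: user@corp.example
Subject: New documents received
Content-Type: text/plain

You have new documents. View them here: https://calendly.com/some-page/preview
"""

def registrable(host):
    # Simplification: last two labels. Production code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def claimed_brand(text):
    # Return the first known brand named in the text, or None.
    return next((b for b in BRAND_DOMAINS if b in text.lower()), None)

def check_message(raw):
    """Tips 1 and 2: compare the brand in the display name with the sender and link domains."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg["From"])
    brand, findings = claimed_brand(name), []
    if not brand:
        return findings
    sender = registrable(addr.rsplit("@", 1)[-1])
    if sender not in BRAND_DOMAINS[brand]:
        findings.append(f"display name claims {brand} but sender domain is {sender}")
    for url in re.findall(r"https?://[^\s<>\"']+", msg.get_payload()):
        host = registrable(urlsplit(url).hostname or "")
        if host not in BRAND_DOMAINS[brand]:
            findings.append(f"link goes to {host}, not a {brand} domain")
    return findings

def should_autofill(saved_url, page_url):
    """Tip 3: fill credentials only on an exact HTTPS scheme, host and port match."""
    s, p = urlsplit(saved_url), urlsplit(page_url)
    return s.scheme == "https" and (s.scheme, s.hostname, s.port) == (p.scheme, p.hostname, p.port)
```

`should_autofill` compares the full hostname rather than the registrable domain, so a lookalike host that merely begins with the real login hostname is still refused.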
