Executive Summary
In mid-2024, a phishing campaign used fake Calendly invitation emails to impersonate established brands including Unilever, Disney, MasterCard, LVMH, and Uber. The lures targeted business users and administrators in order to harvest credentials for Google Workspace and Facebook Business accounts. Victims who clicked the links were sent to lookalike login pages that captured their credentials, giving the attackers a path to digital ad campaigns, corporate data, and financial assets. The campaign combined brand impersonation, social engineering, and abuse of a routine scheduling workflow, which raised the level of trust recipients placed in the message and the rate at which they clicked.
This incident underscores the growing risks of identity-driven attacks that target business SaaS platforms, as cybercriminals increasingly exploit collaboration tools to penetrate defenses. Such phishing methods continue to evolve, challenging traditional detection and user awareness while putting critical business operations at risk.
Why This Matters Now
Organizations are experiencing a surge in phishing attacks that exploit trusted cloud-based scheduling and collaboration tools, enabling attackers to bypass security controls and steal high-value credentials. Immediate vigilance is essential as attackers refine their lures, targeting business platforms crucial for digital operations and advertising spend.
Attack Path Analysis
Attackers sent spoofed Calendly invitations impersonating trusted brands to lure users onto lookalike login pages and capture their Google Workspace and Facebook Business credentials (Initial Compromise). With valid credentials the attackers could sign in as the victim and inherit whatever admin rights the account held over the workspace or ad account (Privilege Escalation). From there they could enumerate other resources the account can reach, such as additional ad accounts or shared business assets (Lateral Movement). The phishing infrastructure that received the harvested credentials, and any later connections from attacker-controlled hosts using them, served as the external channel (Command & Control). Business information and ad account assets were likely exfiltrated to attacker-controlled destinations (Exfiltration), with possible impact including account hijack, fraud, and unauthorized ad spending (Impact). Only the initial compromise and the goal of ad account hijack are described in the cited reports; the intermediate stages are the expected progression rather than confirmed activity.
Kill Chain Progression
Initial Compromise
Description
Phishing emails with spoofed Calendly invites lured victims into submitting SaaS credentials via fake login forms.
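The lure above hinges on a mismatch a mail gateway can check mechanically: the message is themed as a Calendly invitation, yet its sender domain and the hosts its links point to are not calendly.com. The following is an added example for this write-up, not code from the original page, from Calendly, or from the cited reports. It parses a constructed sample message (fictional .example domains) and reports the sender and link signals separately; the allow-list `CALENDLY_HOSTS`, the two-label registered-domain approximation, and the sample message are assumptions for the demonstration.

```python
"""Flag Calendly-themed mail whose sender or link targets are not calendly.com.

Added example for this write-up; not code from the original page, from
Calendly, or from the cited reports. SAMPLE_EML is a constructed message
with fictional .example domains, and CALENDLY_HOSTS is an assumed allow-list.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the registered domain a genuine Calendly invitation uses.
CALENDLY_HOSTS = {"calendly.com"}

# Constructed lure: brand-themed invite, lookalike sender, one link whose
# host merely starts with "calendly.com", and one genuine-looking link.
SAMPLE_EML = """\
From: "Calendly" <notifications@calendly-invites.example>
To: ads-admin@victim.example
Subject: Unilever - New Event Scheduled
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Unilever Brand Team has requested a meeting with you.</p>
<a href="https://calendly.com.verify-login.example/abc">Accept invitation</a>
<a href="https://calendly.com/unilever/30min">View on Calendly</a>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect href values of <a> tags in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)


def registered_domain(host):
    """Approximate eTLD+1 as the last two labels.

    Assumption for the demo; production code should consult the Public
    Suffix List so that e.g. example.co.uk is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def analyze_eml(raw):
    """Return the signals a gateway rule would act on for one message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""

    sender_addr = parseaddr(str(msg["From"] or ""))[1]
    sender_domain = sender_addr.rpartition("@")[2]
    sender_is_calendly = registered_domain(sender_domain) in CALENDLY_HOSTS

    # Theme check: only mail that looks like Calendly is worth judging here.
    themed_text = " ".join([str(msg["From"] or ""), str(msg["Subject"] or ""), body]).lower()
    calendly_themed = "calendly" in themed_text

    # Link check: any href whose registered domain is not Calendly's.
    extractor = LinkExtractor()
    extractor.feed(body)
    suspicious_links = []
    for link in extractor.links:
        host = urlparse(link).hostname
        if host and registered_domain(host) not in CALENDLY_HOSTS:
            suspicious_links.append(link)

    verdict = "suspicious" if calendly_themed and (suspicious_links or not sender_is_calendly) else "ok"
    return {
        "calendly_themed": calendly_themed,
        "sender_domain": sender_domain,
        "sender_is_calendly": sender_is_calendly,
        "suspicious_links": suspicious_links,
        "verdict": verdict,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze_eml(SAMPLE_EML), indent=2))
```

The two signals are kept separate on purpose. If an invitation is delivered through Calendly's own mailer, the sender check passes, but the click still has to land on an attacker-controlled page, so the link-host mismatch is the signal that survives either delivery method.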
MITRE ATT&CK® Techniques
Phishing: Spearphishing Attachment
Phishing: Spearphishing Link
User Execution: Malicious Link
Brute Force: Password Guessing
Brute Force: Password Spraying
Account Discovery: Domain Account
Valid Accounts: Cloud Accounts
Modify Authentication Process: Web Portal
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Secure Authentication for All Access
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management
Control ID: Article 5
CISA ZTMM 2.0 – Multi-Factor Authentication
Control ID: Identity Pillar: 2.2
NIS2 Directive – Technical and Organizational Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the campaign, including operational, regulatory, and cloud security risks.
Marketing/Advertising/Sales
High-risk sector targeted through fake Calendly invites spoofing major brands to steal ad manager credentials, directly compromising campaign management and client data.
Consumer Goods
Major brands such as Unilever were impersonated in phishing attacks targeting Google Workspace accounts, which threatens brand reputation and customer communication channels.
Financial Services
MasterCard impersonation in credential theft campaigns poses significant compliance risks under PCI standards, threatening payment processing systems and customer financial data.
Entertainment/Movie Production
Disney brand spoofing in phishing campaigns targeting business accounts creates reputational damage risks and potential compromise of content distribution and marketing systems.
Sources
- Fake Calendly invites spoof top brands to hijack ad manager accounts, https://www.bleepingcomputer.com/news/security/fake-calendly-invites-spoof-top-brands-to-hijack-ad-manager-accounts/
- Fake Calendly invite phishing campaign, https://cybernews.com/security/calendly-invite-phishing-recruitment-scam-targets-google-facebook-business-account-users/
- Ongoing Calendly phishing scheme impersonates major brands, https://www.scworld.com/brief/ongoing-calendly-phishing-scheme-impersonates-major-brands
- Calendly Emails Impersonate Major Brands in New Credential Theft Scheme, https://nationalcioreview.com/articles-insights/extra-bytes/calendly-emails-impersonate-major-brands-in-new-credential-theft-scheme/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, egress policy enforcement, and threat detection would have limited adversarial movement, detected unusual access, and blocked data exfiltration, constraining the attack at multiple points in the kill chain.
Control: Multicloud Visibility & Control
Mitigation: Unusual authentication attempts or suspicious traffic to phishing domains are rapidly detected.
Control: Zero Trust Segmentation
Mitigation: Identity-based segmentation policies would prevent compromised user accounts from accessing privileged or unrelated resources.
Control: East-West Traffic Security
Mitigation: Internal movement between SaaS services or workloads is restricted and anomalous lateral activity is alerted upon.
Control: Threat Detection & Anomaly Response
Mitigation: Outbound communication patterns indicative of C2 or remote access tools are detected and can be blocked.
Control: Egress Security & Policy Enforcement
Mitigation: Exfiltration channels to unauthorized FQDNs or IPs are blocked based on policy.
Real-time enforcement and policy automation mitigate ongoing business impact and support rapid incident response. One caveat applies to all of the controls above: the credential theft itself happens in the victim's browser against an external phishing page, and a captured password can be replayed against the real Google or Facebook login from any network. Network-side segmentation and egress policy therefore limit what a compromised account can do afterwards; they do not stop the initial compromise, which is the job of phishing-resistant MFA and SaaS-side sign-in auditing.
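The "Multicloud Visibility & Control" and "Threat Detection & Anomaly Response" controls above come down, for this campaign, to auditing SaaS sign-ins for credential replay: a password harvested on a phishing page is used shortly afterwards from an unfamiliar source, often from one host against several victims. The following is an added example for this write-up, not code from the original page or from any vendor product. It runs three such checks over constructed sign-in events in a simplified schema that is not the real Google Workspace or Meta audit format: a successful sign-in from a country absent from the user's 14-day baseline, two successful sign-ins from different countries within 60 minutes, and one source IP attempting several accounts. The thresholds, the fixed demo clock `DEMO_NOW`, and the sample events are assumptions.

```python
"""Spot credential replay after a phishing campaign in SaaS sign-in events.

Added example for this write-up; not code from the original page or from
any vendor. SAMPLE_LOG is constructed and uses a simplified schema, not the
real Google Workspace or Meta audit format; IPs are documentation ranges.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed events: alice's password is captured and replayed from a new
# country 35 minutes after her normal sign-in; the same source IP then
# tries bob's account and fails.
SAMPLE_LOG = """
{"ts": "2024-06-10T08:02:00Z", "user": "alice@victim.example", "ip": "203.0.113.10", "country": "DE", "result": "SUCCESS"}
{"ts": "2024-06-12T08:05:00Z", "user": "alice@victim.example", "ip": "203.0.113.10", "country": "DE", "result": "SUCCESS"}
{"ts": "2024-06-11T07:55:00Z", "user": "bob@victim.example", "ip": "203.0.113.22", "country": "DE", "result": "SUCCESS"}
{"ts": "2024-07-01T09:00:00Z", "user": "alice@victim.example", "ip": "203.0.113.10", "country": "DE", "result": "SUCCESS"}
{"ts": "2024-07-01T09:35:00Z", "user": "alice@victim.example", "ip": "198.51.100.7", "country": "SG", "result": "SUCCESS"}
{"ts": "2024-07-01T09:36:00Z", "user": "alice@victim.example", "ip": "198.51.100.7", "country": "SG", "result": "SUCCESS"}
{"ts": "2024-07-01T10:00:00Z", "user": "bob@victim.example", "ip": "203.0.113.22", "country": "DE", "result": "SUCCESS"}
{"ts": "2024-07-01T10:30:00Z", "user": "bob@victim.example", "ip": "198.51.100.7", "country": "SG", "result": "FAILURE"}
"""

# Assumed "now" for the demo so the baseline/recent split is deterministic.
DEMO_NOW = datetime(2024, 7, 2, tzinfo=timezone.utc)


def parse_events(text):
    """Parse JSON lines into dicts with timezone-aware datetimes, oldest first."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_login_anomalies(log_text, now, baseline_days=14, travel_window_min=60):
    """Return alerts for new-country sign-ins, impossible travel and shared sources.

    Thresholds are assumptions: successful sign-ins older than baseline_days
    define what is normal for a user; everything newer is scanned.
    """
    window_start = now - timedelta(days=baseline_days)
    baseline = defaultdict(set)    # user -> countries seen before the window
    recent_ok = defaultdict(list)  # user -> successful sign-ins in the window
    ip_users = defaultdict(set)    # ip -> accounts it tried in the window

    for e in parse_events(log_text):
        if e["ts"] < window_start:
            if e["result"] == "SUCCESS":
                baseline[e["user"]].add(e["country"])
            continue
        ip_users[e["ip"]].add(e["user"])        # failed attempts count here too
        if e["result"] == "SUCCESS":
            recent_ok[e["user"]].append(e)

    alerts = []
    for user, logins in recent_ok.items():
        flagged = set()
        prev = None
        for cur in logins:
            # 1. Country never seen in the baseline (fires once per country).
            if cur["country"] not in baseline[user] and cur["country"] not in flagged:
                flagged.add(cur["country"])
                alerts.append({"kind": "new_country", "user": user,
                               "detail": f"{cur['country']} via {cur['ip']} at {cur['ts'].isoformat()}"})
            # 2. Two countries within the travel window: the real user and the replay.
            if (prev is not None and prev["country"] != cur["country"]
                    and cur["ts"] - prev["ts"] <= timedelta(minutes=travel_window_min)):
                minutes = int((cur["ts"] - prev["ts"]).total_seconds() // 60)
                alerts.append({"kind": "impossible_travel", "user": user,
                               "detail": f"{prev['country']} -> {cur['country']} in {minutes} min"})
            prev = cur

    # 3. One source touching several accounts: a harvested list being replayed.
    for ip, users in sorted(ip_users.items()):
        if len(users) >= 2:
            alerts.append({"kind": "shared_source", "user": ",".join(sorted(users)),
                           "detail": f"{ip} attempted {len(users)} accounts"})
    return alerts


def run_demo():
    """Run the detector over the constructed log with the fixed demo clock."""
    return detect_login_anomalies(SAMPLE_LOG, DEMO_NOW)


if __name__ == "__main__":
    for a in run_demo():
        print(f"[{a['kind']}] {a['user']}: {a['detail']}")
```

The shared-source check deliberately counts failed attempts: after a campaign like this one, the attacker works through a list of harvested credentials from the same host, so a source IP that touches several of your accounts is suspicious even when most of the attempts fail. Users with no baseline will trip the new-country check on every sign-in; in practice, seed the baseline from a longer history before enabling alerts.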
Impact at a Glance
Affected Business Functions
- Advertising
- Marketing
- Sales
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive business data, including advertising strategies, customer information, and financial records, due to unauthorized access to Google Workspace and Facebook Business accounts.
Recommended Actions
Key Takeaways & Next Steps
- Require phishing-resistant MFA (FIDO2/WebAuthn security keys or passkeys) on Google Workspace and Facebook Business accounts, especially administrators; a password captured on a lookalike page can be replayed from anywhere, so this is the control that breaks the initial compromise.
- Strengthen identity-based segmentation and least-privilege access for all SaaS and cloud accounts.
- Enforce granular egress policies to block communication with unauthorized external sites and phishing domains.
- Deploy east-west network traffic controls to restrict lateral movement inside cloud and SaaS environments.
- Implement continuous threat detection and anomaly response, including SaaS sign-in auditing, for rapid identification of compromised accounts and suspicious activity.
- Centralize multicloud visibility and automate policy enforcement using cloud-native security fabric capabilities.