Calendar Invitations Used to Launch Phishing Attacks

With every day passing, threat actors are finding more and more innovative ways to deliver phishing emails to end-users. Recently, the Cofense Phishing Defense Center (PDC) spotted crooks using calendar invitations to mount phishing attacks.

What happened

Recently, Cofense researchers detected a phishing attack in the enterprise email environments protected by Proofpoint and Microsoft.
  • The phishing campaign delivered .ics calendar invite attachments containing phishing links in the body with the subject "Fault Detection from Message Center," from a sender with the display name Walker.
  • Attackers used a compromised email account belonging to a school district to bypass email filters relying on the DKIM and SPF technologies that authenticate sending domains.
  • The fake invitation proposed a calendar entry displaying a URL, hosted on Microsoft's SharePoint site. It also displayed another link to a phishing site hosted by Google that appeared to show a fake Wells Fargo login page.
  • The campaign tricked users into submitting their login details, PIN, and account numbers, along with their email credentials, and redirected them to the legitimate Wells Fargo website to quell any suspicion.

Recent threats leveraging calendar applications

Scammers have been taking advantage of innocuous default calendar settings to try to trick users into clicking malicious links.
  • In June, an attacker impersonated a Wells Fargo Security Team member and sent out phishing attacks contained within calendar application invites, targeting environment protected by FireEye.
  • In October last year, in a Google Calendar Scam, fraudsters were seen sending fake calendar invitations to a victim’s email address and tricked them to open a malware-laden attachment or click on a malicious link.

What can you do?

Users should not click on suspicious links or attachments in unsolicited emails. Users should change their calendar settings to prevent meeting invitations from automatically popping up.