What happened
Security researchers from ReversingLabs have uncovered a campaign in which threat actors used Google Calendar invites, created through a service called Promptware, to distribute credential-harvesting links. According to the report, the attackers automated the creation of calendar events whose titles, descriptions or locations carried URLs pointing to phishing pages built to collect login credentials. The invites were sent to large numbers of users. Because they came from legitimate calendar infrastructure rather than an attacker-controlled mail server, and because Google Calendar can add an invitation to a recipient's calendar automatically (depending on the recipient's invitation settings), the lure appeared directly in recipients' Google Calendar views and did not trigger the filters that typically inspect inbound email. Users who clicked the link in the event details were taken to fake login portals where the attackers captured whatever credentials were entered. The researchers noted that using authentic Google Calendar invites let the distributors evade some traditional security controls and raised the likelihood that users would interact with the malicious content.
Who is affected
Users who received the malicious Google Calendar invites and clicked the embedded links are affected: credentials entered on the phishing pages give the attackers unauthorized access to the victim's account and to anything that account can reach. Recipients who did not click are not compromised, but the event may still sit on their calendar and can be reused as a lure until it is removed.
Why CISOs should care
The abuse of a trusted collaboration and scheduling platform like Google Calendar to deliver credential-harvesting lures shows that threat actors are moving beyond email to reach users through other trusted workflows. Defenses built around the mail gateway (link rewriting, attachment sandboxing, sender reputation) do not see an event that arrives through calendar infrastructure, so coverage has to extend to those channels and to the user's expectations about what a meeting invite can contain.
3 practical actions
- Audit calendar integrations. Review third-party services and OAuth applications that hold calendar scopes and can create events on behalf of users, remove any that are not needed, and check recent event-creation activity for invite generation that no one authorized.
- Monitor for unsolicited invites. Detect spikes in calendar events from organizers outside known internal sources whose titles, descriptions or locations contain links to domains you do not recognize. Where the Google Calendar setting "Add invitations to my calendar" is set to "From everyone", external invites land on the calendar with no user action; switching it to "Only if the sender is known" keeps unsolicited invites in email, where the usual filters apply.
- Educate users on invite safety. Tell stakeholders that a meeting invite can carry a phishing link just as an email can, that they should not enter credentials on a page reached from an unsolicited invitation, and how to report and delete such events rather than simply declining them.
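The monitoring action above can be turned into a concrete check. The following script is an added example for this brief, not ReversingLabs' tooling or anything from Google: it parses a batch of iCalendar (RFC 5545) invites, flags events whose organizer is outside the organization and whose text links to a domain not on an allowlist, and then counts flagged invites per organizer domain to surface a spike. The four invites in SAMPLE_ICS are constructed for the example (example.com, example.net and example.org are reserved documentation domains), and INTERNAL_DOMAIN and ALLOWED_LINK_DOMAINS are assumptions a deployment would replace with its own values.

```python
"""Flag externally organized calendar invites that link outside an allowlist,
then count them per organizer domain to spot a spike.
Added example for this brief, not ReversingLabs' tooling. The invites in
SAMPLE_ICS are constructed; INTERNAL_DOMAIN and ALLOWED_LINK_DOMAINS are
assumptions to be replaced with real values."""
import re
from collections import Counter
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.com"                                       # assumption
ALLOWED_LINK_DOMAINS = {"example.com", "meet.google.com", "zoom.us"}  # assumption
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)

# Constructed sample batch: an internal meeting, a vendor call with an allowed
# conferencing link, and two "IT support" invites pointing at a login page on an
# unrelated domain. The third event uses RFC 5545 line folding to split its URL.
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
BEGIN:VEVENT
UID:1@example.com
ORGANIZER;CN=Alice:mailto:alice@example.com
SUMMARY:Sprint planning
DESCRIPTION:Join at https://meet.google.com/abc-defg-hij
END:VEVENT
BEGIN:VEVENT
UID:2@partner.example.org
ORGANIZER;CN=Vendor PM:mailto:pm@partner.example.org
SUMMARY:Vendor sync
LOCATION:https://zoom.us/j/123456789
END:VEVENT
BEGIN:VEVENT
UID:3@example.net
ORGANIZER;CN=IT Support:mailto:helpdesk@example.net
SUMMARY:ACTION REQUIRED: password expiry
DESCRIPTION:Your account will be locked. Verify now at https://login.example.net
 /verify?acct=user
END:VEVENT
BEGIN:VEVENT
UID:4@example.net
ORGANIZER;CN=IT Support:mailto:helpdesk@example.net
SUMMARY:Password reset required
DESCRIPTION:Confirm your identity: https://login.example.net/verify?acct=other
END:VEVENT
END:VCALENDAR
"""


def unfold_ical(text):
    """Join RFC 5545 folded lines: a line break followed by one space or tab."""
    return re.sub(r"\r?\n[ \t]", "", text)


def parse_events(ics_text):
    """Return the organizer, summary, description and location of each VEVENT."""
    events = []
    for block in re.findall(r"BEGIN:VEVENT(.*?)END:VEVENT", unfold_ical(ics_text), re.S):
        ev = {"organizer": "", "summary": "", "description": "", "location": ""}
        for line in block.strip().splitlines():
            if ":" not in line:
                continue
            name, value = line.split(":", 1)
            prop = name.split(";", 1)[0].upper()  # drop parameters such as CN=...
            if prop == "ORGANIZER":
                ev["organizer"] = value.strip().lower().removeprefix("mailto:")
            elif prop in ("SUMMARY", "DESCRIPTION", "LOCATION"):
                ev[prop.lower()] = value.replace("\\n", " ")
        events.append(ev)
    return events


def under_domain(host, domains):
    """True if host equals, or is a subdomain of, any entry in domains."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def assess(ev):
    """Return (organizer domain, is external, sorted unlisted link hosts)."""
    org_domain = ev["organizer"].rsplit("@", 1)[-1]
    external = not under_domain(org_domain, {INTERNAL_DOMAIN})
    text = " ".join((ev["summary"], ev["description"], ev["location"]))
    hosts = [urlparse(u).hostname or "" for u in URL_RE.findall(text)]
    unlisted = sorted({h for h in hosts if not under_domain(h, ALLOWED_LINK_DOMAINS)})
    return org_domain, external, unlisted


def flag_invites(ics_text):
    """Invites that are both externally organized and link outside the allowlist."""
    flagged = []
    for ev in parse_events(ics_text):
        org_domain, external, unlisted = assess(ev)
        if external and unlisted:
            flagged.append({"summary": ev["summary"], "organizer_domain": org_domain,
                            "unlisted_hosts": unlisted})
    return flagged


def organizer_spikes(flagged, threshold=2):
    """Organizer domains behind at least `threshold` flagged invites in the batch."""
    counts = Counter(f["organizer_domain"] for f in flagged)
    return {d: n for d, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = flag_invites(SAMPLE_ICS)
    for h in hits:
        print(f"FLAG {h['organizer_domain']}: {h['summary']} -> {h['unlisted_hosts']}")
    print("spikes:", organizer_spikes(hits))
```

The vendor invite is external but links only to an allowed conferencing domain, so it is not flagged; the two "IT support" invites are flagged and, because both come from the same organizer domain, organizer_spikes reports that domain once the threshold is reached. In production the batch would come from a calendar export or the Calendar API rather than an inline string, and the allowlist should be kept deliberately short, since an attacker-controlled subdomain of a broadly allowed domain would pass the suffix check.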
