An ongoing Google Calendar phishing attack is exploiting meeting invites and Google Drawings to bypass spam filters and steal credentials. Over four weeks, the attack has targeted 300 brands, sending more than 4,000 phishing emails, according to cybersecurity researchers at Check Point.

Check Point researchers told BleepingComputer that this phishing campaign spans various industries, including educational institutions, healthcare services, construction companies, and banks. By leveraging Google Calendar’s trusted framework, threat actors increase their chances of success.

How the Attack Unfolds

The attack begins with threat actors sending fraudulent Google Calendar meeting invites. These invites appear legitimate and include names of recognizable guests to establish trust.

Embedded in these invites are links leading to Google Forms or Google Drawings pages. Once users land on these pages, they are prompted to click on another link, often disguised as a reCaptcha or support button. The final destination is a phishing page designed to harvest login credentials.

Check Point emphasized how the use of Google Calendar services helps attackers bypass spam filters:

“The attackers utilized Google Calendar services, making the headers appear completely legitimate and indistinguishable from invitations sent by any typical Google Calendar user.”

Phishing attacks abusing Google Calendar services are not new. Google has implemented protections, allowing users to block unwanted invites. However, these defenses require activation by Google Workspace administrators. Without this, malicious invites continue to be automatically added to users’ calendars.

Check Point recommends users exercise caution with meeting invites, particularly those that include links. Avoid clicking any links unless the sender’s identity is verified.

This attack highlights the importance of vigilance and robust security measures to counter increasingly sophisticated phishing campaigns.