Phishing links hidden inside calendar invite attachments

(Image credit: wk1003mike / Shutterstock)

Cybercriminals continue to devise new ways to deliver phishing emails to end users and the Cofense Phishing Defense Center (PDC) had discovered a new phishing campaign which uses calendar invite attachments to try and bypass email gateways.

The firm's researchers discovered the new campaign in multiple enterprise email environments protected by Proofpoint and Microsoft. Cofense assumes that the attackers believe that by putting their phishing URL inside a calendar invite, they can avoid automated analysis.

The subject of the phishing emails used in the campaign is “Fraud Detection from Message Center” and the sender display name is Walker. However, the email address used appears to be legitimate and may be from a school district whose accounts were compromised. In fact, Cofense observed the use of several compromised accounts in this campaign as using a compromised Office 365 account allows messages to bypass email filters which rely on DKIM/SPF.

The email uses a version of the classic lure “suspicious activity on the user's bank account” to trick users into opening it. Attached to the email is a calendar invite that contains a link to the fake invitation.

Hiding on legitimate sites

When a user clicks on the calendar invite, they are redirected to a simple document, hosted on Microsoft's Sharepoint site, containing yet another link.

If the victim goes ahead and follows this second link, they are redirected from sharepoint.com to a phishing site hosted by Google. However, this is not the first time a cybercriminal has used one of Google's sites to host their phishing scam and this practice is becoming increasingly common due to its ease of use as well as the built-in SSL certificate the domain comes with.

Users are then presented with a convincing Wells Fargo banking page that asks for a variety of account information including login details, PIN and various account numbers along with email credentials. If a user does provide all of this information, they will finally be redirected to the actual Wells Fargo login page to make them believe that they have successfully secured their account.

This latest phishing campaign is yet another reminder that both businesses and individuals need to remain constantly vigilant when checking their emails as cybercriminals continue to find new ways to slip past gateways and deliver their scams to users.

TOPICS
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Latest in Security
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Broadcom warns of worrying security flaws affecting VMware tools
URL phishing
HaveIBeenPwned owner suffers phishing attack that stole his Mailchimp mailing list
Ransomware
Cl0p resurgence drives ransomware attacks to new highs in 2025
Google Chrome
Google Chrome security flaw could have let hackers spy on all your online habits
cybersecurity
Chinese government hackers allegedly spent years undetected in foreign phone networks
Data leak
A major Keenetic router data leak could put a million households at risk
Latest in News
inZOI promotional material.
inZOI has become the most wishlisted game on Steam, but I wouldn't get too caught up in the hype
Xbox Series X and Xbox wireless controller set to a green background
Xbox Insiders are currently testing a new Game Hub feature that looks useful, but I've got mixed feelings about it
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Broadcom warns of worrying security flaws affecting VMware tools
Microsoft Surface Laptop and Surface Pro devices on a table.
Hate Windows 11’s search? Microsoft is fixing it with AI, and that almost makes me want to buy a Copilot+ PC
Oura Ring 4
Activity tracking on Oura Ring is about to get a whole lot better, but I've got bad news about your step count
Google Pixel Buds Pro 2
Cleaned your Pixel Buds Pro 2 recently? If not, you might be getting worse sound