Threat actors have recently launched a phishing campaign exploiting the calendar app Calendly
in an effort to exfiltrate sensitive account credentials, according to TechRepublic.
The campaign, which was identified by INKY researchers in late February, involved attackers adding malicious links in Calendly-sent event invitations.
Researchers found that different hijacked email accounts were leveraged to send out the phishing messages, which include a link to view "new documents received." Recipients who clicked on the link will be redirected to a Calendly event invitation with a "Preview Document" link, which enables the theft of account credentials.
Calendly later noted
that the campaign has been executed through a malicious link added to a customized booking page.
"Phishing attacks violate our Terms of Service, and accounts are immediately terminated when found or reported. We have a dedicated team that constantly enhances our security techniques, and we will continue to refine and stay vigilant to protect our users and combat such attacks," a Calendly spokesperson said.