Event invitation phishing scheme usurps efficacy of Microsoft, Google and Wells Fargo


A phishing campaign in multiple enterprise email environments purportedly protected by Proofpoint and Microsoft entices users with false event invitations in the form of .ics calendar invite attachments, Cofense Phishing Defense Center (PDC) reported.

The convoluted scheme dupes recipients into thinking their bank accounts have been compromised, even though the ruse’s initial focus is stuffing a malware into URL calendar invite, but in actuality is variation on the classic “suspicious activity on the user’s bank account.”  

Cofense said it observed the use of several compromised accounts used to send this campaign. The loaded email contains the subject line “Fraud Detection from Message Center,” reeling in curious users. By using a compromised real account originating from Office 365, the phish is able to bypass email filters that rely on DKIM/SPF.

When the calendar invite is opened, it’s hosted on the legitimate, the web-based collaborative platform developed by Microsoft integrated with Microsoft Office. After clicking the link in the fake invitation, a relatively simple document opens with yet another link to follow.

Once that link is clicked on, the user is then redirected from to a phishing site hosted by Google, after which users are presented with a convincing Wells Fargo banking page that asks for a variety of Wells Fargo account information, including login details, PIN and various account numbers along with email credentials.

Should the user provide all the requested information, a final redirect goes to the legitimate Wells Fargo login page to make the user believe the account was successfully secured and nothing malicious took place. Not quite, obviously.

Cofense noted it is not the first time threat actors have utilized “storage[.]googleapis[.]com” to host their phish, and that it’s becoming increasingly common, thanks to its ease of use, as well as the built-in SSL certificate the domain, adding the “trusty” padlock to the side of its URL.

“To think, all of this from a simple calendar invite,” the Cofense team wrote. “It goes to show, users and their security teams must constantly remain vigilant as threat actors continue to find new ways to slip past gateways right into inboxes.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.