A large-scale phishing campaign has been uncovered, targeting Google Workspace and Facebook Business account users through highly convincing Calendly-themed pages. This operation, analyzed by Push Security, demonstrates an advanced blend of social engineering and detection evasion tactics, aiming to hijack accounts with high privileges.
How the Attack Works
The campaign consists of multiple variants, each designed to trick victims into revealing their credentials:
Variant 1: Google Workspace Account Hijacking
Victims receive fake job recruitment emails, such as one impersonating Inside LVMH, the talent arm of French luxury group LVMH.
The email includes a Calendly link to schedule a call, which redirects to a phishing page mimicking Calendly’s login interface.
Victims are prompted to sign in with their Google account, but the site uses an Attacker-in-the-Middle (AiTM) toolkit to intercept credentials and session cookies, enabling full account takeover.
Attackers add CAPTCHA checks and domain-based access restrictions so that only visitors from the targeted domains see the malicious content, which thwarts automated scanners and analysts.
Variant 2: Facebook Business Account Takeover
Another variant focuses on Facebook Business accounts, reusing 30+ phishing URLs from an older campaign active for over two years. These accounts are valuable because they manage ad budgets and brand assets, making them prime targets for fraud and malvertising.
Variant 3: Browser-in-the-Browser (BitB) Technique
A third variant combines elements of both attacks, using BitB pop-ups to spoof legitimate login windows and mask malicious URLs. This technique makes phishing pages appear authentic, even to cautious users.
Why Business Ad Accounts Are the Target
Researchers note that this campaign is part of a growing trend of credential theft targeting advertising platforms.
Access to Google Ads Manager or Facebook Business accounts allows attackers to:
✅ Run fraudulent ad campaigns
✅ Spread malware via malvertising
✅ Exploit budgets across multiple brands
Google has warned agencies managing multiple client accounts to monitor new user additions and strengthen security controls.
Advanced Evasion Techniques
The phishing pages impersonate major brands like Lego, Mastercard, Uber, and LVMH, and employ:
- CAPTCHA challenges to block automated analysis
- Domain-based restrictions to hide payloads from non-targeted users
- Rapid domain turnover to evade IoC-based detection
Push Security highlights that these tactics make traditional signature-based defenses ineffective, emphasizing the need for behavior-based and identity-focused security measures.
The Bigger Risk
By compromising Google Workspace accounts, attackers gain access to:
✅ Sensitive business data
✅ Email and file storage
✅ Authentication tokens for other services
Even organizations using multiple identity providers remain vulnerable if single sign-on (SSO) configurations are loosely secured—a risk previously highlighted in Push Security’s research on cross-IdP impersonation attacks.
How to Protect Against Calendly-Themed Phishing
- Verify links before entering credentials
- Enable multi-factor authentication (MFA)
- Use phishing-resistant authentication methods
- Monitor ad account activity for unauthorized changes
- Deploy behavior-based detection tools instead of relying solely on IoCs
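The recommendation to use phishing-resistant authentication is the direct answer to the AiTM toolkit described above: a relayed password and one-time code look identical to the real thing, whereas an origin-bound assertion (WebAuthn/passkeys) is signed over the origin the browser is actually showing. The following added example is a constructed toy model written for this page, not code from Push Security or from any of the brands named; an HMAC keyed with a per-credential secret stands in for the authenticator's public-key signature, and the relying-party id and both origins are made-up assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Constructed toy model of an origin-bound (WebAuthn-style) login assertion.
# HMAC with a per-credential secret stands in for the real public-key signature.
RP_ID = "accounts.example"                       # assumed relying party id
LEGIT_ORIGIN = "https://accounts.example"         # assumed legitimate origin
PHISH_ORIGIN = "https://calendly-login.example"   # constructed AiTM/lookalike origin


def _client_data(challenge: bytes, origin: str) -> bytes:
    # The browser, not the page content, fills in the origin it is actually showing.
    return json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                       "origin": origin}, sort_keys=True).encode()


class Authenticator:
    """Toy authenticator holding one credential bound to an rpId at registration."""

    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self.key = secrets.token_bytes(32)  # stand-in for the private key

    def credential_public_key(self) -> bytes:
        return self.key  # HMAC stand-in: the "public key" is the shared secret (toy only)

    def get_assertion(self, challenge: bytes, origin: str) -> dict:
        client_data = _client_data(challenge, origin)
        auth_data = hashlib.sha256(self.rp_id.encode()).digest()  # rpIdHash
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        sig = hmac.new(self.key, to_sign, hashlib.sha256).digest()
        return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


class RelyingParty:
    """Toy server side: issues challenges and verifies assertions against its own origin."""

    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin = rp_id, origin
        self.pubkeys: dict[str, bytes] = {}
        self.pending: dict[str, bytes] = {}

    def register(self, user: str, pubkey: bytes) -> None:
        self.pubkeys[user] = pubkey

    def new_challenge(self, user: str) -> bytes:
        self.pending[user] = secrets.token_bytes(32)
        return self.pending[user]

    def verify(self, user: str, assertion: dict) -> str:
        challenge = self.pending.pop(user, None)
        if challenge is None:
            return "no pending challenge"
        cd = json.loads(assertion["client_data"])
        if cd.get("challenge") != challenge.hex():
            return "challenge mismatch"
        if cd.get("origin") != self.origin:
            return "origin mismatch"  # this check is what stops a relayed AiTM login
        if assertion["auth_data"] != hashlib.sha256(self.rp_id.encode()).digest():
            return "rpId mismatch"
        to_sign = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
        expected = hmac.new(self.pubkeys[user], to_sign, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return "bad signature"
        return "ok"


def setup():
    rp = RelyingParty(RP_ID, LEGIT_ORIGIN)
    auth = Authenticator(RP_ID)
    rp.register("victim", auth.credential_public_key())
    return rp, auth


def legit_login() -> str:
    rp, auth = setup()
    chal = rp.new_challenge("victim")
    return rp.verify("victim", auth.get_assertion(chal, LEGIT_ORIGIN))


def aitm_relay() -> str:
    # The proxy relays the real challenge, but the victim's browser is on the phishing
    # origin, so that origin is what the authenticator signs over.
    rp, auth = setup()
    chal = rp.new_challenge("victim")
    return rp.verify("victim", auth.get_assertion(chal, PHISH_ORIGIN))


def aitm_relay_rewritten_origin() -> str:
    # Rewriting the origin field before forwarding does not help either: the signature
    # covers the client-data hash, so the edited assertion no longer verifies.
    rp, auth = setup()
    chal = rp.new_challenge("victim")
    a = auth.get_assertion(chal, PHISH_ORIGIN)
    a["client_data"] = _client_data(chal, LEGIT_ORIGIN)
    return rp.verify("victim", a)


if __name__ == "__main__":
    print("legitimate login:", legit_login())
    print("relayed through AiTM proxy:", aitm_relay())
    print("relayed with origin rewritten:", aitm_relay_rewritten_origin())
```

The point of the model is that the origin is bound in by the browser and covered by the signature, so neither a password-style relay nor tampering with the forwarded assertion yields a valid login; a CAPTCHA gate or a convincing BitB window on the phishing page changes nothing about what gets signed. Real WebAuthn verification also checks the signature counter, user-presence flags and the credential's allowed list, which the toy omits.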