Full Report
An ongoing phishing campaign impersonates popular brands, such as Unilever, Disney, MasterCard, LVMH, and Uber, in Calendly-themed lures to steal Google Workspace and Facebook business account credentials. [...]
Analysis Summary
# Tool/Technique: Calendly-Themed Phishing Campaign
## Overview
An ongoing, highly targeted phishing campaign leveraging fake meeting invitations themed around the Calendly scheduling platform to steal Google Workspace and Facebook Business account credentials, primarily targeting ad manager accounts. The lures impersonate major brands (Unilever, Disney, MasterCard, LVMH, Uber, etc.) and are reportedly crafted using AI tools.
## Technical Details
- Type: Technique (Phishing/Credential Harvesting)
- Platform: Web-based (Targeting Google Workspace and Facebook Business accounts)
- Capabilities: Credential theft, Brand impersonation, AiTM credential harvesting, Browser-in-the-Browser (BitB) attacks, Anti-analysis measures.
- First Seen: Not stated. The campaign was ongoing as of December 2, 2025, the date of the source reporting.
## MITRE ATT&CK Mapping
- [TA0042 - Resource Development]
- [T1583.006 - Acquire Infrastructure: Web Services] (landing pages hosted on Odoo or routed via Kartra)
- [T1608.005 - Stage Capabilities: Link Target] (Calendly-themed landing pages behind the lure links)
- [TA0001 - Initial Access]
- [T1566 - Phishing]
- [T1566.002 - Spearphishing Link]
- [TA0006 - Credential Access]
- [T1557 - Adversary-in-the-Middle] (AiTM proxy relaying the genuine Google/Facebook login flow)
- [T1111 - Multi-Factor Authentication Interception] (the proxy relays the victim's 2FA step in real time)
- [T1539 - Steal Web Session Cookie] (session hijacking once the victim has authenticated through the proxy)
## Functionality
### Core Capabilities
* **Brand Impersonation:** Impersonates recruiters from over 75 well-known brands (Unilever, Disney, MasterCard, LVMH, Uber, Lego, Artisan) to exploit familiarity and trust.
* **Calendly Lure:** Uses fake Calendly meeting invitation themes as the initial vector, directing victims to landing pages designed to look like genuine appointment scheduling interfaces.
* **Credential Harvesting:** Steals login data for both Google Workspace and Facebook Business accounts.
* **AiTM Phishing:** A subsequent page presents an Adversary-in-the-Middle (AiTM) phishing attempt, allowing session hijacking and bypassing standard 2FA protections.
### Advanced Features
* **Browser-in-the-Browser (BitB) Attacks:** Used in variants targeting both Google and Facebook. The phishing page renders, with ordinary HTML/CSS inside its own viewport, a fake pop-up window complete with a fake address bar showing the legitimate login URL (e.g. the real Google or Facebook sign-in address), so a user who "checks the URL" of the pop-up is reassured by text the attacker controls.
* **Anti-Analysis Measures:** The phishing pages incorporate mechanisms to block VPN/proxy traffic and prevent victims from opening browser developer tools (inspecting elements).
* **Infrastructure Hosting:** Components of the campaign have been observed hosted on Odoo or routed via Kartra platforms.
## Indicators of Compromise
- File Hashes: N/A (Focus is on web infrastructure/techniques)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators:
  - Landing pages hosted on the Odoo platform.
  - Traffic routed through the Kartra platform.
  - 31 unique URLs supporting the campaign were initially identified (specific URLs not provided in the source).
- Behavioral Indicators:
  - Clicking the lure link leads to a CAPTCHA step.
  - The subsequent page redirects to an AiTM login screen or a BitB window.
  - The phishing pages refuse requests arriving from VPN/proxy egress (an anti-analysis measure), so a sandbox or analyst behind a VPN sees a block rather than the lure.
## Associated Threat Actors
* Not named in the source. Push Security, which identified and reported the campaign, attributes it to a single threat actor group without naming it.
## Detection Methods
- Signature-based detection: No public signatures are available. Signatures would have to be built from the landing-page markup and URL patterns of the campaign funnel (the 31 URLs noted above, which the source does not publish).
- Behavioral detection: Correlate, per user, a click out of webmail followed within minutes by a CAPTCHA step, a redirect, and a credential submission to a host that is not the real identity provider but serves identity-provider-style login paths; that chain is the AiTM funnel described above. Note that a BitB "pop-up" is HTML inside the phishing page, not a separate browser window, so endpoint telemetry will not see a new window being opened; detection has to inspect page content (fake window chrome rendered in the DOM) or rely on the user-side drag test in the mitigations below.
- YARA rules: N/A (Technique-focused)
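The behavioral detection above, worked as runnable code. This is an added example written for this page, not detection logic from Push Security or from the source report; the proxy log format, the constructed sample log lines, the webmail and identity-provider host lists, the CAPTCHA provider hosts and the 10-minute window are all assumptions chosen for illustration (the `.example` hosts are reserved names and the `odoo.com` subdomain is invented).

```python
"""Funnel detection for the webmail click -> CAPTCHA -> redirect -> AiTM login chain
over web-proxy logs.  Added example; log format, host lists and thresholds are assumed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample log: "<iso8601> <user> <method> <url> <referer-or-dash> <status>".
# All hosts are hypothetical.  alice walks the phishing funnel; bob books a real meeting.
SAMPLE_LOG = """\
2025-12-02T09:00:01Z alice GET https://cal-invite-brand.example/invite https://mail.google.com/mail/u/0/ 200
2025-12-02T09:00:03Z alice GET https://cal-invite-brand.example/captcha - 200
2025-12-02T09:00:20Z alice GET https://cal-invite-brand.example/schedule - 302
2025-12-02T09:00:21Z alice GET https://sample-invite.odoo.com/book - 200
2025-12-02T09:00:40Z alice GET https://accounts-google-signin.example/v3/signin/identifier https://sample-invite.odoo.com/book 200
2025-12-02T09:01:05Z alice POST https://accounts-google-signin.example/v3/signin/challenge/pwd - 302
2025-12-02T09:30:00Z bob GET https://calendly.com/acme/intro https://mail.google.com/mail/u/0/ 200
2025-12-02T09:30:30Z bob GET https://accounts.google.com/o/oauth2/v2/auth https://calendly.com/acme/intro 200
2025-12-02T09:30:45Z bob POST https://accounts.google.com/signin/v2/challenge/pwd - 302
"""

WEBMAIL_HOSTS = {"mail.google.com", "outlook.office.com", "outlook.live.com"}   # assumed
LEGIT_LOGIN_HOSTS = {"accounts.google.com", "www.facebook.com", "facebook.com",
                     "business.facebook.com", "m.facebook.com"}                   # assumed
LOGIN_PATH_HINTS = ("signin", "login", "identifier", "password", "pwd")
CAPTCHA_HOSTS = ("challenges.cloudflare.com", "hcaptcha.com")                    # assumed
PHISH_HOSTING_SUFFIXES = (".odoo.com", ".kartra.com")   # platforms named in the report; tune locally
WINDOW = timedelta(minutes=10)                            # assumed funnel duration


@dataclass
class Event:
    ts: datetime
    user: str
    method: str
    url: str
    referer: str
    status: int


def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, method, url, referer, status = line.split()
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                            user, method, url, referer, int(status)))
    return events


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_captcha(ev):
    return "captcha" in urlparse(ev.url).path.lower() or host_of(ev.url).endswith(CAPTCHA_HOSTS)


def is_lookalike_credential_post(ev):
    # Credentials POSTed to a host that is not the real IdP but uses IdP-style paths:
    # the signature of an AiTM proxy serving the genuine login flow under its own domain.
    return (ev.method == "POST"
            and host_of(ev.url) not in LEGIT_LOGIN_HOSTS
            and any(h in urlparse(ev.url).path.lower() for h in LOGIN_PATH_HINTS))


def analyse(events):
    """Return one alert per user whose webmail click leads, within WINDOW, to a
    credential POST on a lookalike host.  CAPTCHA and Odoo/Kartra hosting are
    recorded as supporting stages but are not required on their own."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev.user].append(ev)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):
            if host_of(start.referer) not in WEBMAIL_HOSTS:
                continue                      # the funnel starts with a click out of webmail
            chain = [e for e in evs[i:] if e.ts - start.ts <= WINDOW]
            post = next((e for e in chain if is_lookalike_credential_post(e)), None)
            if post is None:
                continue                      # no credential submission to a lookalike: benign
            stages = ["email_click"]
            if any(is_captcha(e) for e in chain):
                stages.append("captcha")
            if any(host_of(e.url).endswith(PHISH_HOSTING_SUFFIXES) for e in chain):
                stages.append("phish_hosting")
            stages.append("credential_post_to_lookalike:" + host_of(post.url))
            alerts.append({"user": user, "start": start.ts.isoformat(), "stages": stages})
            break                             # one alert per user per run
    return alerts


if __name__ == "__main__":
    for alert in analyse(parse_log(SAMPLE_LOG)):
        print(alert)
```

The decisive signal is the credential POST to a non-identity-provider host with identity-provider-style paths; the CAPTCHA and the Odoo/Kartra hosting are only corroboration, because both also occur in legitimate traffic. Running the block on the sample log flags alice with all four stages and leaves bob, who reached the real `accounts.google.com`, alone.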
## Mitigation Strategies
* **Hardware Security Keys (FIDO2/WebAuthn):** Owners of valuable accounts (Google Workspace, Facebook Business) should protect them with FIDO2/WebAuthn security keys or passkeys rather than OTP or push-based 2FA. These are phishing-resistant because the browser binds the page origin into the signed data and the key signs only for the relying party ID that matches that origin, so an assertion obtained on an AiTM proxy's domain is rejected by the real service.
* **URL Verification:** Users must meticulously verify the URLs in the browser address bar before entering credentials, especially after encountering unexpected pop-ups or redirects.
* **BitB Verification:** A genuine login pop-up is a separate operating-system window and can be dragged partly outside the browser's viewport; a BitB "window" is HTML inside the page and is clipped at the viewport edge or moves with the page. Users should try to drag any unexpected login pop-up to the edge of the browser window; if it cannot leave the viewport or behaves oddly, treat it as a BitB attempt.
* **Email Awareness:** Train users to be highly suspicious of meeting invitations, especially those referencing high-profile brands that don't align with typical communication patterns for the target.
* **Ad Security:** Organizations should be wary of malvertising paths where search results lead directly to credential harvesting pages.
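Why the security-key mitigation above holds against an AiTM proxy, shown as a worked relying-party verification. This is an added illustration, not code from the source report or from any WebAuthn library; the relying party ID `workspace.example`, the allowed origins and the proxy host `accounts-workspace-login.example` are hypothetical. The block models only the origin, challenge, RP-ID-hash and user-presence checks that a relying party performs before verifying the signature, which is where an AiTM-relayed assertion is rejected.

```python
"""Why FIDO2/WebAuthn security keys defeat AiTM proxies: origin and RP ID binding.
Added illustration with hypothetical names; not a complete WebAuthn implementation."""
import base64
import hashlib
import json
import secrets
from urllib.parse import urlparse

RP_ID = "workspace.example"                                    # hypothetical relying party
ALLOWED_ORIGINS = {"https://workspace.example", "https://login.workspace.example"}
PROXY_ORIGIN = "https://accounts-workspace-login.example"    # hypothetical AiTM page the victim is on


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def browser_allows_rp_id(origin, rp_id):
    """Browser-side rule: a page may only request an rpId equal to its origin's host
    or a registrable suffix of it.  An AiTM page therefore cannot ask the key to
    sign for the real RP ID."""
    host = urlparse(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


def browser_client_data(challenge, origin):
    """clientDataJSON is assembled by the browser, not by page script, so the page
    cannot lie about the origin it is running on."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()


def authenticator_data(rp_id, flags=0x05, sign_count=1):
    """Fixed 37-byte prefix of authenticatorData: rpIdHash || flags || signCount.
    The key's signature covers authenticatorData || SHA-256(clientDataJSON), so
    neither the origin nor the RP ID hash can be swapped after signing."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def verify_assertion(expected_challenge, client_data, auth_data):
    """Relying-party checks from the spec's 'Verifying an Authentication Assertion'
    procedure that run before the signature itself is verified."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch or replay"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin not allowed: " + str(cd.get("origin"))
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def legit_flow():
    """User signs in on a genuine origin: every binding lines up."""
    challenge = secrets.token_bytes(32)                       # issued and stored by the RP
    origin = "https://login.workspace.example"
    cd = browser_client_data(challenge, origin)
    ad = authenticator_data(RP_ID)
    return verify_assertion(challenge, cd, ad)


def aitm_flow():
    """The proxy relays the RP's real challenge to the victim, but the victim's
    browser is on PROXY_ORIGIN: it stamps that origin into clientDataJSON and will
    only sign for an rpId that matches the proxy host, so the RP rejects the result."""
    challenge = secrets.token_bytes(32)
    rp_id_seen = RP_ID if browser_allows_rp_id(PROXY_ORIGIN, RP_ID) else urlparse(PROXY_ORIGIN).hostname
    cd = browser_client_data(challenge, PROXY_ORIGIN)
    ad = authenticator_data(rp_id_seen)
    return verify_assertion(challenge, cd, ad)


if __name__ == "__main__":
    print("legitimate:", legit_flow())
    print("via AiTM proxy:", aitm_flow())
```

Contrast this with OTP or push-based 2FA, where the second factor is just a value the victim types or approves and the proxy forwards it unchanged; nothing in that exchange names the origin the victim is actually on, which is exactly the gap the AiTM stage of this campaign exploits.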
## Related Tools/Techniques
* AiTM Phishing Frameworks (e.g., EvilProxy, though not explicitly mentioned here)
* Browser-in-the-Browser (BitB) techniques.
* Previous phishing campaigns leveraging Google Search Ads to target Google Ads Manager accounts.