Hackers Use Google Calendar Alerts to Break Into Business Email Security


Google Calendar is a time management and organization tool designed to help individuals and businesses plan their days efficiently. Google Calendar is used by over 500 million people worldwide and is available in 41 different languages.

Due to its popularity and efficiency, Google Calendar has become a target for cybercriminals. Recently, Check Point security researchers observed cybercriminals abusing Google's dedicated tools, such as Google Calendar and Google Drawings. Many of the emails look legitimate because they appear to come directly from Google Calendar. The cybercriminals manipulate the "from" headers so that the emails appear to have been sent via Google Calendar on behalf of a known, legitimate person. So far, approximately 300 brands have been affected by this campaign, with over 4,000 phishing emails detected in a four-week period.

These phishing attacks initially exploited Google Calendar's user-friendly features, including links to Google Forms. However, after cybersecurity systems began flagging malicious Calendar invitations, the attackers evolved the attack to include Google Drawings functionality.

The initial emails include a link or a calendar file (.ics) with a link to Google Forms or Google Drawings. Users are then prompted to click another link, often disguised as a fake reCAPTCHA or support button. Once clicked, the user is redirected to a page that appears to be a cryptocurrency or bitcoin support platform. These pages are designed to perpetrate financial scams. Once users reach the page, they are prompted to complete a fake authentication process, enter personal information, and finally provide payment details.

How to Block This Attack

For organizations that want to protect their users from phishing threats like this, the following practical measures are recommended:

  • Advanced email security solutions
    Tools like LeonardoNetwork Email Defender can detect and block sophisticated phishing attempts, even when they exploit trusted platforms like Google Calendar and Google Drawings. High-quality security solutions include attachment scanning, URL reputation checking, and AI-based anomaly detection.
  • Monitoring third-party apps integrated with Google
    Use cybersecurity tools that can detect and report suspicious activity on third-party applications connected to corporate accounts.
  • Implementation of robust authentication mechanisms
    One of the most important actions is the adoption of Two-Factor Authentication (MFA) on all company accounts. Additionally, implement behavioral analytics tools to detect unusual login attempts or suspicious activity, including browsing to cryptocurrency-related sites.
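
Added example (not from Check Point, Google or any product named here): one way an email gateway could apply attachment scanning and URL checking to the `.ics` files described above, extracting every link from an invite and flagging those that point at Google Forms or Google Drawings. The host and path patterns (`docs.google.com/forms/`, `docs.google.com/drawings/`, `forms.gle`), the function names and the sample invite are assumptions made for this illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: URL patterns for the two Google services named in the article.
WATCHED = {
    "docs.google.com": ("/forms/", "/drawings/"),
    "forms.gle": ("/",),  # Google Forms short links
}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample invite; note the folded DESCRIPTION line splitting a URL.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\n"
    "SUMMARY:Account verification required\r\n"
    "DESCRIPTION:Complete the check here: https://docs.google.com/draw\r\n"
    " ings/d/EXAMPLE-ID/preview\\nSupport: https://example.com/help\r\n"
    "URL:https://forms.gle/EXAMPLEid\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)


def unfold(ics_text):
    """Undo RFC 5545 line folding (line break followed by a space or tab)."""
    return re.sub(r"\r?\n[ \t]", "", ics_text)


def invite_links(ics_text):
    """Return (property, url) pairs found in any content line of the invite."""
    found = []
    for line in unfold(ics_text).splitlines():
        name, _, value = line.partition(":")
        prop = name.split(";", 1)[0].upper()
        # Unescape TEXT values so "\n" or "\," does not stick to a URL.
        value = re.sub(r"\\[nN]", " ", value)
        value = re.sub(r"\\([,;\\])", r"\1", value)
        for url in URL_RE.findall(value):
            found.append((prop, url.rstrip(".,;)")))
    return found


def flag_invite(ics_text):
    """Return invite links that point at Google Forms or Google Drawings."""
    hits = []
    for prop, url in invite_links(ics_text):
        parsed = urlparse(url)
        prefixes = WATCHED.get((parsed.hostname or "").lower(), ())
        if any(parsed.path.startswith(p) for p in prefixes):
            hits.append({"property": prop, "url": url})
    return hits
```

A hit is a reason to quarantine or review the invite rather than proof of phishing, since legitimate invites also link to Google Forms.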

For individuals concerned about these scams reaching their personal inbox, we recommend taking the following precautions:

  • Beware of invitations to suspicious events
    Do the invitations include unexpected information or require unusual steps (e.g., completing a CAPTCHA)? If so, avoid interacting.
  • Carefully review incoming content
    Think before you click. Hover over links to see their destinations, and type them manually into your browser to access the site more securely.
  • Enable two-factor authentication
    For Google accounts and other platforms containing sensitive information, enable two-factor authentication (2FA). Even if your credentials are compromised, 2FA can prevent criminals from accessing your account.

In response to the issue, Google stated:

We recommend users enable the 'Known Senders' setting in Google Calendar. This helps protect against this type of phishing by alerting users when they receive an invitation from someone who isn't in their contact list or with whom they've never interacted via email before.

Source: Check Point Team and Forbes
