News

Hackers Hide Phishing Links Inside .ics Calendar Invitations

Threat actors are finding innovative methods to phish people into clicking/downloading malicious links or entering sensitive information on fake forms. In a recent security discovery, the Cofense Phishing Defense Center (PDC) found that cybercriminals are using calendar invitations to launch phishing attacks.

Researchers at Cofense found a new phishing campaign to target enterprise email environments that deliver .ics calendar invitations, which contain phishing links in the email body with the subject “Fault Detection from Message Center,” from a sender named “Walker”.  The hackers used a compromised email account of a school district to bypass email filters.

The Phishing Page

The fake calendar invitation contains a malicious URL, hosted on Microsoft’s SharePoint site, and also displays another link that redirects the user to a phishing site. When a user clicks on the calendar invitation, it redirects them to a document hosted on the SharePoint site, which contains yet another malicious link. In case the victim clicks on the second link, they are redirected to a phishing website hosted by Google that looks like a legitimate Wells Fargo banking login page. The bogus page asks the users to enter their sensitive information like login details, account numbers, PIN, and email credentials. After entering all the sensitive information, the user will be redirected to the actual Wells Fargo login page to make the user believe that their account is secured.

“Cofense observed the use of several compromised accounts used to send this campaign. Using a compromised real account originating from Office 365 allows the email to bypass email filters that rely on DKIM/SPF. The story in this phish is a version of a classic lure “suspicious activity on the user’s bank account.” This attachment, however, does not jibe with the ruse considering it’s a calendar invite. A more fitting lure would have been something like “I attached a meeting invite; can you please attend,” the researchers said in a statement.

Google Calendar Scam

Threat intelligence and cybersecurity firm Kaspersky stated that scammers made phishing attacks, by abusing Google Calendar services, to trick users into giving away sensitive information like passwords, card details, and other financial data.  Several unsolicited pop-up calendar notifications were sent to Gmail users by cybercriminals as a sophisticated spam email attack. The calendar phishing emails exploit the automatic addition and notification of calendar invitations feature for people using Gmail on their mobiles.

 

CISOMAG

Recent Posts

Cyber Security Expo Europe

September 24-25, 2025 Location: RAI, Amsterdam, Netherlands Website: https://shorturl.at/3tQu4 Cyber Security Expo Europe 2025 lands…

5 days ago

Game Changer Montenegro Festival

July 3-5, 2025 Location: Tivat, Montenegro Website: https://game-changer.tech/ Tivat Becomes a Hub of Innovation and…

2 weeks ago

CyberSec India Expo

June 11-12, 2025 Location: Mumbai, India CyberSec India Expo 2025 is India’s premier cybersecurity event,…

2 weeks ago

it-sa Expo & Congress

October 7-9, 2025 Location: Nuremberg, Germany Website: https://shorturl.at/DhXLj it-sa: Security for the digital future it-sa:…

2 weeks ago

Cyber Security Expo

July 10, 2025 Location: Manchester Central, Manchester, M2 3GX Website: https://bit.ly/43tNakH The Cyber Security EXPO…

3 weeks ago

CISO India Connect 2025 – Hyderabad

June 26, 2025 Location: Hyderabad, India CISO India Connect 2025 is an invite-only summit bringing…

4 weeks ago