Cybercriminals are running a sophisticated, long-running phishing operation that uses fake Calendly invitations โ disguised to appear to be from major global brands โ to steal Google Workspace and Facebook Business account credentials.
The campaign, uncovered by cybersecurity researchers at Push Security, depends upon polished social engineering and advanced detection-evasion techniques to infiltrate high-value advertising platforms.
How The Scam Works
The attack begins with a multi-stage phishing email that appears to come from a legitimate recruiter at a well-known company. The messages include what seems to be a normal Calendly link for scheduling an interview or call. Many of these emails are often well-crafted, believed to be generated with AI, and tailored with personal details scraped from public sources.
Security says the attackers impersonated more than 75 companies, including Disney, Unilever, Lego, Mastercard, Uber, and LVMH.
โThis approach is intentional. The multi-stage message is likely designed to defeat email content scanning tools looking for messages containing a link requesting an urgent response,โ the researchers wrote in a blog post published on Tuesday.
Once the victim responds, attackers send a Calendly-style scheduling link to โbook a call.โ The link leads to a fake Calendly page hosted on attacker-controlled servers. After completing the CAPTCHA check and selecting “Continue with Googleโ, users are redirected to an adversary-in-the-middle (AiTM) phishing page that mimics Googleโs login screen and steals Google Workspace credentials โ including active session tokens.
Push Security confirmed that attackers are specifically targeting Google Ads Manager (MCC) accounts, which allow access to multiple client advertising accounts from a single dashboard โ making them extremely valuable.
Multiple Variants Target Both Google And Facebook Accounts
Researchers identified at least 31 unique phishing URLs tied to the campaign. They found several variations of the attack, such as a Google-focused variant spoofing recruiters at LVMH, Lego, Mastercard, and Uber; Facebook Business account variants impersonating brands like Disney and Unilever; and a newer hybrid variant targeting both Google and Facebook, using a โbrowser-in-the-browserโ attack that displays a fake login pop-up with a realistic URL bar.
To avoid detection, these phishing pages block VPN/proxy connections, prevent visitors from opening developer tools, and hide malicious elements unless the correct target email domain is used.
Malvertising Attacks Add Another Layer
Push Security also observed a separate malvertising campaign targeting Google Ads Manager accounts, where users searching for โGoogle Adsโ were shown malicious sponsored ads that led them to lookalike Google login pages. These ads were hosted through platforms such as Odoo and Kartra.
Since these ad platforms enable precise targeting by geography, domain filters, and device type, attackers can craft โwatering holeโ campaigns specifically aimed at particular organizations or industries.
What Organizations Should Do Now
Security experts recommend taking immediate steps to reduce risk:
- Verify all Calendly links โ only trust URLs from com or app.calendly.com.
- Enable hardware security keys for Google and Facebook accounts, since AiTM attacks easily bypass SMS and app-based MFA.
- Drag any login pop-up windows โ if they canโt move outside the browser frame, it might be a fake browser-in-the-browser window.
- Audit ad accounts frequently for new admins, new payment methods, or unexpected campaign activity.
- Enforce strict identity and conditional access policies for teams managing ads.
- Ask agencies and third parties with ad access to use hardware MFA and limited login locations.
A Campaign That Continues To Evolve
Push Security notes that the attackers behind this operation continually refine their tactics, adopting new phishing styles and evasion methods. With malvertising and AiTM becoming more common and credentials becoming increasingly valuable on the cybercrime market, experts warn that ad management accounts will remain prime targets.
