Calendly-Themed Scam Aims at Google Workspace Credentials

A new phishing campaign has been uncovered using fake Calendly pages to steal credentials from Google Workspace and Facebook Business users. Push Security analyzed the operation and found that the attackers are combining realistic social engineering with multiple detection-evasion techniques to compromise business ad accounts.

How the Attack Begins

The campaign starts with well-written emails that look like genuine recruitment messages. In one example, a victim received what appeared to be a legitimate job offer from “Inside LVMH,” along with a Calendly link to schedule an interview.

The link redirected to a fake Calendly login page designed to capture Google credentials.

Account Takeover Using AiTM

The phishing site used an Attacker-in-the-Middle setup to intercept both login details and session cookies. With these tokens, the attackers could hijack accounts without triggering additional security checks.

The campaign also included several evasion layers such as CAPTCHA prompts and domain-based filtering to ensure only targeted victims could view the malicious page. This made it harder for analysts and automated tools to investigate.

Researchers found additional phishing pages imitating brands like Lego, Mastercard, Uber and LVMH.

Another version of the attack focused on Facebook Business accounts, reusing URLs from an older campaign that has been active for more than two years.

A third version used Browser-in-the-Browser pop-ups to mimic real login windows and hide the malicious destination.

Why Attackers Want Ad Accounts

Business advertising accounts have become a prime target because they hold broad permissions, budget access, and control over multiple brand assets. Once compromised, attackers can run fake ads, push malware, or make unauthorized purchases.

Google recently warned agencies managing multiple clients to closely monitor new user additions to Manager Accounts. Attackers have also been using Google Search ads (malvertising) to spread phishing pages even more effectively.

When attackers break into a Google Workspace account, they can access almost everything the user touches — company emails, stored files, shared documents, and even authentication tokens that let them stay logged in.

Organizations using more than one identity provider aren’t automatically safer either. If single sign-on settings are weak or loosely configured, attackers can still pivot between systems. Push Security has previously warned about this risk in their research on cross-IdP impersonation.

The Calendly phishing operation also highlights how much smarter these campaigns have become. The attackers use highly convincing messages, AI-driven customization, and techniques specifically designed to block security tools from analyzing the pages.

They also rotate domains frequently, which means relying only on indicators of compromise is no longer enough. Stronger identity checks and behavior-based detection are essential to catch these kinds of threats.

Recommendations

  • Enable phishing-resistant MFA such as security keys or passkeys.
  • Review and tighten all SSO and identity provider configurations.
  • Monitor for unusual login patterns, new device sign-ins, or unexpected OAuth approvals.
  • Reduce reliance on IoCs and use behavior-based detection wherever possible.
  • Educate users to verify Calendly links, job offers, and any unexpected meeting requests.
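
The monitoring and behavior-based detection recommendations above, as an added example (not code from the article or from Push Security): it flags a session that is reused from a different IP address and user agent than the client that logged in, and raises severity when an OAuth approval follows from that new client. The event schema, the sample events and the one-hour window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events. The schema is hypothetical: map the field names
# to whatever your identity provider's audit log actually exports.
EVENTS = [
    {"ts": "2025-01-10T09:00:00", "user": "alice@example.com", "type": "login",
     "session": "s1", "ip": "198.51.100.7", "ua": "Chrome/131 Windows"},
    {"ts": "2025-01-10T09:02:00", "user": "alice@example.com", "type": "activity",
     "session": "s1", "ip": "203.0.113.50", "ua": "Firefox/128 Linux"},
    {"ts": "2025-01-10T09:03:00", "user": "alice@example.com", "type": "oauth_grant",
     "session": "s1", "ip": "203.0.113.50", "ua": "Firefox/128 Linux"},
    {"ts": "2025-01-10T10:00:00", "user": "bob@example.com", "type": "login",
     "session": "s2", "ip": "192.0.2.10", "ua": "Safari/17 macOS"},
    {"ts": "2025-01-10T10:05:00", "user": "bob@example.com", "type": "activity",
     "session": "s2", "ip": "192.0.2.10", "ua": "Safari/17 macOS"},
]

WINDOW = timedelta(hours=1)  # assumed tuning value, not taken from the article


def detect_session_replay(events, window=WINDOW):
    """Flag sessions reused from a client unlike the one that authenticated."""
    origin = {}  # session id -> (login time, ip, user agent)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        sid = ev["session"]
        if ev["type"] == "login":
            origin[sid] = (ts, ev["ip"], ev["ua"])
            continue
        if sid not in origin:
            continue  # no login recorded for this session in the data set
        login_ts, ip, ua = origin[sid]
        # Require both IP and user agent to change: an IP change alone is
        # common on mobile networks and would be noisy.
        changed = ev["ip"] != ip and ev["ua"] != ua
        if changed and ts - login_ts <= window:
            # An OAuth approval from the new client is a persistence signal.
            severity = "high" if ev["type"] == "oauth_grant" else "medium"
            alerts.append((ev["user"], sid, ev["type"], severity))
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(EVENTS):
        print(alert)
```

The rule keys on how the session behaves rather than on phishing domains, so it keeps working when the attackers rotate infrastructure.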

About the Author:

FirstHackersNews- Identifies Security
