Threat Alert: Sophisticated Calendly Phishing Targets Corporate Ad Manager Accounts
Organizations worldwide are facing a new wave of phishing attacks in which cybercriminals send fake Calendly meeting invites impersonating major global brands such as Unilever, Disney, Mastercard, LVMH, and Uber.
The attackers’ primary target: Ad Manager and marketing accounts—high-value assets that can be used to run malicious ads, spread phishing campaigns, and gain deeper access into corporate systems.
How the Attack Works: A Meeting Invite That Leads to Account Takeover
The campaign begins with a highly convincing email that appears to be a legitimate meeting invitation. The message may include a real brand logo, professional wording, and details that look authentic enough to pass as communication from a recruiter, partner, or vendor.
Once the victim clicks the link, they are redirected to a fake Calendly page designed to look identical to the real one. The page typically includes steps such as entering an email, completing a CAPTCHA, and continuing with Google Sign-In.
The danger lies here:
- The link secretly leads to an Attacker-in-the-Middle (AiTM) site
- Cybercriminals intercept credentials and authentication tokens
- Even MFA/2FA can be bypassed, because the proxy relays the one-time code to the real service and captures the resulting session token
- Some variants use Browser-in-the-Browser (BitB) pop-ups that perfectly mimic legitimate login windows
After gaining access, the attackers can:
- Hijack Google Workspace accounts, emails, and documents
- Take over Facebook Business and Google Ads accounts
- Launch malicious advertising campaigns
- Sell compromised accounts on underground markets
Why This Threat Is Especially Dangerous for Businesses
Corporate advertising accounts are highly valuable because they:
- Are linked to company billing methods
- Can create ads that reach large audiences instantly
- Enable attackers to run phishing or malware campaigns at scale
- Pose massive financial and reputational risks
Marketing, brand, PR, partnership, and HR teams are particularly vulnerable as they frequently receive meeting invitations and external messages—making these phishing emails harder to detect.
Essential Security Measures for Organizations
- Use Hardware Security Keys
Replace SMS or app-based 2FA for critical accounts. Security keys (e.g., YubiKey) provide strong protection against AiTM attacks: a FIDO2/WebAuthn credential is bound to the legitimate site's origin, so a proxy page on a lookalike domain cannot complete the login.
- Always Check the URL Before Logging In
Do not click login links directly from emails.
If you receive a Calendly link → manually type the official URL into your browser.
- Conduct Awareness Training on “Meeting-Invite Phishing”
Targeted training is crucial for teams that engage heavily with external stakeholders.
- Enable Anomalous Behavior Alerts
Set up alerts for:
  - New login attempts from unfamiliar devices or geolocations
  - Changes to billing methods in ad accounts
  - Addition of new admin users
- Apply Least-Privilege Access
Grant advertising and admin permissions only to users who absolutely need them.
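The three alert conditions above can be checked with a few rules over an audit log. The following is an added example (not code from Calendly, Google, Meta, or the original post); the JSON-lines event schema, the per-user device and country baselines, and the sample log are constructed assumptions. It also correlates the rules, escalating a billing or admin change that follows an anomalous login by the same user within an hour, which is the takeover sequence the post describes.

```python
"""Rule-based alerts over an ad-account audit log (added example, not vendor code).
The JSON-lines schema, per-user baselines and sample log are constructed assumptions."""
import json
from datetime import datetime, timedelta

# Constructed events: a takeover-style sequence for one user, normal activity for another.
SAMPLE_LOG = """
{"ts": "2024-05-01T09:00:00Z", "user": "ads-admin@example.com", "event": "login", "device_id": "dev-1", "geo": "DE"}
{"ts": "2024-05-01T09:05:00Z", "user": "ads-admin@example.com", "event": "login", "device_id": "dev-9", "geo": "NG"}
{"ts": "2024-05-01T09:07:00Z", "user": "ads-admin@example.com", "event": "billing_method_changed", "detail": "payment method replaced"}
{"ts": "2024-05-01T09:08:00Z", "user": "ads-admin@example.com", "event": "admin_added", "detail": "new-admin@external.example"}
{"ts": "2024-05-01T10:00:00Z", "user": "marketing@example.com", "event": "login", "device_id": "dev-2", "geo": "DE"}
"""
# Assumed baselines: devices and countries each user normally signs in from.
KNOWN_DEVICES = {"ads-admin@example.com": {"dev-1"}, "marketing@example.com": {"dev-2"}}
KNOWN_GEOS = {"ads-admin@example.com": {"DE"}, "marketing@example.com": {"DE"}}
CORRELATION_WINDOW = timedelta(minutes=60)


def parse_events(raw):
    """Parse a JSON-lines log into dicts with a parsed 'when' timestamp, oldest first."""
    events = [json.loads(line) for line in raw.splitlines() if line.strip()]
    for ev in events:
        ev["when"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["when"])


def detect_alerts(events, known_devices=KNOWN_DEVICES, known_geos=KNOWN_GEOS):
    """Return (severity, message) tuples for the three conditions in the post; a billing
    or admin change within CORRELATION_WINDOW of an anomalous login becomes 'critical'."""
    alerts, last_anomalous_login = [], {}
    for ev in events:
        user, kind = ev["user"], ev["event"]
        if kind == "login":
            reasons = []
            if ev["device_id"] not in known_devices.get(user, set()):
                reasons.append("unfamiliar device " + ev["device_id"])
            if ev["geo"] not in known_geos.get(user, set()):
                reasons.append("unfamiliar geolocation " + ev["geo"])
            if reasons:
                last_anomalous_login[user] = ev["when"]
                alerts.append(("medium", f"{ev['ts']} login by {user}: {', '.join(reasons)}"))
        elif kind in ("billing_method_changed", "admin_added"):
            severity = "high"
            recent = last_anomalous_login.get(user)
            if recent is not None and ev["when"] - recent <= CORRELATION_WINDOW:
                severity = "critical"  # sensitive change right after a suspicious login
            alerts.append((severity, f"{ev['ts']} {kind} by {user}: {ev['detail']}"))
    return alerts
```

Running `detect_alerts(parse_events(SAMPLE_LOG))` on the constructed log yields one medium alert for the unfamiliar login and two critical alerts for the changes that follow it, while the normal marketing login produces nothing.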
Executive Summary
This attack campaign highlights how modern phishing techniques have evolved beyond simple fake emails. By exploiting something as routine as a meeting invitation, cybercriminals can swiftly compromise high-value business accounts and gain deeper access to the organization.
Businesses should act proactively by:
- Strengthening identity security
- Training employees on new phishing techniques
- Protecting advertising and marketing accounts—now prime targets for attackers
Building strong cybersecurity posture and awareness is the most effective way to defend against new, sophisticated phishing threats.
#bigfishtechnology #bigfishtec #CyberSecurity #PhishingAlert #ThreatIntelligence #CyberAwareness #AccountTakeover #AdManagerSecurity #BusinessSecurity #DigitalThreats #InfoSec #SecurityBestPractices #CyberFraud #CorporateSecurity #DataProtection #OnlineSafety #CyberRisk