Criminals using Google Calendar email invites to steal data from users

Cybercriminals were observed manipulating Google Calendar email invites to fool users into clicking on malicious links or attachments that lead to the theft of corporate and personal data.

Check Point researchers said Dec. 17 that after an individual clicks on the malicious link, the stolen data gets applied to financial scams in which cybercriminals execute credit card fraud, unauthorized transactions or similar illegal activities. The stolen data also gets used to bypass security measures on other accounts, leading to further compromise.

The threat actors targeted the popular Google app because Google Calendar has more than 500 million users worldwide and is available in 41 languages.

According to the Check Point researchers, cybercriminals modify “sender” headers, making a Google Calendar email invite look as if it was sent via Google Calendar on behalf of a legitimate person. The initial emails include a malicious link or Calendar file with a link to Google Forms or Google Drawings. Roughly 300 brands have been leveraged by the attackers in this campaign, with the researchers observing more than 4,000 of these phishing emails in a four-week period.

While this attack method isn’t revolutionary, its effectiveness lies in exploiting trusted Google services that millions rely on daily, said Stephen Kowski, Field CTO at SlashNext Email Security. Kowski said smart attackers know that by leveraging legitimate platforms like Google Calendar, they can sail past traditional security controls that would typically catch malicious content.

“A practical defense starts with proper Google Calendar configuration: specifically adjusting the ‘Automatically add invitations’ setting to ‘No’ and unchecking ‘Show declined events’ in view options,” said Kowski. “Beyond technical controls, security teams should focus on real-time detection of suspicious calendar invites, especially those containing external links or unusual sharing patterns that could indicate credential harvesting attempts.”
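One way to triage invites for the links described above, as an added example that is not code from Check Point or anyone quoted in this article: it lists every URL in mail that carries a calendar part and marks those pointing at Google Forms or Google Drawings, unfolding wrapped .ics lines first so a URL split across lines is not missed. The watched URL prefixes, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
# Assumption: URL prefixes used to recognise Forms/Drawings links (not listed in the article).
WATCHED = ("docs.google.com/forms", "docs.google.com/drawings", "forms.gle/")
URL_RE = re.compile(r"https?://[^\s\"'<>\\]+", re.I)

def unfold_ics(text):
    # RFC 5545 folding: a line break followed by a space or tab continues the line.
    return re.sub(r"\r?\n[ \t]", "", text)

def triage_invite(raw):
    """Return [(content_type, url, is_watched)] for mail that carries a calendar part."""
    parts = [p for p in message_from_string(raw).walk() if not p.is_multipart()]
    if not any(p.get_content_type() == "text/calendar" for p in parts):
        return []  # not a calendar invite, out of scope for this check
    hits = []
    for p in parts:
        if p.get_content_maintype() != "text":
            continue
        body = (p.get_payload(decode=True) or b"").decode(
            p.get_content_charset() or "utf-8", "replace")
        if p.get_content_type() == "text/calendar":
            body = unfold_ics(body)
        for url in (u.rstrip(".,;)") for u in URL_RE.findall(body)):
            bare = url.split("://", 1)[1].lower()
            hits.append((p.get_content_type(), url, bare.startswith(WATCHED)))
    return hits

# Constructed sample invite (not a real message); the URL is folded across two lines.
SAMPLE = """\
From: Constructed Sender <sender@example.com>
Subject: Invitation: Q4 review
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

You have been invited to an event.
--b1
Content-Type: text/calendar; charset="utf-8"; method=REQUEST

BEGIN:VCALENDAR
BEGIN:VEVENT
DESCRIPTION:Open https://docs.google.com/fo
 rms/d/e/CONSTRUCTED/viewform\\nbefore the call
END:VEVENT
END:VCALENDAR
--b1--
"""
```

Calling `triage_invite(SAMPLE)` returns one hit for the `text/calendar` part; without the unfolding step the URL would be cut at `https://docs.google.com/fo` and would not match a watched prefix.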

Heath Renfrow, co-founder and CISO at Fenix24, said organizations that rely heavily on Google services, such as Gmail, Calendar, and Sheets, face significant challenges in mitigating the risks of phishing attacks originating from these platforms. However, Renfrow said businesses not dependent on Google services have an opportunity to adopt proactive measures.

“By blacklisting Gmail and other Google-related applications across their networks, organizations can effectively reduce the attack surface for phishing attempts,” Renfrow said. “This strategy involves limiting email access exclusively to the organization’s authorized solution—such as Microsoft Outlook—and ensuring all other email services are blocked on corporate devices, even when they operate outside the corporate network.”

Lawrence Pingree, vice president at Dispersive, pointed out that hackers are constantly probing various methods to execute their attacks, and this one serves as a great example of an attack that takes advantage of a gap in the security inspection of Google Calendar invites.

“Users are always the last mile of defense, so don't open what you don't expect,” said Pingree.

A Google spokesperson added: "The Check Point report has good guidance for senders, and as we shared with them: We recommend users enable the 'known senders' setting in Google Calendar. This setting helps defend against this type of phishing by alerting the user when they receive an invitation from someone not in their contact list and/or they have not interacted with from their email address in the past."
