A coordinated phishing operation is impersonating major brands through Calendly styled invites to steal access to Google Workspace and Meta business tools.
According to a report from BleepingComputer, researchers have uncovered a phishing campaign that uses fake Calendly invitations impersonating well-known companies, including Unilever, Disney, Mastercard, LVMH, Uber, and Lego. The emails claim to come from recruiters and direct recipients to a Calendly-themed page that leads to an adversary in the middle login capture page. The goal is to harvest Google Workspace and Facebook Business credentials, including access tokens for ad manager accounts. The researchers identified more than thirty distinct URLs tied to this activity and confirmed that the operators target Google MCC environments and Meta Business accounts.
The lure begins with a message that appears to be a genuine scheduling request. After clicking the link, the victim is taken through a CAPTCHA and then redirected to a page that imitates familiar corporate login experiences. Several variants use Browser in the Browser techniques to display pop-up windows that resemble authentic Google or Meta sign-in prompts. The phishing pages restrict developer tools, block VPN traffic, and utilize dynamic content to make detection more challenging. Researchers also observed a related malvertising effort in which people searching for Google Ads encountered fraudulent sponsored results that redirected to a similar adversary in the middle pages.
Researchers noted that the level of brand impersonation and the number of tailored phishing domains suggest a coordinated effort. The organization also noted that ad manager environments are sought after because they allow precise targeting for follow-on attacks. Impacted organizations told researchers that the phishing emails looked credible and used accurate employee details. The report warned that many of the lures were produced in bulk and included customised recruiter profiles for each brand theme.
Attackers are relying on tools that blend into everyday corporate workflows, a trend also noted in Microsoft’s 2024 Digital Defense Report. Calendar invites rarely trigger suspicion, especially when they appear to come from familiar brands or recruiters. That built-in trust gives adversary-in-the-middle toolkits an easy entry point to steal Google Workspace or Meta authentication tokens before MFA can secure the session. The use of CAPTCHA gates, browser-in-the-browser prompts, and recruiter-style profile themes shows how quickly these operations can scale when attackers assemble them from modular phishing kits.
Organizations need inbound protection that can flag suspicious sender behaviour, impersonation patterns, and credential-themed email content before staff interact with it. Paubox Inbound Email Security adds that layer by using generative AI and behavioural analysis to detect spoofed brand emails, unusual scheduling-related lures, and messages built to harvest logins, even when they pass traditional filters. It reduces the chance that these phishing attempts ever make it to users who manage sensitive advertising or cloud assets.
Control of these accounts allows attackers to run paid campaigns that distribute phishing links or malware to targeted audiences.
Scheduling platforms are familiar and trusted, so recipients often click without inspecting sender details.
Confirm sender email addresses, check the underlying URL before selecting a time slot, and avoid entering credentials on pages that appear within a pop-up window.