Calendly-Themed Phishing Attacks Used by Hackers to Steal Google Workspace Accounts

A recent large-scale phishing campaign has been uncovered, targeting Google Workspace and Facebook Business account users through convincing Calendly-themed pages.

The operation, analyzed by Push Security, demonstrates an advanced blend of social engineering and detection evasion tactics aimed primarily at taking over business ad management accounts.

Targeting Google and Facebook Accounts

The campaign is organized into several variants, the first of which targeted Google Workspace accounts with fake job recruitment messages.

In one case, a victim received what appeared to be an authentic job offer from “Inside LVMH,” the talent arm of French luxury group LVMH.

The email, written in fluent language and impersonating a real recruiter, included a follow-up Calendly link to schedule a call.

The link redirected the victim to a phishing page that appeared to be a legitimate Calendly login, prompting them to sign in with their Google account.

The site used an Attacker-in-the-Middle (AiTM) toolkit to intercept credentials and session cookies, enabling complete account hijacking.

Attackers employed additional evasion layers, including CAPTCHA checks and domain-based access restrictions, ensuring only specific victim domains could view the malicious content. This technique thwarted attempts by analysts and automated scanners to review the payload safely.

Further investigation revealed multiple phishing pages impersonating brands such as Lego, Mastercard, Uber, and LVMH.

Another variant focused on Facebook Business accounts, reusing over 30 phishing URLs from an older campaign that had been active for more than 2 years.

A third variant combined elements of both, featuring a Browser-in-the-Browser (BitB) pop-up a method used to spoof legitimate login windows and mask malicious URLs.

Why Business Ad Accounts Are the Target

Researchers noted that this campaign is part of a growing trend of credential theft targeting accounts that manage paid digital ads.

These platforms often grant high privileges across multiple brands and budgets, making them prime targets for cybercriminals.

Access to such accounts can be exploited to make fraudulent ad purchases, deliver additional malware, or run large-scale malvertising operations.

Google recently warned advertising agencies managing multiple client accounts about this threat, urging stronger account monitoring, particularly for new user additions to Manager Accounts.

Attackers have also been observed using Google Search ads known as malvertising to distribute phishing and malware campaigns more effectively.

By compromising Google Workspace accounts, attackers potentially gain control of sensitive business data, email, files, and authentication tokens.

Even organizations using multiple identity providers are vulnerable if single sign-on configurations are loosely secured, a risk highlighted in Push Security’s prior research on cross-IdP impersonation attacks.

The Calendly-themed phishing campaign shows cybercriminals are becoming more sophisticated, combining realistic lures, AI-generated personalization, and advanced anti-analysis defenses.

Its rapid domain turnover also limits the usefulness of traditional IoC-based detection, underscoring the need for behavior-based and identity-focused security measures.

Find this Story Interesting! Follow us on Google News , LinkedIn and X to Get More Instant Updates

The post Calendly-Themed Phishing Attacks Used by Hackers to Steal Google Workspace Accounts appeared first on Cyber Security News.