https://pushsecurity.com/blog/uncovering-a-calendly-themed-phishing-campaign
There’s a new phishing campaign that leverages fake Calendly invitations to hijack ad manager accounts. The attack targets users of popular platforms like Facebook, Google, and Microsoft Ads, with the goal of gaining unauthorized access to their advertising accounts.
The campaign works by sending victims a seemingly legitimate Calendly invitation, which appears to come from a trusted brand or organization. When the user clicks on the link, they are directed to a spoofed website that prompts them to enter their ad platform credentials, effectively handing over the keys to their advertising accounts. Once the attackers gain access, they can then use the compromised accounts to run fraudulent ads and generate illicit revenue.
Users are urged to exercise caution when receiving unsolicited calendar invitations, and to always verify the authenticity of the sender before clicking on any links or entering sensitive information. Additionally, it is recommended to implement strong access controls and monitor their accounts for any suspicious activity.