

Multiple Adobe Products Vulnerabilities
December 19, 2024
Multiple IBM Products Vulnerabilities
December 19, 2024
Severity
High
Analysis Summary
Abusing Google Calendar invites and Google Drawings pages to steal passwords while evading spam filters is a persistent phishing technique. Researchers tracking the campaign said that in just four weeks the threat actors sent over 4,000 emails that targeted 300 brands.
The attacks targeted a wide range of businesses, including banks, construction firms, healthcare providers, and educational organizations, according to the researchers. Threat actors begin the attack by sending meeting invites via Google Calendar that appear harmless, especially if the victims know some of the other attendees. Embedded in these invitations is a link that directs the visitor to Google Forms or Google Drawings, usually posing as a help button or reCaptcha.

The researchers said that because the invites are sent through Google Calendar itself, they get past spam filters: the messages appear to come from a genuine Google service. The headers looked entirely authentic and could not be distinguished from invitations sent by a regular Google Calendar user. By sharing a snapshot of the email headers, the researchers demonstrated that the phishing invitations reached targets' inboxes because they passed the DKIM, SPF, and DMARC email security checks.
The threat actors can also cancel the Google Calendar event and attach a note that will be emailed to participants in order to double the number of phishing emails sent to the victim. To further direct targets to phishing pages, this message may additionally contain a link, such as one to Google Drawings.
Phishing attacks on Google Calendar are not new; in the past, Google has implemented safeguards that make it easier for users to reject these kinds of invites. However, if a Google Workspace administrator does not activate these safeguards, users will still receive invites automatically on their calendars. Researchers advise users to be cautious about all meeting invitations they receive and to disregard any invitation that asks them to click on a link unless they know or trust the sender.
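Because these invites pass SPF, DKIM and DMARC, triage has to look at the invite content rather than at sender authentication. The Python below is an added example, not code from the researchers or from Google: it parses a message's text/calendar part, undoes iCalendar line folding, and flags invitations or cancellations that link to Google Drawings or Google Forms. The sample message, the `triage_invite` name, and the `docs.google.com/drawings` and `docs.google.com/forms` URL prefixes used to recognise those pages are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.policy import default

# Assumption: Drawings/Forms pages are recognised by these URL prefixes.
LURE_URL = re.compile(r"https://docs\.google\.com/(?:drawings|forms)/[^\s\"'<>\\]+", re.I)

# Constructed sample: a calendar invite that passes all three checks.
SAMPLE = """\
From: Calendar Sender <sender@example.com>
To: target@example.org
Subject: Invitation: Quarterly sync
Authentication-Results: mx.example.org; spf=pass; dkim=pass; dmarc=pass
MIME-Version: 1.0
Content-Type: text/calendar; charset="utf-8"; method=REQUEST

BEGIN:VCALENDAR
METHOD:REQUEST
BEGIN:VEVENT
SUMMARY:Quarterly sync
DESCRIPTION:Please confirm here: https://docs.google.com/draw
 ings/d/EXAMPLE-ID/preview\\nThanks
END:VEVENT
END:VCALENDAR
"""

def unfold_ics(text):
    """Undo RFC 5545 folding so a URL split across lines is seen whole."""
    return re.sub(r"\r?\n[ \t]", "", text)

def triage_invite(raw):
    """Return auth status, iCalendar METHOD, lure links and a review flag."""
    msg = message_from_string(raw, policy=default)
    auth = str(msg.get("Authentication-Results", "")).lower()
    auth_pass = all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc"))
    method, links = "", []
    for part in msg.walk():
        if part.get_content_type() != "text/calendar":
            continue
        ics = unfold_ics(part.get_content())
        found = re.search(r"^METHOD:(\w+)", ics, re.M)
        method = found.group(1).upper() if found else method
        links += LURE_URL.findall(ics)
    # Authentication passes for these invites, so the flag ignores it and
    # looks only at content: an invite or cancellation carrying a lure link.
    flag = method in ("REQUEST", "CANCEL") and bool(links)
    return {"auth_pass": auth_pass, "method": method, "links": links, "flag": flag}
```

Legitimate invitations can also link to a Google Form, so a flagged message is a candidate for review or user warning rather than an automatic block.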
Impact
- Security Bypass
- Identity Theft
- Credential Theft
Remediation
- Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
- Patch and upgrade platforms and software in a timely manner, and make this part of standard security policy.
- Employ network intrusion detection and prevention systems to monitor and block malicious network activities.
- Implement network segmentation to limit lateral movement for attackers within the network.
- Never trust or open links and attachments received from unknown sources/senders.
- Implement advanced email filtering to detect and block phishing emails.
- Employ updated and robust endpoint protection solutions to detect and block malware.
- Develop and test an incident response plan to ensure a swift and effective response to security incidents.
- Enhance logging and monitoring capabilities to detect anomalous activities and unauthorized access.
- Conduct regular security audits and penetration testing to identify and address potential vulnerabilities.
- Regularly back up critical data and ensure that backup and recovery procedures are in place.