Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Calendly Actively Abused in Microsoft Credentials Phishing

Calendly Actively Abused in Microsoft Credentials Phishing

Phishing actors are actively abusing Calendly to kick off a clever sequence to trick targets into entering their email account credentials on the phishing page.

Calendly is a very popular free calendar app with Zoom integration, used for scheduling meetings and appointments, and is commonly used by organizations to send out invitations for upcoming events.

As such, using it to send out malicious links blends very well with the daily work background of most victims, so it’s unlikely for these attempts to raise suspicions.

Also, emails generated and sent by legitimate platforms are commonly considered trustworthy by email security tools, so they tend to reach targetted inboxes rather than the spam folder.

Finally, Calendly allows new users to register on the platform without entering credit card information or any other identification proof, making it an easy platform to abuse.

Also Read: AI Auditing Framework: Draft Guidance for Organizations

The first signs of Calendly abuse started towards the end of February, as reported by analysts at INKY, who have shared their report with Bleeping Computer before publication.

Abusing Calendly for phishing attacks

The phishing attack begins with phishing emails generated on the Calendly platform that inform the recipient they received new Fax documents.

To create these emails, the threat actors abused a Calendly feature that allows users to create customized invite emails and an “Add Custom Link” function to insert a malicious link on the event page.

That link is embedded on a “View Documents” button and injected into the calendar screen, so if clicked, it takes the recipient to the actual phishing landing page used to steal login credentials.

Malicious link embedded on the Calendly invite
Malicious link embedded on the Calendly invite (INKY)

INKY discovered that no matter the lures in this phishing campaign, the landing page always impersonated a Microsoft login form with the document supposedly blurred in the background.

Any credentials entered in the dialog will go straight to the threat actors, while the victim will be prompted to enter them again due to supposedly entering a wrong password.

Also Read: How to Make Data Protection Addendum Template in Simple Way

Fake error prompting the victim to re-enter their credentials

Fake error prompting the victim to re-enter their credentials (INKY)

This is a widespread trick in phishing campaigns today, as forcing the user to enter their credentials twice minimizes the chances of stealing passwords with typo errors and sometimes even helps in snatching two account credentials.

After the second attempt, the victim is automatically redirected to the domain of the email account they entered to minimize the chances of the victim realizing the compromise.

HTML code for the dynamic redirection
HTML code for the dynamic redirection (INKY)

What to watch out for

Although this is the first time phishing actors have abused the Calendly platform, all other tricks employed in this campaign are pretty standard.

These include generating malicious messages sent from a legitimate online service, asking the user to log in to view a blurred document in the background, forcing the victims to enter their credentials twice, and redirecting them to a trustworthy website at the end.

Two obvious signs of fraud in this campaign are the requirement to use Microsoft SharePoint credentials to view Calendly-hosted content and the URL on the phishing page, which is neither on the Microsoft nor on the Calendly domains.

Finally, using a password manager is an easy way around all these tricks, particularly beneficial to careless users, as if the URL on the login page doesn’t match the one stored in the vault, the credentials won’t be filled out.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us