Attackers are abusing fake Calendly invites in a new phishing wave aimed at agencies, advertisers, and in-house marketing teams. The campaign impersonates major global brands and uses Attacker-in-the-Middle (AiTM) techniques to capture credentials and session tokens. These tactics enable rapid takeovers of Google Workspace and Facebook Business accounts connected to high-value advertising platforms. Researchers note that the operation continues to expand and refine its methods, making it a serious threat for any organisation that manages digital advertising budgets.
How the Campaign Operates
Attackers send emails that imitate verified employees from well-known brands. These messages promote job opportunities, meetings, or collaboration requests. Each email contains a link that leads to a Calendly-themed phishing page. The page mimics Calendly’s layout and encourages users to authenticate with Google or Facebook.
The phishing site uses an AiTM toolkit that proxies legitimate login pages. This setup captures passwords and session cookies. The stolen session cookies allow attackers to bypass simple MFA protections. This technique provides direct access to business tools within minutes.
The phishing pages also use domain allow-listing. The login form only works when the victim enters an email from a targeted organisation. This approach filters unwanted traffic and reduces detection. Researchers identified more than 31 unique URLs linked to this long-running effort.
Which Brands Are Being Spoofed
Victims report impersonation attempts from large international companies. These include LVMH, Unilever, Disney, MasterCard, Uber, and Lego. Attackers rebuild the phishing pages with new themes and brand elements when shifting between targets. This creates a tailored appearance that increases credibility and raises success rates.
Why Ad Manager Accounts Are the Main Goal
Compromised ad manager accounts create immediate financial leverage. Attackers can run malicious campaigns, alter payment details, and add unauthorised users. They also use trusted business accounts to distribute malware or promote fraudulent websites through paid ads.
Agencies face even greater risk because a single account can control many client budgets. Hijacked MCC (Google Ads manager account) access enables attackers to pivot into multiple environments within minutes.
Technical Traits That Boost Stealth
The campaign relies on visually convincing pages. Calendly-style designs hide the malicious infrastructure behind a clean interface. AiTM functionality steals both credentials and valid tokens. The domain allow-list hides the activity from large numbers of casual visitors. Attackers also reuse infrastructure across different brand lures, which reduces setup time and maintains momentum.
How Organisations Can Reduce Risk
Teams should activate hardware-based MFA for Google Workspace and Facebook Business accounts. This approach stops AiTM-based token theft, because a FIDO2/WebAuthn security key binds its response to the genuine site's origin, so a proxied login page cannot complete the sign-in. Ad manager administrators should monitor for new users, altered payment methods, and unexpected permissions. Email security tools should flag meeting invites from unknown senders. Staff should open Calendly pages by manually entering the address instead of clicking links.
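The email-side check described above, as an added example (not code from the researchers or from Calendly): it flags invites from senders outside a known-contacts set and Calendly-themed links whose host is not calendly.com or a subdomain of it. The `KNOWN_SENDER_DOMAINS` set, the `.example` hostnames and the sample message are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

GENUINE = "calendly.com"                     # the real scheduling service
KNOWN_SENDER_DOMAINS = {"partner.example"}   # assumption: domains already dealt with

class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_genuine_host(host):
    # Exact host or a true subdomain; "calendly.com.evil.example" must not pass.
    host = (host or "").lower().rstrip(".")
    return host == GENUINE or host.endswith("." + GENUINE)

def review_invite(raw_message):
    """Return reasons to hold the message for review; an empty list means none."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    findings = []
    for href, text in collector.links:
        host = urlsplit(href).hostname
        if "calendly" in f"{href} {text}".lower() and not is_genuine_host(host):
            findings.append(f"Calendly-themed link points to {host}")
    if sender_domain not in KNOWN_SENDER_DOMAINS:
        findings.append(f"sender domain {sender_domain} is not a known contact")
    return findings

def sample_invite(sender, url):
    # Constructed message for the example, not a captured campaign email.
    return (f"From: {sender}\nSubject: Intro call\nContent-Type: text/html\n\n"
            f'<p><a href="{url}">Book a time on Calendly</a></p>\n')
```

The suffix test in `is_genuine_host` is the part that matters: a plain substring match on "calendly.com" would accept a lookalike host that merely starts with that string.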
Final Thoughts
The campaign built around fake Calendly invites presents a growing threat for organisations that handle digital advertising. Attackers use AiTM toolkits, detailed brand impersonation, and selective targeting to compromise high-value accounts. Strong MFA, strict access controls, and improved verification practices remain essential for reducing exposure.