Abnormal Intelligence

Credential Phishing

Attackers Exploit Google Calendar Invites to Deliver Phishing Links via Google Drawings

A scam uses Google Calendar invite notifications and embedded Google Drawings to redirect targets to a fraudulent Bitcoin-themed phishing site.

January 24, 2025

Attack Overview

Step 1: Email

The attack starts with a Google Calendar invite notification sent to the target. The event details include a link to a Google Drawing that contains a CAPTCHA image.

  • Invite appears to be shared from a Gmail account.
  • The message claims the recipient has access to a new calendar event.
  • Embedded link points to a Google Drawing.

Step 2: Fake CAPTCHA with Redirect

Inside the Google Drawing is a clickable image resembling a Google CAPTCHA. When clicked, it redirects the user to a malicious website related to cryptocurrency scams.

  • The image is made to look like a CAPTCHA verification prompt.
  • Clicking it sends users to an external Bitcoin scam site.
  • The phishing flow mimics a secure interaction.

Step 3: Scam Site Hosted on Trusted Platform

The redirect leads to a fraudulent form page hosted on Adobe Creative Cloud, designed to collect personal or financial information from the target.

  • Hosting on Adobe Cloud lends credibility.
  • Site mimics payout forms and withdrawal instructions.
  • Targets are lured into providing sensitive data under financial pretenses.

Step 4: Final Destination (Spoofed Microsoft Login)

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for several reasons, including:

  • Sent from a domain that passes SPF and DMARC checks.
  • Calendar invite content is often not deeply analyzed by email security tools.
  • Final phishing destination is hosted on a legitimate cloud platform.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including:

  • Anomalous sender behavior and unusual email content.
  • Presence of embedded links within calendar event details.
  • Detection of urgent or financial themes tied to social engineering tactics.

By establishing a baseline of normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.
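
The second indicator listed above, links embedded in calendar event details, can be checked by parsing the invite itself. The following is an added example, not Abnormal's detection logic: it assumes the notification carries a `text/calendar` part and that Google Drawings links use the `docs.google.com/drawings/` path; the function name and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample invite notification; every address and URL is a placeholder.
SAMPLE_EML = """\
From: sender@example.com
Subject: Invitation: Payout confirmation
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

You have been invited to an event.
--b1
Content-Type: text/calendar; charset="utf-8"; method=REQUEST

BEGIN:VCALENDAR
BEGIN:VEVENT
DESCRIPTION:Verify to continue: https://docs.google.com/drawings/d/EXAMPLE
 _ID/preview
LOCATION:https://meet.example.com/abc
END:VEVENT
END:VCALENDAR
--b1--
"""

# Stop at whitespace, quotes, angle brackets and the backslash of ICS escapes
URL_RE = re.compile(r"https?://[^\s\"<>\\]+")
LINK_PROPS = {"DESCRIPTION", "LOCATION", "URL", "X-ALT-DESC"}

def calendar_links(raw_eml):
    """Return (property, url, is_drawing) for each URL in text/calendar parts."""
    findings = []
    for part in message_from_string(raw_eml).walk():
        if part.get_content_type() != "text/calendar":
            continue
        ics = part.get_payload(decode=True).decode("utf-8", "replace")
        # RFC 5545 unfolding: a line break followed by a space or tab continues the line
        ics = re.sub(r"\r?\n[ \t]", "", ics)
        for line in ics.splitlines():
            prop = re.split(r"[;:]", line, maxsplit=1)[0].upper()
            if prop not in LINK_PROPS:
                continue
            for url in URL_RE.findall(line):
                u = urlparse(url)
                drawing = u.hostname == "docs.google.com" and u.path.startswith("/drawings/")
                findings.append((prop, url, drawing))
    return findings
```

Unfolding before matching matters here: the sample's Drawing link is split across two physical lines, and a scanner that matches line by line would record a truncated URL.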

Classification

Credential Phishing, Link-based, Brand, Credential Theft
