
TV 2 Play Payment Scam Uses Calendly Open Redirect and SendGrid Click-Tracking Chain

A phishing attack impersonates TV2Play streaming service payment failures while using Calendly open redirect functionality and SendGrid click-tracking to mask the final malicious destination.

June 30, 2025

Attack Overview

Step 1: TV2Play Payment Failure Notification

The attacker sends phishing emails impersonating the TV2Play streaming service, using failed-payment messaging to create urgency.

[Image 1]
  • Email passes sender authentication checks (SPF, DKIM, DMARC all pass) to appear legitimate.
  • Subject line "[EXT] Betalingen mislyktes – sikre tilgang til TV 2 i dag" ("Payment failed, secure access to TV 2 today"), marked as external by the recipient's mail gateway, announces a payment failure requiring immediate action.
  • Message content in Norwegian informs recipient about payment details needing review for continued service access.

Step 2: Calendly Open Redirect Disguises the Phishing Link

The phishing link leverages Calendly's open redirect functionality to make the URL appear benign while redirecting to malicious destinations.

[Image 2]
  • Link initially points to calendly[.]com domain using open redirect parameter (url?q=) to appear trustworthy.
  • Open redirect functionality allows the URL to appear benign while redirecting users to another domain.
  • Calendly's legitimate domain reputation helps bypass security filters that rely on domain-based detection.

Step 3: SendGrid Click-Tracking Conceals Final Destination

The attack uses SendGrid's click-tracking infrastructure to further obfuscate the final phishing destination.

[Image 3]
  • Full redirect chain: https://calendly[.]com/url?q=https://u2081612.ct.sendgrid.net/ls/click?upn=u001.lHJMg5DdyyGLZlhWcfvawi
  • SendGrid's widely trusted email delivery service provides the click-tracking domain used to mask the true destination.
  • Multi-layer redirection chain helps attacker obfuscate final phishing destination and evade detection systems.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for several reasons, including:

  • The email is sent from a domain that passes sender authentication checks, so it appears legitimate to security filters.
  • Open redirect functionality leverages Calendly's trusted domain to make phishing links appear benign while redirecting to malicious destinations.
  • SendGrid's click-tracking infrastructure masks the true destination behind the domain reputation of a widely trusted email delivery service.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including:

  • Behavioral AI flagging never-before-seen senders, unusual email content, and URLs as anomalies that enable detection of novel attacks.
  • Content analysis and natural language processing recognizing urgency and financial implications as indicators of financial-themed attacks.
  • Detection of redirect chain patterns and suspicious URL structures despite legitimate infrastructure usage.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
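As an added illustration (not code from Abnormal's product or from this post), the following Python check unwraps a redirect chain that is encoded inside a link, as in the Calendly `url?q=` hop and the SendGrid click-tracking host above, and reports the indicators a URL rule would act on. The open-redirect parameter mapping and the click-tracking suffix list are constructed starting points, not a complete catalogue.

```python
from urllib.parse import urlparse, parse_qs

# Hosts whose URLs carry the next destination in a query parameter, and the
# parameter names that hold it. calendly.com/url?q= is the hop on this page;
# the mapping is a constructed starting point, not a complete catalogue.
OPEN_REDIRECT_PARAMS = {"calendly.com": ("q",)}
# Click-tracking hosts that forward to a destination not visible in the URL.
CLICK_TRACKING_SUFFIXES = (".ct.sendgrid.net",)

def refang(url):
    """Turn a defanged indicator like calendly[.]com back into a parseable URL."""
    return url.replace("[.]", ".").replace("hxxp", "http")

def unwrap_chain(url, max_hops=5):
    """Peel off redirect hops that are encoded in the URL itself (no network
    access). Returns the list of URLs in the chain, outermost first."""
    hops = [refang(url)]
    for _ in range(max_hops):
        parsed = urlparse(hops[-1])
        host = (parsed.hostname or "").lower()
        candidates = parse_qs(parsed.query)   # keeps a '?' inside a value intact
        nxt = next((candidates[k][0] for k in OPEN_REDIRECT_PARAMS.get(host, ())
                    if k in candidates), None)
        # Only an absolute URL counts as a redirect hop; a relative path does not.
        if nxt is None or not nxt.lower().startswith(("http://", "https://")):
            break
        hops.append(nxt)
    return hops

def assess_link(url):
    """Return (hosts, findings): the hosts visited along the encoded chain and
    the indicators a detection rule would act on."""
    hops = unwrap_chain(url)
    hosts = [(urlparse(h).hostname or "").lower() for h in hops]
    findings = []
    for prev, cur in zip(hosts, hosts[1:]):
        if cur != prev:
            findings.append(f"open-redirect hop: {prev} -> {cur}")
    for h in hosts:
        if h.endswith(CLICK_TRACKING_SUFFIXES):
            findings.append(f"click-tracking host hides final destination: {h}")
    return hosts, findings

if __name__ == "__main__":
    # The chain reported on this page (defanged), then a benign Calendly booking link.
    for link in ("https://calendly[.]com/url?q=https://u2081612.ct.sendgrid.net/ls/click?upn=u001.lHJMg5DdyyGLZlhWcfvawi",
                 "https://calendly.com/example-user/30min"):
        hosts, findings = assess_link(link)
        print(" -> ".join(hosts), "|", findings or "no redirect indicators")
```

The check is purely static: it never fetches the link, so the SendGrid hop is reported as hiding the final destination rather than resolved.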

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Classification

Credential Phishing, Link-based, Brand, Credential Theft
