New Threats to Online Applications
With the uptick in remote working since Covid-19, more and more companies are relying on applications like Zoom and Calendly to get through their workday. These apps have become the latest platform to be utilized by scammers and fraudsters. How might they be accessing these platforms?
By targeting Microsoft users. Microsoft users are being tricked into handing over their accounts by threat actors abusing the online calendar app Calendly. Calendly, which is widely used thanks to its integration with Zoom, is a completely free app that businesses and consumers can use to organize events.
Phishing – which is the method used in this scam – has become an increasingly frequent problem for businesses in the US and beyond, particularly since the pandemic.
Microsoft Accounts Targeted
Calendly-generated emails are not an unusual or suspicious sight to see in any inbox, and these emails are no different in appearance, being sent legitimately from the Calendly platform. However, the ability to add any link to an invitation email, using the “Add Custom Link” function, is being abused by cyber criminals.
The malicious users are sending Calendly-generated emails, claiming that new fax documents are waiting for the recipient, but the link hidden inside a “Preview Documents” button, if clicked, will open up a fake Microsoft login page that harvests a victim’s account credentials.
The fake login box even asks victims to type in their password twice, claiming they entered it wrong initially, just to save the scammers time sifting through emails with typos.
Calendar apps like Calendly are often left open in stray tabs and can integrate with other apps or programs, making attacks through their platforms more subtle and convincing than traditional phishing attempts.
How Can I Protect My Business from Phishing?
It’s always a good idea to have antivirus software installed – phishing is one method that is commonly used to distribute malware, which could find its way onto your computer.
But the best defense against phishing is awareness – knowing the risks are there is half the battle. Then you can learn to look out for suspicious links or instructions, and learn the common tricks to distinguish between shady and non-shady emails, apps and phone calls.
In most cases, there are telltale signs that an email is a phishing attempt – misspelled words, outdated logos, direct (and usually unexpected) demands such as “click here to save your account”, or accusations like “you owe Microsoft $5,000 in subscription fees”, for instance. In the case of the Calendly attack, the biggest red flag is the demand for Microsoft credentials simply to view something in Calendly.
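A defender-side check for the abuse described above, written here as an added example and not code from this page or from ASIS: it parses a Calendly-originated email and flags every link that leaves Calendly’s own domain, marking hosts that imitate a Microsoft sign-in page. The trusted-domain lists, the lure keywords and the sample message are assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

# Assumption: genuine Calendly notifications only link back to calendly.com.
TRUSTED_CALENDLY = {"calendly.com"}
# Assumption: genuine Microsoft sign-in hosts; any other host asking for
# Microsoft credentials is treated as a lookalike.
TRUSTED_MICROSOFT = {"login.microsoftonline.com", "login.live.com", "microsoft.com"}
LURE_WORDS = ("microsoft", "office", "login", "signin", "fax", "document")

def _host_in(host: str, trusted: set) -> bool:
    return any(host == d or host.endswith("." + d) for d in trusted)

def flag_custom_links(raw_eml: str) -> list:
    """Return each link in a Calendly-sent email that points outside calendly.com,
    with a risk note when the host mimics a Microsoft sign-in page."""
    msg = message_from_string(raw_eml, policy=default)
    sender = (msg["From"] or "").lower()
    if "calendly.com" not in sender:
        return []  # this heuristic only applies to mail claiming to come from Calendly
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    findings = []
    for href, text in re.findall(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', html, flags=re.I | re.S):
        host = (urlparse(href).hostname or "").lower()
        if _host_in(host, TRUSTED_CALENDLY):
            continue  # native Calendly link (event page, reschedule, cancel) is expected
        lookalike = any(w in host for w in LURE_WORDS) and not _host_in(host, TRUSTED_MICROSOFT)
        findings.append({
            "text": re.sub(r"<[^>]+>", "", text).strip(),
            "host": host,
            "risk": "credential lure" if lookalike else "external custom link",
        })
    return findings

# Constructed sample: a Calendly-style invitation carrying an abusive "Add Custom Link" button.
SAMPLE_EML = """From: Calendly <notifications@calendly.com>
To: victim@example.com
Subject: New fax documents are waiting
Content-Type: text/html; charset=utf-8

<html><body><p>You have new fax documents.</p>
<a href="https://calendly.com/events/abc123">View event</a>
<a href="https://microsoft-login.example.net/auth"><b>Preview Documents</b></a>
</body></html>
"""

if __name__ == "__main__":
    for finding in flag_custom_links(SAMPLE_EML):
        print(finding)
```

Run against the sample, the native “View event” link is ignored and the “Preview Documents” button is reported as a credential lure because its host is neither Calendly nor a genuine Microsoft sign-in domain.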
Regular training for staff is important, and some companies go as far as to send out mock phishing emails on a regular basis, to see if staff really can spot these small yet telling signs.
Phishing has expanded rapidly as business communications have diversified, so whether you’re using Zoom, calendar apps, or other applications, keep your wits about you. Contact ASIS and we can make sure your business applications are safe and secure.