Abnormal Attack Stories: Calendar Invite Phishing

June 18, 2020

Abnormal Security

Abnormal Security

In this attack, attackers are impersonating a company’s security team and are sending out phishing attacks contained within calendar application invites.

Quick Summary

Platform: Office 365
Email Security: FireEye
Mailboxes: 15,000 to 20,000
Victims: Employees
Payload: Phishing
Technique: Impersonation

What was the attack?

  • Setup: Financial institutions are always common targets for attackers. Access to a user’s sensitive information would allow an attacker to commit identity theft as well as steal any money associated with the account. Many of these companies have stringent regulations and security in order to protect users and their financial holdings. However, attackers are continually finding ways to compromise users’ accounts.
  • Email Attack: This attack impersonates a Wells Fargo Security Team member, stating that the user has been sent a new security key to protect their account. The body of the message urges the user to open the attachment and follow the instructions, or risk having their account suspended.
  • Payload: Interestingly, the malicious attachment in the message is an .ics file, utilized by calendar applications to store scheduling information. Contained within the event description is a link to a Sharepoint page which directs the users to click on another link to secure their account. This link leads to a fake phishing page for Wells Fargo, where users are prompted to enter sensitive information such as their username, password, PIN, and account numbers. 
  • Result: Any credentials and information submitted through the form will be sent directly to the attacker, who can then use this information to take over the victims’ accounts and transfer funds out of their accounts.

Why is this attack effective?

  • Urgency: The email pretends that the user must update their security key as soon as possible, or risk their account being suspended. It urges the user to quickly open the attachment and follow the instructions. When the user does open the attachments and arrives at the fake login page, their credentials will be harvested by the attacker.
  • Hidden Payload: The malicious link was hidden inside of the description of an .ics (calendar invite) file, which are often thought of to be benign. Additionally, the message instructs users to open the attached file using their mobile device. Here, the attacker is attempting to exploit a setting where the event will automatically be added to a user’s calendar. Most of these programs will send an automatic notification to the user and attackers hope that potential victims will click on the event and follow the malicious link. As a result, these attacks are more likely to be seen by recipients.

Targeted Email Attack

(click to enlarge)

Payload

(click to enlarge)

Phishing Page

(click to enlarge)

Techniques to Detect

(click to enlarge)

Subscribe to receive twice-monthly updates of the latest attacks we've detected in the wild:

Related content

Like our article? Share our content