Calendly-themed phishing campaign spoofs top brands to hijack ad manager accounts

An ongoing phishing campaign discovered by Push Security impersonates major consumer brands in Calendly-style meeting invites to steal Google Workspace and Facebook business account credentials.

Attackers send fake meeting invites that impersonate legitimate recruiters and lead recipients to a counterfeit Calendly page. The landing page presents a CAPTCHA and then an adversary-in-the-middle (AiTM) phishing flow intended to capture Google Workspace login sessions. The emails are believed to have been generated with AI and to impersonate more than 75 brands, researchers found.

Access to marketing and ad manager accounts gives attackers a platform for malvertising campaigns, AiTM phishing, malware distribution and ClickFix attacks, and enables geo, domain and device targeting that supports watering-hole style operations. Compromised accounts can also be resold, and Google Workspace access may extend into enterprise environments through single sign-on and permissive identity provider configurations, the analysis says.

Push Security reported 31 unique URLs supporting the campaign and noted multiple variants. Some pages targeted Facebook Business credentials by impersonating brands such as Unilever, Disney and Lego, while a more recent variant used Browser-in-the-Browser pop-ups displaying legitimate URLs to harvest both Google and Facebook credentials. The phishing pages also include anti-analysis measures, including blocking VPN and proxy traffic and preventing the opening of developer tools.

Simultaneously, investigators “observed another malvertising campaign” that placed malicious sponsored results in searches for “Google Ads,” directing victims to a Google Ads-themed phishing landing page that then redirected to an AiTM page mimicking Google’s login screen; Push Security found instances hosted on Odoo and sometimes routed via Kartra, the report states.

Because AiTM techniques can bypass two-factor protections, the report recommends that owners of high-value accounts use hardware security keys, verify URLs before entering credentials and drag login pop-ups to the edge of the browser window to check legitimacy. The researchers confirmed the campaign targeted Google MCC ad manager accounts after speaking with an impacted organisation; the report does not disclose a total victim count.
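The hardware-key recommendation rests on WebAuthn's origin binding: the browser writes the page's origin into the signed client data, so an assertion produced on a look-alike domain is rejected by the real site. The sketch below is an added example, not code from Push Security's report; the origin, RP ID, look-alike hostname and sample assertions are constructed assumptions, and signature verification is left out.

```python
import base64, hashlib, json

EXPECTED_ORIGIN = "https://accounts.example.com"  # assumption: the real login origin
RP_ID = "example.com"                             # assumption: the relying party ID

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_binding(client_data_json: bytes, auth_data: bytes, challenge: bytes):
    """Origin/RP binding checks a relying party runs on a login assertion.

    Returns (ok, reason). Signature verification is out of scope here; the
    signature covers auth_data plus SHA-256(client_data_json), so a proxy
    cannot rewrite the origin field without invalidating it.
    """
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client.get("challenge") != b64url(challenge):
        return False, "challenge mismatch"
    if client.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(client.get("origin"))
    if len(auth_data) < 37:
        return False, "authenticator data too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"

def constructed_assertion(origin: str, rp_id: str, challenge: bytes):
    """Constructed sample of what a browser and key emit for a page at `origin`."""
    client = json.dumps({"type": "webauthn.get",
                         "challenge": b64url(challenge),
                         "origin": origin}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    return client, auth

if __name__ == "__main__":
    chal = b"constructed-challenge-0001"
    # Victim's browser is on the real site.
    print(check_binding(*constructed_assertion(EXPECTED_ORIGIN, RP_ID, chal), chal))
    # Victim's browser is on a look-alike page that relays the same challenge.
    print(check_binding(*constructed_assertion(
        "https://accounts.lookalike.example", "lookalike.example", chal), chal))
```

A one-time code or push approval carries no such origin field, which is why an AiTM proxy can relay it unchanged.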