A recently analyzed phishing campaign has been observed using highly customized Calendly-themed lures and Attacker-in-the-Middle (AiTM) toolkits to compromise accounts used to manage business advertising platforms.
According to new research from Push Security, the campaign targeted Google Workspace and Facebook Business accounts, relying on multi-stage social engineering and advanced detection-evasion techniques.
Push Security said they were alerted after a customer received a spear-phishing email impersonating a legitimate recruiter from LVMH. The message referenced personal details and delivered a follow-up link only after the victim replied, an approach designed to bypass email scanning tools that flag messages containing suspicious links. The link routed victims to a fraudulent Calendly page, then to an AiTM site that captured Google Workspace credentials.
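The reply-gated delivery described above defeats scanners that judge each message on its own: the opener carries no link, and the link only arrives once the target has answered. A thread-aware check is one defensive response. The script below is an added example, not code from Push Security or from the article; it groups RFC 5322 messages by their Message-ID / In-Reply-To chain, treats the first external message as the opener, and flags any link that an external sender introduces only after someone at the protected organisation has replied, noting when the link's host borrows a brand name (Calendly here) without being the brand's real domain. The sample thread, the `.test` domains, the `INTERNAL_DOMAINS` set and the `BRANDS` table are all constructed assumptions.

```python
"""Thread-aware link check for reply-gated phishing lures (added example)."""
import re
from email import message_from_string
from email.message import Message
from typing import Optional
from urllib.parse import urlparse

# Constructed sample thread (RFC 5322 text); not real campaign data.
SAMPLE_THREAD = [
"""From: recruiter@example-recruiting.test
To: victim@corp.test
Message-ID: <1@example-recruiting.test>
Subject: Opportunity at a luxury group

Hi, I came across your profile and would love to set up a call.
""",
"""From: victim@corp.test
To: recruiter@example-recruiting.test
Message-ID: <2@corp.test>
In-Reply-To: <1@example-recruiting.test>
Subject: Re: Opportunity at a luxury group

Sure, happy to talk. When works for you?
""",
"""From: recruiter@example-recruiting.test
To: victim@corp.test
Message-ID: <3@example-recruiting.test>
In-Reply-To: <2@corp.test>
Subject: Re: Opportunity at a luxury group

Great, please pick a slot here: https://calendly-schedule.test/lvmh/call
""",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Assumed: brand names a lookalike host might borrow, with the brand's genuine domains.
BRANDS = {"calendly": {"calendly.com"}}
# Assumed: the protected organisation's own mail domains.
INTERNAL_DOMAINS = {"corp.test"}


def sender_domain(msg: Message) -> str:
    """Domain part of the From header, lower-cased."""
    return msg["From"].split("@")[-1].strip("<> ").lower()


def is_lookalike(host: str) -> Optional[str]:
    """Return the brand a host imitates, or None if it is the real brand or unrelated."""
    host = host.lower()
    for brand, legit in BRANDS.items():
        if host in legit or any(host.endswith("." + d) for d in legit):
            return None
        if brand in host:
            return brand
    return None


def order_by_reply_chain(msgs):
    """Order messages root-first by following In-Reply-To (assumes a linear thread)."""
    by_id = {m["Message-ID"]: m for m in msgs}
    children, root = {}, None
    for m in msgs:
        parent = m.get("In-Reply-To")
        if parent in by_id:
            children[parent] = m
        else:
            root = m
    ordered, cur = [], root
    while cur is not None:
        ordered.append(cur)
        cur = children.get(cur["Message-ID"])
    return ordered


def analyze_thread(raw_messages):
    """Flag links an external sender introduces only after an internal reply."""
    msgs = order_by_reply_chain([message_from_string(m) for m in raw_messages])
    findings, opener_seen, target_replied = [], False, False
    for m in msgs:
        links = URL_RE.findall(m.get_payload())
        if sender_domain(m) in INTERNAL_DOMAINS:
            target_replied = target_replied or opener_seen
            continue
        if not opener_seen:
            opener_seen = True
            if links:
                return []  # a link in the opener is what per-message scanners already see
            continue
        if target_replied:
            for url in links:
                host = urlparse(url).hostname or ""
                findings.append({
                    "message_id": m["Message-ID"],
                    "url": url,
                    "lookalike_of": is_lookalike(host),
                    "reason": "link first introduced after the target replied",
                })
    return findings


if __name__ == "__main__":
    for f in analyze_thread(SAMPLE_THREAD):
        print(f)
```

On the constructed thread the opener is clean, the reply from `corp.test` flips the state, and the third message's `calendly-schedule.test` link is reported as a Calendly lookalike introduced after the reply. In production the same state machine would run over the mail store's real threading and the brand table would cover whatever services the organisation actually uses for scheduling and sign-in.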
The researchers observed that the phishing infrastructure blocked attempts to analyze it. The pages rendered full functionality only when accessed using an approved email domain, preventing security teams from replicating the flow. Some pages also blocked access from VPNs and browser developer tools.
Max Gannon, Cyber Intelligence Team Manager at Cofense, told Expert Insights these techniques reflected a broader trend: “With the use of AI, it is becoming increasingly easy for threat actors to generate advanced and convincing email campaigns and phishing pages […] We can expect to see more campaigns like this that have the appearance of a highly customized campaign.”
Additional Variants and Security Recommendations
Push Security identified additional phishing variants impersonating brands including Lego, Mastercard, Uber, and Unilever.
One newer variant combined Google and Facebook targeting and used a browser-in-the-browser pop-up to spoof legitimate login URLs, an approach similar to recent “Sneaky2FA” attacks.
The investigation found at least 31 related URLs dating back more than two years, suggesting a long-running operation focused on ad-management account takeover.
According to the researchers, access to these accounts enables threat actors to run malicious ads, deliver malware, or harvest credentials through malvertising campaigns. Google recently advised advertising agencies to enable alerts for new accounts added to Manager Accounts.
The researchers noted that compromising a Google Workspace account could give attackers broad access to downstream applications through single sign-on (SSO). They warned that Indicators of Compromise (IoCs) were of limited defensive value because domains were rapidly created and taken offline throughout the campaign.