Cybercriminals are exploiting Google Calendar and other Google services like Gmail, Forms, and Drawings in a large-scale phishing campaign, researchers from Check Point have reported. The campaign manipulates the trusted Google tools to bypass email security measures, allowing attackers to steal credentials and commit financial fraud.

Over a four-week period, more than 4,000 phishing emails linked to this campaign were observed, impersonating 300 brands and targeting users across various sectors, including education, healthcare, and banking.

“The attackers utilized Google Calendar services, making the headers appear completely legitimate and indistinguishable from invitations sent by any typical Google Calendar user,” Check Point researchers explained to BleepingComputer. Messages often include malicious calendar invites or event notices with embedded links.

Initially, these links directed victims to Google Forms, but as security solutions adapted, attackers began using Google Drawings. Victims who click on these links are redirected to phishing pages where they are asked to click on another link, often disguised as a reCAPTCHA or support button. They are then sent to crypto landing or support pages where they are prompted to enter personal and financial information.

“The calendar spam on display in the recent campaigns is annoying but generic phishbait,” said Stu Sjouwerman, CEO of KnowBe4, in a statement to Forbes. He warned that attackers only need a Gmail address to send malicious invites, which are automatically added to the recipient’s calendar by default. Sjouwerman advised users to adjust their Google Calendar settings to prevent automatic addition of invitations and events from Gmail.

Google has responded by recommending users enable the “known senders” setting in Google Calendar, which flags invitations from unknown contacts. “This setting helps defend against this type of phishing by alerting the user when they receive an invitation from someone not in their contact list and/or they have not interacted with their email address in the past,” a Google spokesperson stated.

Experts recommend advanced email security solutions, multi-factor authentication, and employee training to counter phishing threats. Individuals should also scrutinize suspicious invites and adopt robust security practices to stay safe.