The warning was given out by cybersecurity researchers from INKY which detailed the phishing campaign first detected toward the end of February 2022.
It all starts with a hijacked email account, which uses a compromised identity to send out a message containing an invitation to “view newly received documents”, via a link.
On the surface, it is a Calendly calendar link. Calendly was most likely used, INKY believes, due to the fact that anyone can create a free account, without needing to enter their credit card details.
Here’s where the plot thickens. Calendly’s invite pages are customizable. That allowed crooks to create a fake fax document notification, with all of the usual fax attributes (number of pages, or file size, for example), after which they used the Add Custom Link feature to insert a malicious link on the event page.
Clicking on the “preview document” link takes the victim to the credential-harvesting page. In this particular example, the page is an impersonation of Microsoft. Hovering over the link shows where it really leads, though: https://dasigndesigns[.]com/ss/updation/index.html, a hijacked site, listed in Google, Firefox, and Netcraft threat feeds, INKY reminds.
Should the victim enter their login credentials here, they would end up with the attackers, while the victim would see an error message claiming an incorrect password was entered. After the second attempt, the victim would be redirected to their own domain, something the researchers described as a “clever touch” that minimizes suspicion.
INKY, in this example, was redirected back to inky.com