Current Cyber Threats

Fake Calendly Invites Spoof Top Brands to Hijack Ad Manager Accounts

Summary:
A long-running and increasingly sophisticated phishing operation is targeting Google Workspace and Facebook Business accounts, specifically those tied to business ad management. The campaign begins with highly tailored, multi-stage job-recruitment lures impersonating brands like LVMH, LEGO, Mastercard, and Uber, using Calendly-themed links to avoid email scanners. Victims are funneled into Attacker-in-the-Middle (AiTM) credential-harvesting pages with domain-validated access controls, anti-analysis logic, and later variants that adopt Browser-in-the-Browser (BITB) pop-ups to mask the real phishing URL. The operation includes at least three evolutionary variants spanning more than two years, with 31+ URLs tied to recycled Facebook-ad-manager phishing templates. The attackers’ sustained targeting suggests a broader strategy: hijacking ad accounts to quietly run malvertising campaigns, deliver AiTM phishing and malware at scale, and monetize stolen access. As malvertising becomes a major initial-access vector, bypassing email-based defenses and enabling geo/device-specific targeting, ad platforms and Google Workspace continue to represent high-value entry points for cybercriminals.


Security Officer Comments:
This campaign reflects a mature, iterative phishing operation that understands the weaknesses of enterprise authentication workflows, particularly where Google Workspace serves as the organizational identity backbone. The use of multi-stage engagement, brand-accurate social engineering, domain-restricted AiTM pages, and BITB spoofed login windows demonstrates a deep focus on evading automated scanners and human suspicion. Targeting ad-management accounts is strategic: these accounts enable attackers to weaponize legitimate business advertising channels, blending malvertising with credential harvesting to expand their reach and create secondary revenue streams. The operation also mirrors broader ecosystem trends, with criminal groups pivoting from traditional email phishing toward search-engine and social-media-based delivery channels to bypass MFA and secure email gateways. Its anti-analysis controls, IP blocking, and use of real employee identities make the campaign difficult for defenders to investigate, reinforcing that attackers are actively tuning their TTPs based on what detection tools see.


Suggested Corrections:
  • Harden Google Workspace & Facebook Business access: Enforce phishing-resistant MFA (passkeys, security keys), disable password-based logins for admins, and restrict who can manage MCC or Business Manager permissions.
  • Create strict alerting rules for ad-platform changes: Enable notifications for new MCC accounts, new ad-spend authorizations, token refreshes, and role delegations across Google and Facebook ad managers.
  • Block malvertising paths: Deploy browser-level protection that blocks known malvertising domains, and enforce safe-search or allowlisting for employee accounts using business devices.
  • Implement advanced link validation: Use tools that inspect AiTM behavior, BITB spoofing, and domain-restricted phishing logic—traditional URL scanners will miss these pages.
  • Train users on multi-stage and job-themed phishing: Emphasize that attackers increasingly delay links, impersonate real recruiters, and use Calendly-style scheduling links to bypass scrutiny.
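The alerting rules described in the second correction above, as an added example that is not code from this bulletin or from the vendors it links: a small Python rule engine run over a constructed audit-event feed. The event schema (`action`, `actor`, `ip`, `params`), the sample addresses (RFC 5737 documentation ranges), the `MCC-PLACEHOLDER-001` account id, the role names and the `SPEND_HIGH_THRESHOLD` value are all assumptions made for illustration, not any platform's real log format or API. Beyond the four event types the bullet names, it adds one session-misuse heuristic relevant to AiTM-stolen tokens: a token refresh from an address that differs from the actor's last interactive login.

```python
"""Detection rules for ad-platform and identity audit events.

Added example, not code from the bulletin or from the vendors it links. The event
schema is constructed for illustration (field names are assumptions, not any
vendor's real audit-log format). Rules cover: new MCC/Business Manager links,
new spend authorizations, token refreshes and privileged role delegations.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample events. IPs are from RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:00Z", "actor": "alice@example.com", "action": "login",
     "ip": "203.0.113.10", "params": {}},
    {"ts": "2024-01-10T09:05:00Z", "actor": "alice@example.com", "action": "oauth_token_grant",
     "ip": "203.0.113.10", "params": {"client_id": "calendar-helper", "scopes": ["calendar.readonly"]}},
    {"ts": "2024-01-10T10:00:00Z", "actor": "alice@example.com", "action": "token_refresh",
     "ip": "203.0.113.10", "params": {"client_id": "calendar-helper"}},
    # Same session refreshed from an address that never logged in: a typical sign
    # of a cookie or token captured through an AiTM proxy and replayed elsewhere.
    {"ts": "2024-01-10T10:30:00Z", "actor": "alice@example.com", "action": "token_refresh",
     "ip": "198.51.100.77", "params": {"client_id": "calendar-helper"}},
    {"ts": "2024-01-10T10:31:00Z", "actor": "alice@example.com", "action": "role_assign",
     "ip": "198.51.100.77", "params": {"target": "bob@example.com", "role": "mcc_manager"}},
    {"ts": "2024-01-10T10:32:00Z", "actor": "alice@example.com", "action": "ad_account_link",
     "ip": "198.51.100.77", "params": {"platform": "google_ads", "account_id": "MCC-PLACEHOLDER-001"}},
    {"ts": "2024-01-10T10:40:00Z", "actor": "bob@example.com", "action": "spend_authorization",
     "ip": "198.51.100.77", "params": {"amount": 25000, "currency": "USD"}},
    {"ts": "2024-01-10T11:00:00Z", "actor": "alice@example.com", "action": "role_assign",
     "ip": "203.0.113.10", "params": {"target": "carol@example.com", "role": "viewer"}},
]

# Assumed role names that should never be delegated without review.
PRIVILEGED_ROLES = {"admin", "super_admin", "mcc_manager", "business_admin"}
# Assumed per-authorization amount above which a spend alert is high severity.
SPEND_HIGH_THRESHOLD = 5000


@dataclass(frozen=True)
class Alert:
    severity: str
    rule: str
    actor: str
    detail: str


def evaluate(events):
    """Run every rule over the events in order and return the alerts raised."""
    alerts = []
    last_login_ip = {}  # actor -> IP of the most recent interactive login
    for ev in events:
        action, actor, ip = ev["action"], ev["actor"], ev.get("ip")
        p = ev.get("params", {})
        if action == "login":
            last_login_ip[actor] = ip
        elif action == "token_refresh":
            # Rule: refresh from an IP that differs from the actor's last login.
            known = last_login_ip.get(actor)
            if known is not None and ip != known:
                alerts.append(Alert("high", "token_refresh_ip_mismatch", actor,
                                    f"refresh from {ip}, last login from {known}"))
        elif action == "role_assign" and p.get("role") in PRIVILEGED_ROLES:
            # Rule: any delegation of a privileged ad-manager or admin role.
            alerts.append(Alert("high", "privileged_role_delegation", actor,
                                f"{p.get('target')} granted {p.get('role')}"))
        elif action == "ad_account_link":
            # Rule: every newly linked MCC / Business Manager account.
            alerts.append(Alert("medium", "new_ad_account_link", actor,
                                f"{p.get('platform')} account {p.get('account_id')} linked"))
        elif action == "spend_authorization":
            # Rule: every new spend authorization; large amounts escalate.
            amount = p.get("amount", 0)
            sev = "high" if amount >= SPEND_HIGH_THRESHOLD else "medium"
            alerts.append(Alert(sev, "new_spend_authorization", actor,
                                f"{amount} {p.get('currency')} authorized"))
    return alerts


def summarize(alerts):
    """Count alerts per rule so a reviewer sees what fired at a glance."""
    return dict(Counter(a.rule for a in alerts))


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.severity}] {a.rule}: {a.actor} ({a.detail})")
    print(summarize(found))
```

On the constructed feed the benign events (the initial login, a low-privilege OAuth grant, a refresh from the login address, a viewer-role assignment) pass silently and four alerts fire. The IP-mismatch heuristic is deliberately coarse: NAT, mobile networks and VPN egress changes will produce false positives, so in production it belongs in a scoring model alongside device and geolocation signals rather than as a stand-alone page.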

Link(s):
https://www.bleepingcomputer.com/ne...oof-top-brands-to-hijack-ad-manager-accounts/
https://pushsecurity.com/blog/uncov...ishing-campaign-targeting-business-ad-manager