A new Google Calendar notification attack may be lurking in your inbox.

A new attack method has been identified that uses a combination of Google Calendar, Drawings, Forms, and Gmail to attempt to phish users and circumvent email security policies.

As Forbes reports, approximately 2,300 attacks using this technique were observed in a two-week period. The threat actors began by modifying the sender header so that the email appeared to have been sent via Google Calendar from a known, legitimate individual. Initially they exploited a Google Calendar feature to link to malicious Google Forms; once they realized that security products could flag these malicious calendar invitations, they switched to Google Drawings, which offered the same functionality.

The malicious forms and drawings present a link disguised as something else, often a fake reCAPTCHA or a support button, but in every case the ultimate goal is payment fraud. So far, at least 300 brands have been impersonated by attackers in this way in attempts to phish their victims. Stu Sjouwerman, CEO and founder of KnowBe4, a human risk management specialist, warns that an attack campaign targeting Google users via calendar invitations is underway, stating: “An attacker only needs a Gmail address to send an invitation. All they need is a Gmail address, and the event is added to their calendar by default.”

A report written by Sjouwerman in 2019 details this type of attack.

To stop invitations from landing on your calendar automatically, open Google Calendar's settings and change the option for automatically adding invitations to “Only show invitations I have replied to.” Then, in Gmail's settings, go to the event options and uncheck “Automatically add events from Gmail to my calendar.”

Google advises Google Workspace subscribers to require email verification for appointment scheduling, which prevents unwanted meetings: guests must verify their email address before they can book an appointment in Google Calendar. Google also recommends that users enable the Known Senders setting within Google Calendar. This setting helps protect users from this type of phishing attack by alerting them when they receive an invitation from someone who is not in their contact list or with whom they have not previously interacted at that email address.
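As an added illustration that is not part of the article and not Google's own tooling, the following Python check applies the signals described above to a constructed calendar-invite email: a From header that does not match the iCalendar ORGANIZER, a Reply-To that differs from the sender, an organizer outside a known-senders list (the idea behind the Known Senders setting), and a Google Forms or Drawings link in the event description. The sample message, the addresses and the contact list are all constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real message): the From header is dressed up to look like
# a colleague's Calendar notification, but the event is organised by another address.
SAMPLE_INVITE = """\
From: "Alice Example (via Google Calendar)" <alice@example.com>
Reply-To: attacker@example.net
Content-Type: text/calendar; charset="UTF-8"; method=REQUEST

BEGIN:VCALENDAR
BEGIN:VEVENT
ORGANIZER;CN=Billing:mailto:attacker@example.net
DESCRIPTION:Confirm payment details: https://docs.google.com/forms/d/e/PLACEHOLDER/viewform
END:VEVENT
END:VCALENDAR
"""

# Assumed contact list, standing in for the article's "Known Senders" idea.
KNOWN_SENDERS = {"alice@example.com", "carol@example.com"}
DOCS_LINK = re.compile(r"https?://docs\.google\.com/(forms|drawings)/\S+", re.I)
ORGANIZER = re.compile(r"^ORGANIZER[^:\n]*:mailto:(\S+)", re.I | re.M)


def calendar_part(msg):
    """Return the text/calendar body of the message, or '' if there is none."""
    for part in msg.walk():
        if part.get_content_type() == "text/calendar":
            return part.get_payload(decode=True).decode("utf-8", "replace")
    return ""


def check_invite(raw, known=KNOWN_SENDERS):
    """Return a list of findings for a calendar-invite email (empty list = nothing flagged)."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    cal = calendar_part(msg)
    m = ORGANIZER.search(cal)
    organizer = m.group(1).lower() if m else ""
    findings = []
    if organizer and organizer != sender:
        findings.append("organizer-from-mismatch")   # sender header does not match event owner
    if reply_to and reply_to != sender:
        findings.append("reply-to-mismatch")
    if organizer not in known:                       # missing or unknown organizer is flagged
        findings.append("unknown-organizer")
    if DOCS_LINK.search(cal):
        findings.append("forms-or-drawings-link")    # the lure type described in the article
    return findings
```

A mail filter or SOC playbook would treat any finding on an invite as a reason to hold the message for review rather than let the event auto-add to the recipient's calendar.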

The usual best practices against phishing also apply. The simplest protection is to avoid clicking on links in emails or messages from unknown senders. Check your company's policies and double-check the sender's email address: is this a sender you know? It is also important to use reputable antivirus software and keep it up to date. When choosing an antivirus, look for a security suite that includes a good VPN with browser-level privacy protection. Make sure your mobile device is protected against malware and other threats as well. We have recommendations for the best Android antivirus apps, but because of Apple's restrictions, there is no equivalent for the iPhone.

Abusing Google's services to distribute malware and launch attacks against unsuspecting users is nothing new. However, if you are not aware of these tactics, you or someone you know could easily fall for them. For this reason, even if you consider yourself security-savvy and cyberhygienic, it is important to stay up to date on the latest attack methods used by hackers.