Calendly... The Latest Cyber Weapon. Let's Look At How Fake Meeting Invites Are Being Used To Hijack Business Ad Accounts at Scale.

Jim Leone

12/4/2025

3 min read

Calendly is one of the most trusted scheduling tools in business. We use it to coordinate vendor calls, interviews, demos, and everything in between. That trust, and our instinct to click without suspicion, has made Calendly the latest battleground in a highly targeted phishing campaign now impersonating over 75 major global brands, including Disney, MasterCard, LVMH, Uber, and Unilever.

According to new reporting from Push Security, attackers are weaponizing fake Calendly meeting invites to steal Google Workspace and Facebook Business Manager credentials, giving them unrestricted access to corporate ad accounts, executive data, and in some cases, enterprise systems tied to SSO. This campaign isn’t sloppy. It’s not the “Nigerian prince” email. It is professional, AI-crafted, brand-accurate, and psychologically engineered to succeed.

And it’s working...

Marketing & Ad Accounts Are Suddenly High-Value Targets

Most organizations don’t realize how lucrative a compromised marketing account can be for cybercriminals.

1. Direct access to advertising platforms -->

A hijacked Google or Facebook ad account can be used to:

  • Launch malvertising campaigns

  • Funnel traffic to AiTM phishing sites

  • Distribute malware

  • Run ClickFix attacks

  • Spread impersonation ads targeting customers

Attackers can spend your ad dollars to run their campaigns.

2. Deep SSO & enterprise connectivity -->

Many marketing accounts tie directly into:

  • Google Workspace

  • Slack

  • CRM systems

  • SharePoint

  • IdP-integrated SaaS applications

That means a compromised ad manager account can provide a privileged pivot into your enterprise.

3. Lower security maturity -->

Marketing tools often slip through the cracks:

  • Weak or missing MFA

  • Shared team accounts

  • Poor logging

  • Limited SOC visibility

  • Less security awareness training than IT or finance

Attackers know this, and they capitalize on it!

4. High resale value -->

Compromised business accounts are quickly sold on underground markets. A single Google Ads or Facebook Business account can fetch hundreds, sometimes thousands, of dollars.

Inside the Attack... How Fake Calendly Invites Hijack Trust

This campaign follows a simple but brutally effective playbook -->

Step 1: Impersonate a recruiter from a top-tier brand

Attackers scrape public profiles and spoof legitimate recruiters, complete with:

  • Real names

  • Accurate titles

  • Real corporate branding

  • AI-generated headshot variants

It’s polished enough that even trained professionals pause before questioning it.

Step 2: Send a Calendly-style meeting invite

The email:

  • Looks exactly like a legitimate Calendly template

  • Uses believable context (interview opportunity, partnership discussion, vendor evaluation)

  • Leverages brand trust to bypass suspicion

The victim believes they’re scheduling a legitimate call.

Step 3: Redirect victims to a phishing page

The landing page:

  • Is branded to match the impersonated company

  • Spoofs a recruiter’s real profile

  • Prompts the victim to “sign in with Google” or “sign in with Facebook”

  • Captures credentials instantly

Many of these pages include AiTM (Adversary-in-the-Middle) code to bypass MFA.
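The two tells in Steps 2 and 3 (an invite that claims to be Calendly but is sent from and links to somewhere else, and a "sign in with Google/Facebook" button that lands on a third-party host) can be checked mechanically before anyone clicks. The following mail-gateway style check is an added example, not code from the original post or from Push Security; the allowed-host lists and the sample invite are assumptions constructed for it.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hosts a genuine Calendly invite links to, and where a real "sign in with ..." button
# should land. Both lists are assumptions for this example, not vendor-published data.
CALENDLY_HOSTS = ("calendly.com",)
SIGNIN_HOSTS = {"google": ("google.com",), "facebook": ("facebook.com",)}

def same_site(host, allowed):
    """True if host equals one of the allowed domains or is a subdomain of it."""
    host = host.lower()
    return any(host == a or host.endswith("." + a) for a in allowed)

def check_invite(raw_email):
    """Return the spoofing tells found in a Calendly-style invite (empty list = none)."""
    msg = message_from_string(raw_email)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1]
    # Tell 1: display name says Calendly but the sending domain is not Calendly's.
    if "calendly" in name.lower() and not same_site(domain, CALENDLY_HOSTS):
        findings.append(f"display name claims Calendly but sender domain is {domain}")
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    # Tells 2/3: link text promises Calendly or a Google/Facebook sign-in, href goes elsewhere.
    for href, text in re.findall(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        host = urlparse(href).hostname or ""
        label = re.sub(r"\s+", " ", text).strip().lower()
        if "calendly" in label and not same_site(host, CALENDLY_HOSTS):
            findings.append(f"Calendly-labelled link points to {host}")
        for provider, hosts in SIGNIN_HOSTS.items():
            if provider in label and "sign in" in label and not same_site(host, hosts):
                findings.append(f"'{label}' button points to {host}, not {provider}")
    return findings

# Constructed sample invite (not a real message) carrying all three tells.
SAMPLE_INVITE = """From: Calendly <invites@calendly-scheduling.example>
To: you@example.com
Subject: Interview: Marketing Lead - please confirm your slot
Content-Type: text/html; charset=utf-8

<html><body>
<a href="https://calendly-scheduling.example/confirm/abc123">Confirm on Calendly</a>
<a href="https://accounts.google.example-login.test/oauth">Sign in with Google</a>
</body></html>
"""

FINDINGS = check_invite(SAMPLE_INVITE)
```

A real invite from calendly.com whose sign-in button lands on accounts.google.com produces an empty list; the sample above produces three findings.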

Step 4: Immediate account takeover

Once inside, attackers move fast:

  • Change recovery emails

  • Disable notifications

  • Export account details

  • Deploy malicious ads or scripts

  • Scout linked enterprise services

In a matter of minutes, they weaponize the environment.

Why These Attacks Are Working

This campaign succeeds because it exploits three things:

1. Trust in familiar platforms

Calendly is universally recognized. People trust it. That trust is now being used against us.

2. AI-enhanced phishing sophistication

Attackers are using AI to:

  • Mimic writing tone

  • Create flawless branding

  • Generate deepfake headshots

  • Personalize messaging at scale

The result... phishing emails more polished than many real corporate emails.

3. Security blind spots around marketing systems

Most SOCs:

  • Don’t monitor ad accounts

  • Don’t enforce MFA in marketing tools

  • Don’t have logging on these platforms

  • Don’t integrate them into their SIEM

  • Don’t provide role-specific training to marketing teams

This is a systemic gap, and attackers have found it.

The Real Business Impact...

A compromised marketing environment can lead to -->

  • Fraudulent ad spend costing companies tens of thousands of dollars within hours

  • Brand damage from ads impersonating your executives or products

  • Customer targeting with malware-laced ads

  • Account pivoting, especially if Google Workspace is tied to enterprise systems

  • Legal and regulatory exposure, especially around privacy violations or malware distribution

This isn’t a minor issue; it’s a full-scale enterprise risk.

Suggestions On How to Protect Your Organization (and Your Family)...

These protections apply not only to businesses, but to individuals receiving “job interview” or “meeting request” invites.

For Businesses

Enforce MFA on -->

  • Google Workspace

  • Facebook Business Manager

  • LinkedIn Business

  • All marketing tools

Block personal account sign-ins on corporate-managed browsers/devices.

Add marketing systems to SOC monitoring -->

Include Google Ads and Facebook Ads in SIEM ingestion and alerting.

Train HR and Marketing teams -->

They are now front-line targets.

Validate all recruiter or partner meeting invites manually -->

When in doubt, call the company directly.

Implement SSO with strong conditional access -->

This reduces entry points dramatically.
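Once ad-platform audit logs reach the SIEM, the Step 4 playbook above (recovery email changed, notifications disabled, data exported, ads deployed, all within minutes of a login) is a concrete correlation rule. The detector below is an added example, not code from the original post or from any vendor; the event names, the 30-minute window and the audit lines are assumptions constructed for it and must be mapped to your platform's real schema.

```python
import json
from datetime import datetime, timedelta

# Post-login actions the playbook above lists as the attacker's first moves. The event names
# are an assumption for this example; map them to your platform's real audit event names.
TAKEOVER_ACTIONS = {"recovery_email_changed", "notifications_disabled",
                    "account_export", "ad_campaign_created"}
WINDOW = timedelta(minutes=30)   # the article's "matter of minutes"
MIN_KINDS = 2                    # two distinct takeover actions after one login -> alert

def parse_events(lines):
    """Parse JSON audit lines and return them ordered by timestamp."""
    events = []
    for line in lines:
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def detect_takeover(lines):
    """One alert per login followed, within WINDOW, by MIN_KINDS or more takeover actions."""
    events = parse_events(lines)
    alerts = []
    for i, login in enumerate(events):
        if login["event"] != "login":
            continue
        followups = [e for e in events[i + 1:]
                     if e["actor"] == login["actor"]
                     and e["event"] in TAKEOVER_ACTIONS
                     and e["ts"] - login["ts"] <= WINDOW]
        kinds = sorted({e["event"] for e in followups})
        if len(kinds) >= MIN_KINDS:
            alerts.append({"actor": login["actor"], "src_ip": login.get("src_ip"),
                           "login_ts": login["ts"].isoformat(), "actions": kinds})
    return alerts

# Constructed sample audit lines (not real Google Workspace or Facebook output).
SAMPLE_LOG = [
  '{"ts":"2025-12-04T09:00:00","actor":"ads-admin@example.com","event":"login","src_ip":"203.0.113.9"}',
  '{"ts":"2025-12-04T09:03:00","actor":"ads-admin@example.com","event":"recovery_email_changed"}',
  '{"ts":"2025-12-04T09:04:00","actor":"ads-admin@example.com","event":"notifications_disabled"}',
  '{"ts":"2025-12-04T09:08:00","actor":"ads-admin@example.com","event":"account_export"}',
  '{"ts":"2025-12-04T08:30:00","actor":"pat@example.com","event":"login","src_ip":"198.51.100.4"}',
  '{"ts":"2025-12-04T11:45:00","actor":"pat@example.com","event":"ad_campaign_created"}',
]

ALERTS = detect_takeover(SAMPLE_LOG)
```

The benign user who creates one campaign hours after logging in is not flagged; the account that changes its recovery email, silences notifications and exports data within eight minutes of a login is.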

For Individuals & Families...

  • Verify meeting invites outside the invite (LinkedIn message, company website).

  • Avoid clicking login links in emails; visit the service manually instead.

  • Be suspicious of “urgent interview invitations.”

  • Never sign in to Google or Facebook from unfamiliar links.

  • Teach teens and college-age job hunters: recruiter phishing is now mainstream.

Holiday hiring and seasonal job scams will make this even more common.

Cybercriminals don’t need new vulnerabilities; they exploit your daily workflows.

They prey on trust... Trust in platforms... Trust in brands... Trust in processes.

And today, that trust is being weaponized.

As we move into 2026, SOCs and CISOs must expand visibility beyond traditional systems. Marketing and HR workflows are now part of the threat landscape, and these new AI-powered lures make the line between legitimate and malicious harder than ever to spot. This attack wave won’t be the last, but with proper awareness, monitoring, and collaboration across departments, it doesn’t have to be a successful one.