Calendly-Themed AiTM Phishing Kits Rise with Real-Time Socket.IO and Telegram Exfiltration

urlscan.io researchers have documented a surge in phishing kits impersonating Calendly booking pages, used as a step in multi-stage AiTM credential theft chains targeting enterprise users. The kits use real-time Socket.IO connections for live victim monitoring, fake CAPTCHA challenges for victim fingerprinting, and Telegram bot webhooks for credential exfiltration — a combination that makes the infrastructure operationally efficient while the lure appears to originate from a legitimate Calendly session.

Tags: #phishing #aitm #calendly #social-engineering #credential-theft #socketio #telegram #mfa-bypass #enterprise

urlscan.io researchers have published analysis of an emerging class of phishing infrastructure using Calendly meeting booking pages as an intermediate step in adversary-in-the-middle credential theft chains. The campaign uses a technically sophisticated combination of real-time Socket.IO connections for live victim monitoring, fingerprinting-based target selection, and Telegram webhooks for immediate credential exfiltration — demonstrating that AiTM phishing infrastructure is continuing to evolve in operational sophistication.

The Calendly Lure

The use of a Calendly-branded page as a phishing step exploits several characteristics of legitimate Calendly workflows that make the lure convincing:

  • Calendly is frequently shared via email links — receiving a link to a Calendly page is a normal, expected business interaction for most enterprise users
  • Calendly redirects to authentication — legitimate Calendly pages sometimes require sign-in to complete booking, making an authentication request from a Calendly-branded page plausible
  • Calendly’s domain is trusted — the phishing pages either use convincing Calendly-lookalike domains or, in some variants, abuse Calendly’s own platform for the initial redirect before forwarding to the credential collection infrastructure

The attack chain works as follows:

  • The victim receives an email containing a Calendly meeting invite link
  • The victim clicks the link and reaches the phishing infrastructure
  • Fingerprinting and a CAPTCHA check verify that the visitor is a human victim on a real enterprise network
  • The victim is redirected to an AiTM proxy replicating the target organisation’s SSO login page
  • Credentials and MFA tokens are captured in real time
  • Finally, the victim is redirected to a legitimate Calendly page for the “meeting booking” to maintain the cover story

Technical Infrastructure

Socket.IO real-time victim monitoring: Unlike basic phishing kits that collect credentials asynchronously, the documented kits use Socket.IO WebSocket connections to notify the phishing operator in real time when a victim loads the page. This allows the operator to immediately activate the AiTM proxy session for that specific victim — enabling the real-time MFA relay required for successful AiTM attacks. Without real-time notification, an MFA code entered by the victim would expire before the operator could relay it.

Fingerprinting and victim selection: Before presenting the AiTM flow, the phishing kit runs JavaScript-based fingerprinting to identify:

  • The victim’s corporate network (via IP geolocation against known corporate IP ranges)
  • Browser and OS type (to confirm a human enterprise target rather than a security scanner)
  • Time zone and browser language (to filter for target geographies)

Victims who do not pass the fingerprinting checks — VPN users, security researcher IP addresses, or automated scanners — are redirected to the legitimate Calendly site, preventing the phishing infrastructure from being analysed.

Telegram exfiltration: Harvested credentials and session tokens are immediately transmitted to attacker-controlled Telegram bots, providing real-time notification and a persistent credential store that does not require dedicated C2 server infrastructure.
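As an added illustration of what these two mechanisms look like from the victim’s side of the network (example detection code written for this article, not part of urlscan.io’s analysis or of any phishing kit), the script below scans constructed web-proxy log lines for a Socket.IO handshake served from a Calendly-lookalike host and for calls to the Telegram Bot API, and raises the severity of a Telegram call when the same client has just loaded a lookalike page. The log field layout, the hostnames and the bot tokens are constructed placeholders.

```python
"""Added detection example: scan web-proxy log lines for the client-visible
indicators described above (a Socket.IO handshake from a Calendly-lookalike
page and a Telegram Bot API call) and correlate them per client."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample log, not real traffic. The field layout is an assumption:
# <iso-timestamp> <client-ip> <method> <url> <status> [referer=<url>] [upgrade=websocket]
SAMPLE_LOG = """\
2024-05-02T09:14:02Z 10.20.1.15 GET https://calendly-meetings.example/d/abc123 200
2024-05-02T09:14:03Z 10.20.1.15 GET https://calendly-meetings.example/socket.io/?EIO=4&transport=polling 200 referer=https://calendly-meetings.example/d/abc123
2024-05-02T09:14:03Z 10.20.1.15 GET https://calendly-meetings.example/socket.io/?EIO=4&transport=websocket 101 referer=https://calendly-meetings.example/d/abc123 upgrade=websocket
2024-05-02T09:14:41Z 10.20.1.15 POST https://api.telegram.org/bot0000000000:PLACEHOLDER_BOT_TOKEN/sendMessage 200 referer=https://calendly-meetings.example/d/abc123
2024-05-02T09:15:10Z 10.20.1.22 GET https://calendly.com/someone/30min 200
2024-05-02T09:15:11Z 10.20.1.22 GET https://calendly.com/api/booking/event_types/x 200
2024-05-02T09:20:00Z 10.20.1.30 POST https://api.telegram.org/bot0000000001:PLACEHOLDER_BOT_TOKEN/sendMessage 200
"""

# Telegram Bot API paths look like /bot<numeric-id>:<token>/<method>
TELEGRAM_BOT_PATH = re.compile(r"^/bot\d+:[A-Za-z0-9_-]+/[A-Za-z]+$")


@dataclass
class Event:
    ts: datetime
    client: str
    method: str
    url: str
    status: int
    referer: Optional[str]


@dataclass
class Alert:
    rule: str
    client: str
    detail: str
    severity: str


def parse_line(line: str) -> Event:
    """Parse one log line; trailing key=value fields (referer, upgrade) are optional."""
    ts, client, method, url, status, *rest = line.split()
    extras = dict(kv.split("=", 1) for kv in rest)
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                 client, method, url, int(status), extras.get("referer"))


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def is_real_calendly(host: str) -> bool:
    # Exact apex or a true subdomain; "calendly.com.evil.example" must not pass.
    return host == "calendly.com" or host.endswith(".calendly.com")


def is_lookalike(host: str) -> bool:
    return "calendly" in host and not is_real_calendly(host)


def is_socketio_handshake(url: str) -> bool:
    # Socket.IO clients open with GET /socket.io/?EIO=<ver>&transport=polling|websocket
    u = urlsplit(url)
    return u.path.rstrip("/").endswith("/socket.io") and "EIO" in parse_qs(u.query)


def is_telegram_bot_call(url: str) -> bool:
    u = urlsplit(url)
    return u.hostname == "api.telegram.org" and TELEGRAM_BOT_PATH.match(u.path) is not None


def detect(log_text: str, window: timedelta = timedelta(minutes=10)) -> List[Alert]:
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e.ts)
    last_lookalike_page: Dict[str, Event] = {}   # client -> latest lookalike page load
    seen_socketio: Set[Tuple[str, str]] = set()  # one Socket.IO alert per client/host
    alerts: List[Alert] = []
    for ev in events:
        host = host_of(ev.url)
        if is_lookalike(host) and not is_socketio_handshake(ev.url):
            last_lookalike_page[ev.client] = ev
        ctx = last_lookalike_page.get(ev.client)
        # Tie the event to a lookalike page via Referer, or via a recent load by the same client
        in_context = ((ev.referer is not None and is_lookalike(host_of(ev.referer)))
                      or (ctx is not None and ev.ts - ctx.ts <= window))
        if is_socketio_handshake(ev.url) and is_lookalike(host) and (ev.client, host) not in seen_socketio:
            seen_socketio.add((ev.client, host))
            alerts.append(Alert("socketio_on_calendly_lookalike", ev.client, host, "high"))
        if is_telegram_bot_call(ev.url):
            method = urlsplit(ev.url).path.split("/")[2]   # e.g. sendMessage; the token is not copied into the alert
            alerts.append(Alert("telegram_bot_api_from_browser", ev.client, method,
                                "high" if in_context else "medium"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a.severity}] {a.rule} client={a.client} {a.detail}")
```

Two caveats apply. Socket.IO is widely used by legitimate sites, so the rule only fires when the handshake host is itself a Calendly lookalike; and a corporate proxy only sees the Telegram call if the kit exfiltrates from the victim’s browser. A kit that relays credentials to Telegram from its own server leaves no such trace on the victim network, and that indicator then only shows up in analysis of the kit’s own traffic.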

Defensive Posture Against Calendly-Themed Attacks

Standard phishing defence guidance applies — verify the URL in the browser address bar, particularly before entering corporate credentials. However, several enterprise-specific mitigations are relevant:

Link analysis in email security gateways: Email security products that follow redirects and analyse the final landing page destination can detect AiTM phishing infrastructure even when the initial link appears legitimate. Configure email security to deep-inspect Calendly links that redirect to authentication pages on non-Calendly domains.
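The redirect-following logic described above, as an added example that is not from the article or from any email security product: it resolves a link’s HTTP redirect chain through a pluggable fetcher and flags a chain that begins on a Calendly-branded host (real or lookalike) but ends on a non-Calendly host presenting a password field. The fetcher used here is an offline stand-in with constructed responses; every hostname, path and page body is a placeholder.

```python
"""Added example: resolve a link's HTTP redirect chain the way an email
gateway's URL analysis would, then flag chains that start on a
Calendly-branded host but end on a non-Calendly host asking for a password."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit


@dataclass
class Hop:
    url: str
    status: int
    location: Optional[str]   # Location header when the hop is a redirect
    body: str                 # response body; only inspected on the final hop


@dataclass
class Verdict:
    verdict: str              # "allow", "block" or "review"
    reason: str
    hosts: List[str] = field(default_factory=list)


# Constructed responses standing in for the network (hostnames, paths and bodies
# are placeholders). Real code would issue requests with redirects disabled.
CONSTRUCTED_RESPONSES: Dict[str, Tuple[int, Optional[str], str]] = {
    "https://calendly.com/r/meet-x": (302, "https://cal-booking.example/invite?id=1", ""),
    "https://cal-booking.example/invite?id=1": (302, "/verify", ""),       # relative Location
    "https://cal-booking.example/verify": (200, None,
        '<form action="/login" method="post"><input type="email" name="u">'
        '<input type="password" name="p"></form>'),
    "https://calendly.com/someone/30min": (200, None, "<html>Pick a time</html>"),
    "https://loop.example/a": (302, "https://loop.example/b", ""),
    "https://loop.example/b": (302, "https://loop.example/a", ""),
}


def constructed_fetch(url: str) -> Hop:
    status, location, body = CONSTRUCTED_RESPONSES.get(url, (404, None, ""))
    return Hop(url, status, location, body)


def follow(url: str, fetch: Callable[[str], Hop], max_hops: int = 10) -> List[Hop]:
    """Follow Location headers hop by hop; stop on a non-redirect, a loop or max_hops."""
    chain: List[Hop] = []
    seen = set()
    while len(chain) < max_hops and url not in seen:
        seen.add(url)
        hop = fetch(url)
        chain.append(hop)
        if not (300 <= hop.status < 400 and hop.location):
            break
        url = urljoin(url, hop.location)   # resolves relative Location values
    return chain


PASSWORD_FIELD = re.compile(r"<input[^>]+type=[\"']?password", re.I)


def is_real_calendly(host: str) -> bool:
    return host == "calendly.com" or host.endswith(".calendly.com")


def analyse(url: str, fetch: Callable[[str], Hop]) -> Verdict:
    chain = follow(url, fetch)
    hosts = [(urlsplit(h.url).hostname or "").lower() for h in chain]
    last = chain[-1]
    if 300 <= last.status < 400:
        return Verdict("review", "redirect chain did not resolve (loop or too many hops)", hosts)
    calendly_branded = "calendly" in hosts[0]          # real calendly.com or a lookalike
    off_calendly = not is_real_calendly(hosts[-1])
    asks_password = last.status == 200 and PASSWORD_FIELD.search(last.body) is not None
    if calendly_branded and off_calendly and asks_password:
        return Verdict("block", f"Calendly-branded link lands on a credential prompt at {hosts[-1]}", hosts)
    return Verdict("allow", "no Calendly-to-external credential prompt pattern", hosts)


if __name__ == "__main__":
    for start in ("https://calendly.com/r/meet-x", "https://calendly.com/someone/30min",
                  "https://loop.example/a"):
        v = analyse(start, constructed_fetch)
        print(v.verdict, "->", " > ".join(v.hosts), "|", v.reason)
```

This only follows HTTP Location redirects. A kit that redirects through JavaScript or a meta refresh, or that applies the fingerprinting checks described earlier and sends anything that does not look like a real enterprise browser to the legitimate Calendly site, will look benign to a plain fetcher, which is why gateway link analysis needs a browser-based sandbox presenting a realistic client rather than a simple HEAD/GET loop.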

Conditional Access for SSO: Conditional Access policies that require managed device status, specific IP ranges, or hardware-bound authentication reduce the usability of stolen session tokens from AiTM captures — even if credentials are captured, the session token may be unusable from attacker infrastructure that does not meet the access conditions.

Calendly booking page authentication: If your organisation uses Calendly, consider whether authentication should be required for internal booking pages — and evaluate whether the Calendly experience can be delivered without redirecting to external authentication flows.

The sophistication of real-time Socket.IO monitoring and victim fingerprinting in these kits indicates that commercial AiTM phishing kit development has matured to address the operational challenges that previously limited AiTM attack scale. Security awareness training should explicitly cover Calendly meeting invite phishing as a current and active vector.
