1 article
urlscan.io researchers have documented a surge in phishing kits impersonating Calendly booking pages, used as a step in multi-stage AiTM credential theft chains targeting enterprise users. The kits use real-time Socket.IO connections for live victim monitoring, fake CAPTCHA challenges for victim fingerprinting, and Telegram bot webhooks for credential exfiltration — a combination that makes the attack infrastructure highly operationally efficient while appearing to originate from legitimate Calendly sessions.