TV 2 Play Payment Scam Uses Calendly Open Redirect and SendGrid Click-Tracking Chain
Attack Overview
Step 1: TV2Play Payment Failure Notification
The attacker sends phishing emails impersonating the TV 2 Play streaming service, using a failed-payment message to create urgency.

- The email passes sender authentication checks (SPF, DKIM and DMARC all pass), so it appears legitimate.
- The subject line "[EXT] Betalingen mislyktes – sikre tilgang til TV 2 i dag" (Norwegian for "Payment failed: secure access to TV 2 today"; the "[EXT]" prefix is the external-sender tag added by the receiving mail system) announces a payment failure that supposedly requires immediate action.
- The Norwegian-language message tells the recipient that their payment details need review to keep access to the service.
Step 2: Calendly Open Redirect Masks Malicious Link
The phishing link leverages Calendly's open redirect functionality so the URL appears benign while it forwards the user to a malicious destination.

- The link initially points to the calendly[.]com domain, using its open redirect endpoint (/url?q=) to appear trustworthy.
- The open redirect passes the user straight on to whatever domain is named in the q parameter, so the visible link and the actual landing page differ.
- Calendly's legitimate domain reputation helps bypass security filters that rely on domain-based detection.
Step 3: SendGrid Click-Tracking Conceals Final Destination
The attack uses SendGrid's click-tracking infrastructure to further obfuscate the final phishing destination.

- Full redirect chain: https://calendly[.]com/url?q=https://u2081612.ct.sendgrid.net/ls/click?upn=u001.lHJMg5DdyyGLZlhWcfvawi
- SendGrid's widely trusted email delivery service provides a click-tracking domain that masks the true destination.
- The multi-layer redirection chain obfuscates the final phishing destination and helps evade detection systems.
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for several reasons, including:
- The email is sent from a domain that passes sender authentication checks, so it appears legitimate to security filters.
- The open redirect leverages Calendly's trusted domain to make the phishing link appear benign while redirecting to a malicious destination.
- SendGrid's click-tracking infrastructure masks the true destination behind the domain reputation of a widely trusted email delivery service.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including:
- Behavioral AI flagging never-before-seen senders, unusual email content and URLs as anomalies, which enables detection of novel attacks.
- Content analysis and natural language processing recognizing the urgency and financial implications as indicators of a financial-themed attack.
- Detection of the redirect-chain pattern and suspicious URL structure despite the use of legitimate infrastructure.
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
Please note that the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.
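As an added example (not code from this page or from Abnormal Security), the following Python script shows the redirect-chain check that Step 3 and the detection section describe: it unwraps the chain statically, without any network request, and distinguishes a plaintext open-redirect hop (Calendly's /url?q=, as on the page) from an opaque click-tracking hop (SendGrid's /ls/click?upn=, whose token cannot be decoded offline, so the true destination stays hidden until the link is resolved in a sandbox). The sample link is the page's own defanged chain with its token truncated exactly as the page shows it; the redirector tables, the hxxp refang and the scoring rule are assumptions of this example.

```python
"""Statically unwrap a nested open-redirect / click-tracking chain and report what a
domain-reputation filter sees versus where the chain actually stops."""
from urllib.parse import urlsplit, parse_qs, unquote

# Open redirectors whose next hop is a plaintext URL in a query parameter.
# Table entry: host -> (path prefix, parameter carrying the target). Only the
# Calendly pattern from the page is listed; extend as needed (assumed table).
OPEN_REDIRECTORS = {
    "calendly.com": ("/url", "q"),
}

# Click trackers whose link parameter is an opaque token, not a URL: the final
# destination cannot be recovered offline (assumed table, SendGrid pattern from the page).
OPAQUE_TRACKERS = {
    "ct.sendgrid.net": ("/ls/click", "upn"),
}

# The page's defanged chain; the upn token is truncated here as on the page.
SAMPLE_LINK = ("https://calendly[.]com/url?q=https://u2081612.ct.sendgrid.net"
               "/ls/click?upn=u001.lHJMg5DdyyGLZlhWcfvawi")


def refang(url):
    """Turn the defanged form used in reports (calendly[.]com, hxxps://) back into a parseable URL."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def _matches(host, table):
    """Return the table entry whose host matches `host` exactly or as a parent domain, else None."""
    for suffix, entry in table.items():
        if host == suffix or host.endswith("." + suffix):
            return entry
    return None


def unwrap_chain(url, max_hops=10):
    """Follow plaintext redirect parameters hop by hop, never contacting the network.

    Returns a dict with:
      hops         - ordered URLs seen, starting with the link as it appears in the email
      opaque       - True if the chain ends at a click tracker holding an encoded token
      visible_host - the domain a reputation filter sees on the first hop
      last_host    - the domain where static unwrapping stops
    """
    hops = [refang(url)]
    opaque = False
    for _ in range(max_hops):
        parts = urlsplit(hops[-1])
        host = (parts.hostname or "").lower()
        query = parse_qs(parts.query)  # values are percent-decoded here
        # Opaque tracker: record it and stop; the next hop is not recoverable offline.
        tracker = _matches(host, OPAQUE_TRACKERS)
        if tracker and parts.path.startswith(tracker[0]) and tracker[1] in query:
            opaque = True
            break
        redirector = _matches(host, OPEN_REDIRECTORS)
        if not redirector or not parts.path.startswith(redirector[0]):
            break  # not a known redirector: the chain ends here
        target = query.get(redirector[1])
        if not target:
            break
        hops.append(unquote(target[0]))
    return {
        "hops": hops,
        "opaque": opaque,
        "visible_host": (urlsplit(hops[0]).hostname or "").lower(),
        "last_host": (urlsplit(hops[-1]).hostname or "").lower(),
    }


def is_suspicious_chain(report):
    """Flag a link whose visible domain only lends its reputation to a different destination,
    or whose destination is hidden behind an opaque tracking token (assumed scoring rule)."""
    borrowed_reputation = len(report["hops"]) > 1 and report["visible_host"] != report["last_host"]
    return borrowed_reputation or report["opaque"]


if __name__ == "__main__":
    report = unwrap_chain(SAMPLE_LINK)
    for i, hop in enumerate(report["hops"]):
        print(f"hop {i}: {hop}")
    print("visible host:", report["visible_host"], "| last host:", report["last_host"])
    print("opaque tracker at end of chain:", report["opaque"])
    print("suspicious:", is_suspicious_chain(report))
```

Because the SendGrid token is opaque, the script reports the chain as "destination hidden" rather than inventing a landing page; a mail gateway that wants the real destination has to resolve the link in an isolated environment and re-run the same comparison on the host it lands on.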