Phishing Campaign Exploits Calendly to Evade Email Security in Hotels

A phishing campaign targeting hotels in Europe and Asia since April 2026 has utilized a method called 'authentication laundering' to bypass enterprise email security filters. Microsoft Threat Intelligence disclosed this operation on June 25, 2026, revealing that attackers registered a legitimate Calendly account to send phishing emails. These emails, appearing as legitimate notifications, passed all standard authentication checks (SPF, DKIM, DMARC) due to their origin from Calendly's authorized servers. The messages, written in Japanese, Danish, and Dutch, contained urgent lures related to guest complaints and operational threats. The campaign has significant implications for any organization relying on SaaS platforms for email notifications, as it exposes a critical design flaw in email security. The phishing emails embedded a redirect URL leading to a malicious payload disguised as a Windows shortcut file. Currently, the campaign remains active, posing risks to hotel operations across multiple regions.

Key Points: • Phishing campaign uses legitimate Calendly accounts to bypass email filters. • Attackers exploit a design flaw in email authentication standards (SPF, DKIM, DMARC). • Urgent lures target hotel staff with threats of operational consequences.