{"id":16227,"date":"2026-04-13T14:38:46","date_gmt":"2026-04-13T02:38:46","guid":{"rendered":"https:\/\/kinetics.co.nz\/?p=16227"},"modified":"2026-04-13T14:38:46","modified_gmt":"2026-04-13T02:38:46","slug":"when-legitimate-tools-are-used-illegitimately-like-booking-a-meeting-time","status":"publish","type":"post","link":"https:\/\/new.kinetics.co.nz\/?p=16227","title":{"rendered":"When \u201cLegitimate\u201d Tools Are Used Illegitimately (like booking a meeting time)"},"content":{"rendered":"

[et_pb_section fb_built=”1″ _builder_version=”4.27.6″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_row _builder_version=”4.27.6″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_column type=”4_4″ _builder_version=”4.27.6″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_text _builder_version=”4.27.6″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n

Cyber awareness isn\u2019t just about blocking malware \u2014 it\u2019s about recognising intent.<\/strong><\/h2>\n

Recently, we received a callout from a client after a user received what initially appeared to be a genuine business opportunity. The email exchange seemed credible, replies were exchanged, and eventually a Calendly booking link<\/strong> was provided to schedule a meeting.<\/p>\n

At first glance, nothing appeared overtly malicious.<\/p>\n

However, the user became suspicious after clicking the link and contacted us for verification. That decision mattered.<\/p>\n

What we found<\/h3>\n

Our investigation showed:<\/p>\n

    \n
  • The booking link itself was a legitimate Calendly link<\/strong><\/li>\n
  • There was no malware<\/strong>, no fake login page, and no credential harvesting form<\/li>\n
  • Calendly was operating exactly as designed<\/strong><\/li>\n<\/ul>\n

    But there was a critical red flag.\u00a0\u00a0The sender\u2019s email domain was only 21 days old<\/strong>, and the domain had no valid or functional website<\/strong> behind it.\u00a0\u00a0This was not a failed attack \u2014 it was pre\u2011attack reconnaissance<\/strong>.<\/p>\n

    Understanding the Technique: Trust Before the Attack<\/h2>\n

    This scenario highlights a growing technique we\u2019re seeing more frequently: using trusted, legitimate platforms to lower defences<\/strong>.<\/p>\n

    [\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”3_5,2_5″ make_equal=”on” _builder_version=”4.27.6″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_column type=”3_5″ _builder_version=”4.27.6″ _module_preset=”default” border_radii=”on|10px|10px|10px|10px” border_width_all=”1px” border_color_all=”#222222″ box_shadow_style=”preset1″ global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_text _builder_version=”4.27.6″ _module_preset=”default” hover_enabled=”0″ global_colors_info=”{}” theme_builder_area=”post_content” custom_padding=”10px|10px|10px|10px|false|false” sticky_enabled=”0″]<\/p>\n

    What this attack is not<\/em><\/h3>\n
      \n
    • No exploit<\/li>\n
    • No malicious payload<\/li>\n
    • No impersonated Calendly infrastructure<\/li>\n
    • No credential prompt<\/li>\n<\/ul>\n

      There is nothing to \u201cblock\u201d in the traditional sense.<\/strong><\/p>\n

      [\/et_pb_text][\/et_pb_column][et_pb_column type="2_5" _builder_version="4.27.6" _module_preset="default" border_radii="on|10px|10px|10px|10px" border_width_all="1px" border_color_all="#222222" box_shadow_style="preset1" global_colors_info="{}" theme_builder_area="post_content"][et_pb_image src="https:\/\/new.kinetics.co.nz\/wp-content\/uploads\/2026\/04\/CalendarHacker.png" title_text="CalendarHacker" _builder_version="4.27.6" _module_preset="default" hover_enabled="0" box_shadow_style="preset1" global_colors_info="{}" theme_builder_area="post_content" align="center" sticky_enabled="0"][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version="4.27.6" _module_preset="default" global_colors_info="{}" theme_builder_area="post_content"][et_pb_column type="4_4" _builder_version="4.27.6" _module_preset="default" global_colors_info="{}" theme_builder_area="post_content"][et_pb_text _builder_version="4.27.6" _module_preset="default" global_colors_info="{}" theme_builder_area="post_content"]<\/p>\n

      What the attacker is actually doing<\/h3>\n

      The real objective here is verified lead harvesting and trust building<\/strong>.\u00a0\u00a0By using Calendly, the attacker can:<\/p>\n

        \n
      • \n

        Harvest validated contact data<\/strong><\/p>\n

          \n
        • Name<\/li>\n
        • Email address<\/li>\n
        • Company<\/li>\n
        • Sometimes role or phone number<\/li>\n<\/ul>\n<\/li>\n
        • \n

          Confirm human engagement<\/strong><\/p>\n

            \n
          • Booking a meeting confirms the mailbox is real, monitored, and responsive<\/li>\n
          • This signals high intent and lowers future suspicion<\/li>\n<\/ul>\n<\/li>\n
          • \n

            Build legitimacy<\/strong><\/p>\n

              \n
            • \u201cThey booked time with me\u201d reframes future contact as expected<\/em> rather than unsolicited<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n

              In short: Calendly is the reconnaissance phase<\/strong>, not the attack itself.<\/p>\n

               <\/p>\n

              Why this matters<\/h2>\n

              Traditional security controls are excellent at stopping malware, phishing links, and credential theft, but this technique doesn\u2019t trigger those alarms<\/strong>.<\/p>\n

              That\u2019s why cyber awareness training<\/strong> and a layered security approach<\/strong> are essential.<\/p>\n

                \n
              • Technology reduces risk<\/li>\n
              • Awareness identifies intent<\/li>\n
              • People close the gap<\/li>\n<\/ul>\n

                In this case, the outcome was positive because the user trusted their instincts and escalated early.<\/p>\n

                The takeaway<\/h2>\n

                If something feels slightly off<\/em>, even when all the tools look legitimate.\u00a0 Pause and verify.\u00a0\u00a0That pause is often the difference between early detection<\/strong> and incident response<\/strong>.<\/p>\n

                [\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"

                Cyber awareness isn\u2019t just about blocking malware \u2014 it\u2019s about recognising intent. Recently, we received a callout from a client after a user received what initially appeared to be a genuine business opportunity. The email exchange seemed credible, replies were exchanged, and eventually a Calendly booking link was provided to schedule a meeting. At first […]<\/p>\n","protected":false},"author":5,"featured_media":16228,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[4,5],"tags":[],"class_list":["post-16227","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","category-security"],"_links":{"self":[{"href":"https:\/\/new.kinetics.co.nz\/index.php?rest_route=\/wp\/v2\/posts\/16227","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/new.kinetics.co.nz\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/new.kinetics.co.nz\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/new.kinetics.co.nz\/index.php?rest_route=\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/new.kinetics.co.nz\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=16227"}],"version-history":[{"count":0,"href":"https:\/\/new.kinetics.co.nz\/index.php?rest_route=\/wp\/v2\/posts\/16227\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/new.kinetics.co.nz\/index.php?rest_route=\/"}],"wp:attachment":[{"href":"https:\/\/new.kinetics.co.nz\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=16227"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/new.kinetics.co.nz\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=16227"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/new.kinetics.co.nz\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=16227"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}