cR0w on Nostr: Looks like there is some good human manipulation, er, "social engineering" lately ...
Looks like there is some good human manipulation, er, "social engineering" lately using a pretext of looking for security work and sending links through weird domains that redirect to calendly links for what I assume is an opportunity to continue the con. For now, I would BOLO URIs with ?redirectTo=https://calendly.com/* in the parameters. I can't say they're necessarily malicious, but I would certainly scrutinize them and the domain you see them redirected from, especially if the original subdomain is t or trk.
#threatIntel #socialEngineering #phishing
Published at 2025-03-13 13:16:09
Event JSON
{
"id": "d72212b5046c451e46e01a96d2e561f1fe29b657e6f7dfb341d88b67cf59e96d",
"pubkey": "14609e2d429cc6b47de05d41a9840716e4d2e0bec59e8bbf79ad79dd7c5def64",
"created_at": 1741871769,
"kind": 1,
"tags": [
[
"t",
"threatintel"
],
[
"t",
"socialengineering"
],
[
"t",
"phishing"
],
[
"proxy",
"https://infosec.exchange/users/cR0w/statuses/114155308305003523",
"activitypub"
]
],
"content": "Looks like there is some good human manipulation, er, \"social engineering\" lately using a pretext of looking for security work and sending links through weird domains that redirect to calendly links for what I assume is an opportunity to continue the con. For now, I would BOLO URIs with ?redirectTo=https://calendly.com/* in the parameters. I can't say they're necessarily malicious, but I would certainly scrutinize them and the domain you see them redirected from, especially if the original subdomain is t or trk.\n\n#threatIntel #socialEngineering #phishing",
"sig": "645270302b18c8d3f613e5ed746576508a6e113ea560cc5f0fb9906fabf4b88e6af68d10984ed3d060e6570acd6f4e050494c0cfdd4d0b62e41e00f531c07cca"
}
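The lookout described in the post, written out as an added example (not code from cR0w): it flags URLs whose redirectTo parameter points at calendly.com and records whether the redirecting host's leftmost label is t or trk. The function names and the sample URLs (example.* hosts) are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

TRACKING_LABELS = {"t", "trk"}  # the subdomains the post singles out

def _host(url: str) -> str:
    """Lower-cased hostname of `url`, or '' if it cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:  # e.g. malformed IPv6 literal
        return ""

def _is_calendly(url: str) -> bool:
    """True for calendly.com and its subdomains, not for look-alike hosts."""
    host = _host(url)
    return host == "calendly.com" or host.endswith(".calendly.com")

def check_url(url: str):
    """Return a finding dict if `url` carries redirectTo=<Calendly URL>, else None."""
    url = url.strip()
    host = _host(url)
    if not host or _is_calendly(url):
        return None  # unparseable, or a direct Calendly link rather than a redirector
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        # parse_qsl percent-decodes once, so redirectTo=https%3A%2F%2Fcalendly.com... matches
        if key.lower() == "redirectto" and _is_calendly(value):
            return {
                "redirector": host,
                "target": value,
                "tracking_subdomain": host.split(".")[0] in TRACKING_LABELS,
            }
    return None

def scan(urls):
    """Findings for an iterable of URLs, t/trk redirectors listed first."""
    hits = [f for f in map(check_url, urls) if f]
    return sorted(hits, key=lambda f: not f["tracking_subdomain"])

# Constructed sample input; the example.* hosts are placeholders, not real indicators.
SAMPLE_URLS = [
    "https://trk.mail.example.net/c/abc?redirectTo=https%3A%2F%2Fcalendly.com%2Fsomeone%2Fintro",
    "https://links.example.org/go?id=7&redirectTo=https://calendly.com/someone/30min",
    "https://t.example.com/r?redirectTo=https://calendly.com.example.io/x",  # look-alike host
    "https://calendly.com/someone/30min",                                     # direct link
    "https://t.example.com/r?redirectTo=https://example.com/pricing",         # other target
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_URLS):
        print(finding)
```

A hit is a prompt to look at the redirecting domain, in line with the post's caveat that such links are not necessarily malicious.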