
Microsoft Halts Phishing, Calendly Invite Danger, OpenAI Security Incident

Vishal Lamba, Content Specialist
Updated April 16, 2026

Quick Answer

According to the FBI's 2022 Internet Crime Report (IC3), 300,497 US-based victims reported phishing incidents in a single year, and Business Email Compromise (BEC) caused more than $2.7 billion in direct losses.


Domain spoofing is trivially easy without DMARC enforcement, says Brad Slavin, General Manager of DuoCircle. Anyone can send email that looks like it comes from your domain. DMARC with p=reject is the only way to tell receiving servers to block unauthorized senders completely.


It’s December, and while everyone is gearing up for the grand festivities, cybercrooks are also busy developing and executing threat campaigns. There’s something about holidays and the shopping season that these threat actors love way too much. First, people really let their guard down as they try to enjoy life. Second, brands try to make the most of this time period by running attractive, limited-time campaigns.

It is these moments of carefree indulgence and chaos that the cybercrooks want to abuse by deploying sophisticated threat campaigns. Only awareness and vigilance can protect you from the clutches of cybercriminals. That’s exactly why we are here with our first cyber bulletin of the month. Let’s not waste any more time and get started on the details!

Microsoft disrupts a massive phishing campaign designed by Storm-0900

A threat actor named Storm-0900 designed a threat campaign around Thanksgiving Eve and flooded inboxes across the USA with malicious emails. It was a carefully planned campaign aimed at compelling unsuspecting users to click on malicious links in the emails. The campaign started to peak around November 26th. Emails were themed around urgent medical results and parking violations. The core purpose was to abuse the time when the majority of people would be busy traveling, celebrating festivals, or indulging in shopping experiences.

The threat actor carefully structured the campaign to target two key aspects: **administrative urgency and personal urgency**. Storm-0900 used a neighbor spoofing technique on their targets. The goal was to make the victims succumb to social pressure. Some emails were also designed to look more formal and institutional. Most of these emails claim to be from medical centers and to contain an “INR test report.” An element of urgency was further added to every email claiming that “we are closed Thursday, November 28th, in observance of Thanksgiving.”

Microsoft, with its robust defense systems, managed to identify the threat campaign right on time and disrupted it immediately. A multi-layered security strategy was developed to detect and eradicate the campaign. The defense strategy included multiple steps, like email filtering, endpoint protection, and finally, infrastructure takedown.

To counter these rising phishing threats, organizations are increasingly adopting DMARC, DKIM, and SPF to strengthen email authentication and protect brand integrity.
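As an added example (not code from the original article or from DMARC Report), the Python sketch below parses a DMARC TXT record and lists the gaps that keep it short of full `p=reject` enforcement: a monitoring-only policy, a `pct` below 100, or a weaker subdomain policy. The sample records and the domain example.com are constructed for illustration.

```python
# Added example: check whether a DMARC record actually enforces a policy.
# The sample records are constructed; the real one is the TXT record
# published at _dmarc.<your-domain>.

def parse_dmarc(txt):
    """Split a DMARC TXT value into a lower-cased tag dict; None if not DMARC."""
    pairs = [p.strip() for p in txt.split(";") if p.strip()]
    if not pairs or pairs[0].replace(" ", "").lower() != "v=dmarc1":
        return None  # the version tag must come first
    tags = {}
    for pair in pairs[1:]:
        name, sep, value = pair.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def assess(txt):
    """Return a list of findings; an empty list means full p=reject enforcement."""
    tags = parse_dmarc(txt)
    if tags is None:
        return ["no valid DMARC record: receivers apply no DMARC policy"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: failing mail is treated as suspicious, not rejected")
    elif policy != "reject":
        findings.append(f"p={policy or 'missing'}: not a valid policy, receivers will not enforce")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    sp = tags.get("sp", policy).lower()  # subdomains inherit p when sp is absent
    if policy == "reject" and sp != "reject":
        findings.append(f"sp={sp}: subdomains are held to a weaker policy than the domain")
    if "rua" not in tags:
        findings.append("no rua: aggregate reports are not being collected")
    return findings

SAMPLES = {  # constructed records for the placeholder domain example.com
    "monitoring": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial": "v=DMARC1; p=reject; pct=25; sp=none; rua=mailto:dmarc@example.com",
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(name, assess(record) or ["enforced: p=reject for domain and subdomains"])
```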

Beware: that Calendly invite can get your ad manager account hacked

A new phishing campaign is doing the rounds where the threat actors use Calendly-themed invites to get access to Google Workspace and Facebook business accounts. Cybercrooks have been targeting ad manager accounts of businesses for a long time. But this time, the threat actors have effectively increased the success rate of this campaign.

Calendly is a digital scheduling platform that enables organizers to send virtual meeting links to attendees, where the latter can select a suitable time slot. Cybercriminals have misused Calendly earlier, too. But this time, they are abusing reputed brand names such as Disney, Uber, Unilever, LVMH, and MasterCard.

Basically, the threat actor impersonates a recruiter from a popular brand and then shares false meeting invitations with the victims. They use different AI tools to come up with the fake emails. When a victim clicks on the malicious link, they get directed to a fake Calendly-lookalike page. There, the victim is required to solve a CAPTCHA. Meanwhile, the adversary-in-the-middle (AiTM) phishing page tries to capture the victim’s **Google Workspace login sessions**.

So far, threat actors have impersonated around 75 well-known brands.

OpenAI gets breached because of its analytics partner

OpenAI has experienced a major cyber breach as threat actors managed to **penetrate the network of Mixpanel**, OpenAI’s analytics partner. The threat actors have managed to steal customer profile information.

The CEO of Mixpanel has shared a post stating that the breach happened on November 8th. It was a smishing attack, one that uses malicious SMS messages to target victims. The threat actors targeted employees at Mixpanel to get access to sensitive data related to OpenAI profiles.


Some of the critical data compromised by this attack includes names, email addresses, referring websites, locations, and so on. Mixpanel claims that they have communicated directly with each and every impacted customer. OpenAI, on the other hand, has terminated its connection with Mixpanel.

OpenAI has clarified that no payment details, API keys, passwords, user credentials, or government IDs were compromised in this incident. But it has advised customers to stay vigilant and double-check any email that appears to be coming from OpenAI’s domain. Turning on Multi-Factor Authentication can also be a smart move in this situation.


This attack is a staggering reminder that securing the primary platform is just level one of risk prevention. One must also be equally mindful of securing the secondary platforms and other partners associated with the main platform. Cybercrooks often use these less-secure secondary platforms as backdoors for unauthorized entry.

Vishal Lamba

Content Specialist at DMARC Report. Writes vendor-specific email authentication guides and troubleshooting walkthroughs.
