When “Legitimate” Tools Are Used Illegitimately (like booking a meeting time)

by | Apr 13, 2026 | IT News & Insights New Zealand | Cybersecurity, AI & Microsoft Updates, Security

Cyber awareness isn’t just about blocking malware — it’s about recognising intent.

Recently, we received a callout from a client after a user received what initially appeared to be a genuine business opportunity. The email exchange seemed credible, replies were exchanged, and eventually a Calendly booking link was provided to schedule a meeting.

At first glance, nothing appeared overtly malicious.

However, the user became suspicious after clicking the link and contacted us for verification. That decision mattered.

What we found

Our investigation showed:

  • The booking link itself was a legitimate Calendly link
  • There was no malware, no fake login page, and no credential harvesting form
  • Calendly was operating exactly as designed

But there was a critical red flag.  The sender’s email domain was only 21 days old, and the domain had no valid or functional website behind it.  This was not a failed attack — it was pre‑attack reconnaissance.
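The domain-age check that exposed this message can be run at triage time. The following is an added example, not code from the original post or the investigation: it reads the From: domain of a message and the registration event of an RDAP record for that domain. The sample message, the RDAP record, the .example domains and the 30-day threshold are constructed assumptions.

```python
import json
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parseaddr

MIN_AGE_DAYS = 30  # assumed triage threshold, tune to your environment

# Constructed sample message; the scheduling link is clean, so link scanning finds nothing.
SAMPLE_EMAIL = """\
From: Alex Example <alex@new-partner.example>
To: user@client.example
Subject: Re: Partnership opportunity

Great, please pick a time: https://calendly.com/placeholder/intro
"""

# Constructed RDAP domain object (RFC 9083 layout) for the sender's domain.
SAMPLE_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "new-partner.example",
    "events": [
        {"eventAction": "registration", "eventDate": "2026-03-23T00:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2027-03-23T00:00:00Z"},
    ],
})

def sender_domain(raw_email):
    """Domain of the From: address, ignoring the display name."""
    _, addr = parseaddr(message_from_string(raw_email).get("From", ""))
    return addr.rpartition("@")[2].lower()

def registration_date(rdap):
    """Registration timestamp from an RDAP domain object, or None if absent."""
    for event in rdap.get("events", []):
        if event.get("eventAction") == "registration":
            return datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
    return None

def triage(raw_email, rdap_json, now):
    """Flag the message when the sender domain is young or its age is unknown."""
    domain, rdap = sender_domain(raw_email), json.loads(rdap_json)
    registered = registration_date(rdap)
    if rdap.get("ldhName", "").lower() != domain or registered is None:
        return {"domain": domain, "age_days": None, "flag": True}
    age = (now - registered).days
    return {"domain": domain, "age_days": age, "flag": age < MIN_AGE_DAYS}

if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL, SAMPLE_RDAP, datetime(2026, 4, 13, tzinfo=timezone.utc)))
```

A missing registration event or an RDAP record for a different domain is flagged rather than passed, so an unknown age is treated like a young one.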

Understanding the Technique: Trust Before the Attack

This scenario highlights a growing technique we’re seeing more frequently: using trusted, legitimate platforms to lower defences.

What this attack is not

  • No exploit
  • No malicious payload
  • No impersonated Calendly infrastructure
  • No credential prompt

There is nothing to “block” in the traditional sense.

What the attacker is actually doing

The real objective here is verified lead harvesting and trust building.  By using Calendly, the attacker can:

  • Harvest validated contact data
    • Name
    • Email address
    • Company
    • Sometimes role or phone number
  • Confirm human engagement
    • Booking a meeting confirms the mailbox is real, monitored, and responsive
    • This signals high intent and lowers future suspicion
  • Build legitimacy
    • “They booked time with me” reframes future contact as expected rather than unsolicited

In short: Calendly is the reconnaissance phase, not the attack itself.

Why this matters

Traditional security controls are excellent at stopping malware, phishing links, and credential theft, but this technique doesn’t trigger those alarms.

That’s why cyber awareness training and a layered security approach are essential.

  • Technology reduces risk
  • Awareness identifies intent
  • People close the gap

In this case, the outcome was positive because the user trusted their instincts and escalated early.

The takeaway

If something feels slightly off, even when all the tools look legitimate, pause and verify. That pause is often the difference between early detection and incident response.