Usually, I pride myself on being able to spot a phishing email from a mile away; however, I’ve always maintained that anyone, even the most security-minded individual, could be phished with enough research and time.
Recently, I was targeted by a few phishing campaigns that slipped by my usual “Phish Sense” (is that a thing?) and were convincing enough that I opened them and was even intrigued by their contents before realizing they were phishing emails. This is the first time this has happened in a long time, and the main reason was a strategy I hadn’t seen before that utilized an Applicant Tracking System (ATS).
Phishing: Still an Effective Technique
In 2025, despite the overwhelming amount of training and security tooling developed for email security, phishing is still one of the most effective techniques for initial access and a favorite of cybercriminals. No fancy 0-days or hacking of exposed infrastructure required: just email members of an organization and convince them to click a link, download an attachment, enter credentials, or take some other action without realizing the potential damage lurking in the email.
With the prevalence of AI tools that can take all forms of social engineering (phishing included) to the next level, I expect we’ll see even more phishing taking place in the coming years. There’s no time like the present to learn about conducting ethical phishing campaigns or to up your email security game.
TCM offers the Practical Phishing Campaigns course through the Academy, which can clue you in to the tactics and techniques used by threat actors to compose and execute phishing campaigns, leaving you better prepared to identify those threats. If you’re interested in safeguarding organizations against these types of threats, our Security Operations 101 course will teach you those skills and the Practical SOC Analyst Associate certification will provide proof of those skills.
How I Almost Got Phished
Okay, so back to how an email that landed in my Gmail inbox got past all of Google’s spam filters, got me to click it, and had me initially excited about the opportunity it presented. The key to all of it was abusing a legitimate ATS as a Trojan horse of sorts. If you’ve applied to any job posting in the last decade, then you’re probably at least somewhat familiar with companies using an ATS to manage applicants and respond to job postings. While they’re best known for filtering resumes, they are also used to schedule interviews and communicate with candidates. This last feature is what allows them to be abused for phishing: the ATS sends the message from its own mail infrastructure, so it arrives with the vendor’s valid SPF, DKIM, and DMARC results and the reputation of an established sending domain, rather than from a throwaway domain a filter would score harshly.
The email I received passed through all spam filters and didn’t raise any alarm from me because it came from a legitimate Applicant Tracking System. What the phishers had done was create a fake account on a legitimate ATS, pretending to be Reality Labs (which is Meta’s VR platform that was formerly Oculus).

When I initially received the email, Gmail had even flagged it as being important! I hadn’t heard of recruitee.com, but surely if it wasn’t a legitimate domain, Google would be flagging it as spam and definitely not suggesting it was an important email. Even still, I did some research myself, which showed that it was a legitimate site and tool.

Who wouldn’t trust a company that is trusted by KFC, right? In all seriousness, Recruitee is a legit tool used by many big-name companies, though the fact that they allow free trials seems to have opened their tool up to abuse by phishers.
Phishing Payload
The email, supposedly from Reality Labs at Meta, said they thought I’d be a good fit for a social media position there, and they wanted to schedule a call to talk. This is a simple enough request, and considering my current position and background as a content creator making social media content about tech and even IoT and hardware, it’s definitely something I’d consider and also be qualified for.

I initially received the email and read it on my phone, and my first reaction was, “That’s cool”, and I planned to check it out the next time I was at my computer. Half because I’m a millennial, and half because I’m fairly security-minded, I usually save any link clicking, forms, or signing up for anything until I’m on my computer.
After revisiting the email on my computer, I realized fairly quickly that this was a phishing attempt. The first tip-off was hovering over the “schedule a call” link, which did not point to a recruitee.com domain or a Meta domain but instead to a newly registered one trying to pass as a Meta recruiting domain. At this point, I was curious about the goal of the phishing attempt. Was this an advanced campaign attempting to get me on a call?
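The two checks that unmasked this phish, the sender authenticating as a third-party ATS while the display name claims a different brand, and the “schedule a call” link pointing at a domain that belongs to neither, can be automated. The script below is an added example written for this post, not code from the original article or from Recruitee or Meta. It parses a constructed .eml (all headers, addresses and the HTML body are made up; meta-recruiting-careers.example stands in for the lure domain, which the post does not name), reads the Authentication-Results header, and flags links and Reply-To addresses whose domain is outside the authenticated sender domain and the claimed brand’s assumed allowlist.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): an ATS-sent email that authenticates
# for the vendor domain but presents itself as a well-known brand and links elsewhere.
SAMPLE_EML = """\
From: "Reality Labs Recruiting" <no-reply@recruitee.com>
Reply-To: recruiting@meta-recruiting-careers.example
To: victim@example.org
Subject: Social media role at Reality Labs
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=recruitee.com; dkim=pass header.d=recruitee.com; dmarc=pass header.from=recruitee.com
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hi, we think you'd be a great fit. Let's talk!</p>
<p><a href="https://meta-recruiting-careers.example/schedule">Schedule a call</a></p>
<p><a href="https://recruitee.com/unsubscribe">Unsubscribe</a></p>
</body></html>
"""

# Assumed allowlist: brand names as they might appear in a display name, mapped to
# domains that brand legitimately uses. A real deployment maintains this per organisation.
BRAND_DOMAINS = {
    "meta": {"meta.com", "facebook.com"},
    "reality labs": {"meta.com", "facebook.com"},
}

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(pass|fail|none|softfail|neutral)\b([^;]*)")
AUTH_DOMAIN_RE = re.compile(r"(?:smtp\.mailfrom|header\.d|header\.from)=([A-Za-z0-9.-]+)")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Simplification: ignores multi-label suffixes like co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_auth_results(header: str) -> dict:
    """Return {'spf': ('pass', 'recruitee.com'), ...} from an Authentication-Results header."""
    results = {}
    for mech, verdict, rest in AUTH_RE.findall(header or ""):
        m = AUTH_DOMAIN_RE.search(rest)
        results[mech] = (verdict, registrable_domain(m.group(1)) if m else None)
    return results


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body: the programmatic 'hover'."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw_eml: str) -> dict:
    msg = email.message_from_string(raw_eml, policy=policy.default)
    display_name, from_addr = parseaddr(msg["From"])
    from_domain = registrable_domain(from_addr.split("@")[-1])
    auth = parse_auth_results(msg["Authentication-Results"])
    findings = []

    # 1. Brand claimed in the display name vs. the domain the mail actually authenticates for.
    claimed = {b for b in BRAND_DOMAINS if b in display_name.lower()}
    trusted = {from_domain}
    for brand in claimed:
        trusted |= BRAND_DOMAINS[brand]
        if from_domain not in BRAND_DOMAINS[brand]:
            findings.append(f"display name claims '{brand}' but mail authenticates for {from_domain}")

    # 2. Reply-To steering replies to a domain that is neither the sender nor the brand.
    _, reply_addr = parseaddr(msg["Reply-To"] or "")
    if reply_addr:
        reply_domain = registrable_domain(reply_addr.split("@")[-1])
        if reply_domain not in trusted:
            findings.append(f"Reply-To domain {reply_domain} is outside sender and claimed brand")

    # 3. Every link whose domain is outside sender + claimed brand (the hover check).
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    suspicious = []
    for href, text in collector.links:
        dom = registrable_domain(urlparse(href).hostname or "")
        if dom not in trusted:
            suspicious.append(dom)
            findings.append(f"link '{text}' -> {dom} (outside {sorted(trusted)})")

    return {"from_domain": from_domain, "auth": auth, "suspicious_links": suspicious, "findings": findings}


if __name__ == "__main__":
    for line in triage(SAMPLE_EML)["findings"]:
        print("!", line)
```

Note that SPF, DKIM, and DMARC all pass in the sample, exactly as they would for a real message relayed by the ATS; authentication results only tell you the mail really came from the vendor, not that the vendor’s customer is who they say they are. The registrable-domain helper is deliberately naive; swap in a public-suffix library before using this on real traffic.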
To help me answer this question, I looped in my coworker Andrew Prince. If you’re not familiar with him, he’s the blue team content creator at TCM, the creator of the SOC 101 and 201 courses, and very talented at all things digital forensics, including phishing email analysis. Double Andrew powers activate!
Phishing Email Analysis
Prince got to work and was able to unravel the phish quickly!

The initial landing page from the phishing attempt took you to a fairly convincing Meta Quest page, asking for some details. Afterwards, it prompted you to log in with Facebook credentials.

When you clicked ‘Continue’, you were directed to log in via Facebook. Of course, this was not a real Facebook login; it was a fake portal designed for credential harvesting. After entering any credentials (valid or not), you were then able to book a meeting.

Interestingly, you could actually book something via Calendly, so of course, Prince did!


Strategically, the openings to book a time slot were all over a week away, most likely so that victims were not tipped off to the phish until a week later, giving the attackers time to harvest and use the stolen credentials while the victims waited for a call.
Further investigation by Prince revealed more of the infrastructure used by this attacker; interestingly, they had set up a Calendly using a fake name.


Maybe the scammer was of Albanian descent? Unfortunately, they never called, and it appears the only goal of this phishing email was to harvest credentials. All that was left to do now was to report their domains and the abuse of the products used to pull off the phishing attempt.
Conclusion
This phish almost got me because it 1) targeted my background and interests and 2) used a unique tactic to bypass spam filters and appear legitimate. If someone is used to clicking links that seem OK on their phone without checking the associated domains, an attack like this would be hard to detect. This is a great reminder that we can’t always rely on technical controls to flag phishing emails. Instead, it’s important to use a combination of both technical controls and user awareness training.
One way to perform user training is through the use of simulated phishing campaigns and testing. If you’re curious to learn more about how to perform your own phishing campaigns, make sure to check out the TCM Security Practical Phishing Campaigns course. Alternatively, if your organization is looking to perform a phishing simulation, TCM Security offers Social Engineering Testing among our other penetration testing services!

About the Author: Andrew Bellini
My name is Andrew Bellini and I sometimes go as DigitalAndrew on social media. I’m an electrical engineer by trade with a bachelor’s degree in electrical engineering and am a licensed Professional Engineer (P. Eng) in Ontario, Canada. While my background and the majority of my career has been in electrical engineering, I am also an avid and passionate ethical hacker.
I am the instructor of our Beginner’s Guide to IoT and Hardware Hacking, Practical Help Desk, and Assembly 101 courses and I also created the Practical IoT Pentest Associate (PIPA) and Practical Help Desk Associate (PHDA) certifications.
In addition to my love for all things ethical hacking, cybersecurity, CTFs and tech I also am a dad, play guitar and am passionate about the outdoors and fishing.
About TCM Security
TCM Security is a veteran-owned, cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to our individual students and corporate clients including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical hands-on certification exams to ensure proven job-ready skills to prospective employers.
Pentest Services: https://tcm-sec.com/our-services/