
The Quiet Phish: Stopping Calendar Invitation Attacks

Learn how to mitigate the risk posed by calendar invitation attacks against Google Workspace and Microsoft 365 accounts.

Industry Insights
December 18, 2025
Rajan Kapoor, VP, Security


Most inbound threats targeting employees focus on email. This makes sense, since email is an app that is almost universally used and reaches a soft target: people. Email security tools have become fairly good at blocking these attacks. Plenty of attacks still get through, but the success rate is lower. So naturally, attackers are moving to other methods.

They found one in another, almost equally universal app: the calendar. Attackers are taking advantage of default settings in both Microsoft 365 and Google Workspace to bypass email filters and place any calendar invites, even potentially malicious ones, directly onto calendars. They are able to do this by sending benign emails and putting the malicious payloads in the calendar invites instead. The result is a high-trust, low-friction pathway for attackers to plant a credential-harvesting link or socially-engineered panic button.

Attackers are seeing success with this type of attack, and it's an increasingly common tactic for modern phishing campaigns that we’re seeing in the wild. The good news is that mitigations are available: there are simple native configuration changes you can make to prevent these attacks, which we’ll outline below. And Material can help provide even more comprehensive protection for when those native protections fail.

How the attack bypasses traditional protections

The core of this problem lies in the default behavior of all major cloud workspace platforms.

When a threat actor sends a malicious meeting invitation (often labeled with social engineering bait like "Urgent Payroll Update" or "Mandatory Meeting"), a few things happen immediately:

  • Automatic Event Creation: The event is automatically created in the target calendar, bypassing the traditional email-centric detections that most security tools (and human scrutiny) rely on.
  • High-Trust Interface: Calendars have not historically been a target of attackers, so events that appear in them are granted a level of trust different from email, lowering the user’s guard.
  • Payload Delivery: The malicious payloads are crafted into fields like Location, Description, or Video Conferencing/Join, which are likely to be clicked on by the user.

In many cases, the emails won’t contain any malicious payloads themselves, aside from the calendar file, so they will not be quarantined. Even if the email is reported by an employee after delivery and remediated, the calendar invite may remain on the calendar.
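To make the payload-delivery point concrete, the following added example (not from the original article) pulls links out of the clickable fields of an iCalendar file and flags hosts outside an allowlist. The function name `Get-InviteLinks`, the `$TrustedHosts` list, the `X-EXAMPLE-CONFERENCE` property and the sample invite are all constructed for illustration.

```powershell
# Added example: list links in the user-clickable fields of an iCalendar invite.
# The allowlist and the sample invite below are constructed for illustration.
$TrustedHosts = @('meet.google.com', 'teams.microsoft.com', 'zoom.us')

function Get-InviteLinks {
    param([Parameter(Mandatory)][string]$IcsText)

    # RFC 5545 folds long lines: a line break followed by a space or tab
    # continues the previous line. Unfold first, or a URL split across the
    # fold is missed.
    $unfolded = $IcsText -replace "\r?\n[ \t]", ''
    foreach ($line in ($unfolded -split "\r?\n")) {
        # Scan parameters and value of the fields a user is likely to click.
        if ($line -match '^(?<name>LOCATION|DESCRIPTION|URL|X-[A-Z0-9-]+)(?<rest>[;:].*)$') {
            $field = $Matches['name']
            # Stop at backslash so iCalendar escapes such as \n end the URL.
            foreach ($m in [regex]::Matches($Matches['rest'], 'https?://[^\s\\,;<>"]+')) {
                $linkHost = ([uri]$m.Value).Host.ToLowerInvariant()
                # Trusted means an exact host match or a subdomain of an allowlisted host.
                $trusted = [bool]($TrustedHosts | Where-Object {
                    $linkHost -eq $_ -or $linkHost.EndsWith(".$_")
                })
                [pscustomobject]@{
                    Field = $field; Url = $m.Value; Host = $linkHost; Trusted = $trusted
                }
            }
        }
    }
}

# Constructed invite: the DESCRIPTION link is split across a folded line.
$sample = @'
BEGIN:VCALENDAR
BEGIN:VEVENT
SUMMARY:Urgent Payroll Update
LOCATION:https://payroll-login.example/verify
DESCRIPTION:Review before the call: https://payroll-login.exam
 ple/doc\nJoin https://meet.google.com/abc-defg-hij
X-EXAMPLE-CONFERENCE:https://payroll-login.example/join
END:VEVENT
END:VCALENDAR
'@

# Show only links whose host is not on the allowlist.
Get-InviteLinks -IcsText $sample | Where-Object { -not $_.Trusted }
```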

Hardening your cloud office configuration

The most effective, immediate step you can take is to change how calendar events are added to calendars. This forces calendar invitations to remain in the user’s inbox until they are manually accepted. The result is that if a message with a malicious calendar attachment is remediated post-delivery, the events will have never been added to the calendar and no calendar cleanup is needed.

Google Workspace: The Admin console fix

For organizations on Google Workspace, the setting is straightforward and available in the Admin console.

We recommend configuring calendars to only add events from invitations users have responded to via email.

  1. Navigate to Admin Console > Apps > Google Workspace > Calendar.
  2. Select Advanced settings.
  3. Modify the Add invitations to Calendar setting.

Switching to this setting significantly reduces the attack surface. While a compromised internal or known-sender account is still a risk, this simple change stops the large-scale, unknown-sender spam that defines this attack type.

Microsoft 365: The PowerShell necessity

Unfortunately, Microsoft 365 does not offer a global setting for this behavior in the main Admin console. The setting, AutomateProcessing, must be disabled on a per-mailbox basis using PowerShell.

To enumerate and update all mailboxes to prevent automatic calendar processing, you must run a command like this:

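PowerShell

# Requires an Exchange Online PowerShell session (Connect-ExchangeOnline).
# Stops automatic calendar processing on every mailbox returned by Get-Mailbox.
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Set-CalendarProcessing -Identity $_.Identity -AutomateProcessing None
}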

Please note that both of these settings can be overridden on a per-mailbox basis by the mailbox owner. Along with running the above command, it’s a good idea to educate your employees on the risk of malicious calendar invites.
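Because mailbox owners can change the setting back, it helps to record each mailbox's current value and re-run the check periodically. The following is an added example, not the article's own script: the function name `Set-UserCalendarProcessingNone` is hypothetical, and restricting the scope to user mailboxes (so that room and equipment mailboxes that rely on automatic booking are left untouched) is an assumption made here.

```powershell
# Added example, not the article's own script. Assumes the ExchangeOnlineManagement
# module and an active session (Connect-ExchangeOnline) with rights to these cmdlets.
function Set-UserCalendarProcessingNone {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Assumption: only user mailboxes are in scope, so room and equipment
        # mailboxes that rely on automatic booking keep their current behaviour.
        [string[]]$RecipientTypeDetails = @('UserMailbox')
    )

    $mailboxes = Get-Mailbox -RecipientTypeDetails $RecipientTypeDetails -ResultSize Unlimited
    foreach ($mbx in $mailboxes) {
        $id = $mbx.PrimarySmtpAddress.ToString()
        # Record the value before changing it, so drift and rollbacks can be tracked.
        $current = (Get-CalendarProcessing -Identity $id).AutomateProcessing

        $changed = $false
        if ("$current" -ne 'None' -and
            $PSCmdlet.ShouldProcess($id, 'Set AutomateProcessing to None')) {
            Set-CalendarProcessing -Identity $id -AutomateProcessing None
            $changed = $true
        }
        [pscustomobject]@{ Mailbox = $id; Before = "$current"; Changed = $changed }
    }
}

# Dry run: nothing is modified; lists the mailboxes that would change.
Set-UserCalendarProcessingNone -WhatIf | Where-Object Before -ne 'None'
```

Running it again later without `-WhatIf` reapplies the setting only where a mailbox has drifted from `None`, and the `Before` column shows what each one had been set to.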

The case for layered, post-delivery defense

Even with a hardened configuration, your organization should prepare for the inevitable:

  • An internal account is compromised and is now sending malicious invites from within your organization.
  • A trusted partner’s account is abused and sends malicious invites from a trusted email address or domain.
  • A user manually accepts a malicious event that bypasses detections.

The administrative settings are a good first step, but they don't cover these scenarios. You need a layer of defense that can help clean up calendars when a malicious invite bypasses detections.

This is where Material comes in.

We can help mitigate malicious calendar attacks even after an event is added to the calendar. In addition, Material provides:

  • Threat Intelligence Overlays: We cross-reference event details against active threat intelligence feeds to identify invitations tied to known malicious senders.
  • Behavioral Inspection: We inspect calendar-event metadata for suspicious URLs, known-malicious hosting providers, and impersonation patterns.
  • Post-Delivery Cleanup: For events that have already been auto-added, Material can perform automated remediation. We can delete the malicious event directly from the calendar, eliminating the threat before the reminder notification ever hits the user's phone.

Preventing the attack is foundational. Being able to clean up the mess that inevitably gets through is what security that actually works looks like.
