
Meeting-invite phishing is the latest cybersecurity threat

IT pros share how to clear the calendar.

Billy Hurley has been a reporter with IT Brew since 2022. He writes stories about cybersecurity threats, AI developments, and IT strategies.

Like your favorite bosses, even phishers are setting up meetings that could’ve been an email.

Cybersecurity teams are facing an increase in calendar-invite phishing messages, IT leads recently shared with IT Brew. That’s a particularly dangerous tactic, given how invites exist beyond the inbox.

“Even if you’ve done an effective job of teaching your employees not to click on email links, there’s just an informality to invites that I think makes the social awareness more challenging,” Marty Barrack, chief legal and compliance officer at healthcare IT company XiFin, said.

An influx in invites. In an email to IT Brew, Google Workspace spokesperson Ross Richendrfer wrote that Google has seen a “definite uptick in the last year” in meeting-invite phishing tactics. (Lawrence Berkeley National Laboratories, for example, alerted users in October of Google invite attacks.)

Barrack, who’s also a member of the ISACA Emerging Trends Working Group, said malicious meeting-invite phishing currently makes up about a tenth of the phishing messages targeting the company—a radical change from 18 months ago, when the company hardly saw that type of attack.

Here’s how the attack works:

  • A calendar file (.ics) arrives via email.
  • Within those invites, adversaries add malicious links, phony tech support numbers, or attachments.
  • Depending on one’s calendar platform and settings, the invite can remain on the calendar even after the original email is reported or “soft” deleted (moved from an active view to a temporary space), according to Michael Welch, CISO at consultancy MorganFranklin Cyber.

“Users have come to trust the text-based .ics extension that is supported across many clients and their guard is down when it comes from outside the organization,” Welch wrote in an email to IT Brew, adding that his group has not noticed an uptick in the method.
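
A small triage check for the invite pattern described above, added here as an example (it is not code from the article, from IT Brew or from any vendor named): it unfolds a constructed .ics invite and flags the combination the attack relies on, an organizer outside the organization together with links, phone numbers or attachments in the event text. The internal-domain allowlist and all sample values are assumptions.

```python
import re

# Constructed sample invite (not a real artifact): external organizer, a link and a
# "support" number planted in the description, plus an ATTACH property. The long
# DESCRIPTION line is folded the way RFC 5545 allows (continuation starts with a space).
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR", "VERSION:2.0", "METHOD:REQUEST", "BEGIN:VEVENT",
    "UID:example-1@invite.example",
    "ORGANIZER;CN=Helpdesk:mailto:helpdesk@invite.example",
    "ATTENDEE;CN=Alice:mailto:alice@corp.example",
    "SUMMARY:Password expiry review",
    "DESCRIPTION:Your password expires today. Sign in at https://login.invite.exam",
    " ple/reset or call support at 1-800-555-0199.",
    "ATTACH:https://invite.example/invoice.pdf",
    "END:VEVENT", "END:VCALENDAR",
])

INTERNAL_DOMAINS = {"corp.example"}  # assumption: the organization's own mail domains

def unfold(ics_text):
    """Undo RFC 5545 line folding: a line starting with space/tab continues the previous one."""
    return re.sub(r"\r?\n[ \t]", "", ics_text).splitlines()

def properties(ics_text):
    """Return (NAME, value) pairs, dropping parameters such as ;CN=... from the name."""
    out = []
    for line in unfold(ics_text):
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        out.append((name.split(";")[0].upper(), value))
    return out

def triage_invite(ics_text, internal_domains=INTERNAL_DOMAINS):
    """Flag an external organizer combined with links, phone numbers or attachments."""
    props = properties(ics_text)
    organizer = next((v for n, v in props if n == "ORGANIZER"), "")
    org_domain = organizer.lower().removeprefix("mailto:").rsplit("@", 1)[-1]
    # Free-text fields where the article says lures (links, phony support numbers) get planted.
    text = " ".join(v for n, v in props if n in ("SUMMARY", "DESCRIPTION", "LOCATION", "URL"))
    findings = {
        "external_organizer": bool(org_domain) and org_domain not in internal_domains,
        "urls": re.findall(r"https?://[^\s,]+", text),
        "phone_numbers": re.findall(r"\+?\d[\d\-\s()]{7,}\d", text),
        "attachments": [v for n, v in props if n == "ATTACH"],
    }
    findings["suspicious"] = findings["external_organizer"] and any(
        findings[k] for k in ("urls", "phone_numbers", "attachments"))
    return findings

if __name__ == "__main__":
    print(triage_invite(SAMPLE_ICS))
```

The check is meant to run on invites pulled from a mail gateway or quarantine, not as a replacement for the client-side settings discussed below.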

What one pro did. Bill Holmberg, IT director at Wayne Transports, hadn’t seen this fake meeting ruse until last November, when employees clicked meeting links that led to replica logins, allowing phishers to send spam messages and spread attacks from familiar company accounts.

Holmberg recently spent time checking and unchecking boxes in Microsoft Outlook, enforcing configuration changes across the company’s email-system user base of about 225 employees. His actions included:

  • Disabling: “Automatically process meeting requests and responses to meeting requests and polls.”
  • Disabling: “Automatically accept meeting requests and remove canceled meetings.”
  • Enabling: “Don’t show event summaries in email or on my calendar.”
  • Setting: “Add invitations to my calendar” to “Only when I respond to the invitation.”

In a follow-up email with Holmberg, the director shared that the company uses a secure email gateway to warn users of strong phishing indicators. The global configuration adjustments only stop the automatic acceptance of invitations, he noted, and his IT team trains users to spot the threat.

Outlook does provide notifications for users when a sender is potentially suspicious, or at least “one you don’t often get mail from.”

What Microsoft says. “This is a challenging tactic because it bypasses current spam filters. Without any user interaction, the invitation is automatically added to the calendar, and can create a false sense of security. Additionally, with AI, attackers can also craft highly convincing emails that appear legitimate and could trick users,” Thomas Roccia, senior security researcher at Microsoft, wrote to IT Brew. He recommended:

  • Deleting the invitation and the email without interacting; do not click any links or reply.
  • Reporting the invite as spam using built-in functions and blocking the sender.
  • “Read carefully, avoid reacting too quickly, verify the origin, and ask yourself if the invitation seems legitimate,” Roccia wrote.

What Google says. Google Workspace customers can check their Calendar settings via the admin console to ensure invitations are only added when the sender is known. This “known senders” setting is an effective defense against invites from unknown senders, according to Richendrfer, and ensures users receive an alert warning about someone they haven’t interacted with previously.

Time for an all-hands meeting? Barrack sees a need to expand phishing training beyond the inbox: “I think that the level of effort that has gone into dealing with phish emails has not been reflected in phishing invites. So, I think that the industry and software vendors have some catch-up on this.”
