[Scams & Phishing News] Invitation to Trouble: The Rise of Calendar Phishing Attacks

Khushal (thread author), Apr 4, 2024
Cofense’s Phishing Defense Center warns that fake Microsoft and Google Calendar invites are used to steal credentials via spoofed emails and malicious links, urging users to verify sender details and avoid suspicious invites.


What Cofense is describing matches a common and effective social-engineering pattern: attackers abuse “calendar” language (invite/share/update/cancel) to get a click, then route the victim to a credential-harvest page.

In your screenshot, the “I’d like to share a Calendar with you” message has multiple red flags (especially the sender domain not matching Microsoft/Google, and a generic “Open calendar” button). I can’t confirm maliciousness from a screenshot alone, but this is absolutely consistent with calendar-phishing behavior.

What to do (safe handling)
  • Do not click the button or any links. If you need to inspect the URL, copy it without opening and submit it to VirusTotal (URL tab) from a safe environment.
  • Use your mail client’s “View message source / headers” to verify the true sending domain and authentication results (SPF/DKIM/DMARC). Many of these are spoofed or relayed in a way that looks convincing in the UI.
  • Report it as phishing in Outlook (Report Message / Report Phishing) or your provider’s reporting feature, then delete it.
  • Block the sender/domain if your environment allows it (mail rule or tenant-level block in M365/Google Workspace).

Hardening tips to reduce calendar-abuse impact
  • Microsoft 365/Outlook: review settings that auto-process invites (auto-add/auto-process meeting requests). Reducing “automatic processing” helps prevent junk invites from quietly creating entries/reminders.
  • Google Calendar: review “Add invitations to my calendar” behavior (many people set it to only show invites from known senders or only if you’ve responded).
  • Account security: ensure MFA is enabled (preferably authenticator app or FIDO2/security key) so stolen passwords alone are less useful.

If you already clicked or entered credentials
  • Change the password immediately (from a clean device) and enable/verify MFA.
  • Sign out of all sessions (Microsoft: “Sign out everywhere”; Google: security page -> sign out of other sessions).
  • Check recent sign-in/activity logs for unfamiliar IPs/locations and remove unknown devices/app passwords/OAuth grants.
  • Run a full scan with a reputable AV, and consider a second-opinion scan (e.g., Microsoft Defender + Malwarebytes/ESET Online Scanner).

If you want this discussed more technically on MalwareTips, the safest “next step” to share is the full email headers (remove personal info) and the link domain (not the full path if it contains identifiers). That’s typically enough for members to validate whether it’s simple spam, spoofing, or a credential-harvest campaign without anyone needing to click anything.
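A small header-triage script along the lines of the check the reply above describes (From vs. envelope sender, SPF/DKIM/DMARC verdicts, and the link domain to share rather than the full path). It is added here as an illustration and is not code from the thread, from MalwareTips or from Cofense; the sample message and every domain in it are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real message): a "share a calendar" lure whose
# visible From: looks like a calendar service, while the envelope sender and
# the receiving server's authentication verdicts do not line up with it.
SAMPLE_RAW = """\
From: "Calendar Sharing" <no-reply@outlook-invites.example>
Return-Path: <bounce@mailer-relay.example>
Subject: I'd like to share a Calendar with you
Authentication-Results: mx.corp.example;
 spf=pass smtp.mailfrom=mailer-relay.example;
 dkim=none;
 dmarc=fail header.from=outlook-invites.example

Open calendar: http://outlook-invites.example/open?u=abc123
"""

def _domain(header_value):
    """Lower-cased domain of the first address in a From:/Return-Path: value."""
    _name, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from all Authentication-Results headers."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
            verdicts[method.lower()] = result.lower()
    return verdicts

def link_domains(raw):
    """Hostnames of links in a plain-text body; share these, not the full URLs."""
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload()
    return sorted(set(re.findall(r"https?://([^\s/]+)", body, re.I)))

def triage(raw):
    """Return the red flags a header check surfaces; [] means none were found."""
    msg = message_from_string(raw)
    from_dom, rp_dom = _domain(msg["From"]), _domain(msg["Return-Path"])
    flags = []
    if rp_dom and rp_dom != from_dom:
        flags.append(f"envelope sender {rp_dom} != From domain {from_dom}")
    verdicts = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        if verdicts.get(method, "missing") != "pass":
            flags.append(f"{method}={verdicts.get(method, 'missing')}")
    return flags
```

Paste the full raw header block (personal details removed) into `SAMPLE_RAW` and call `triage()`; a DMARC fail or an envelope/From mismatch is the kind of evidence the thread asks for, without anyone clicking the link.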