Calendar invites were built to make collaboration simple. In Outlook, they organize schedules, align teams, and keep the workday moving. But the same scheduling tools that help enterprises run smoothly are being leveraged against them.

Attackers are now using calendar invites as a quiet entry point. By sending what appear to be legitimate meeting requests, they can exploit Outlook’s logic to automatically add events to user calendars. These messages look routine, but the meetings they create are anything but. A single invitation can open the door to unwanted or malicious content that lingers after the email disappears.

To address the rise of calendar-based phishing campaigns, Abnormal has launched Calendar Invite Remediation. This capability automatically removes malicious or unwanted calendar events that Outlook generates from phishing or spam messages, preventing users from interacting with them. The solution extends Abnormal’s protection beyond the inbox, applying the same precision and intelligence that safeguard email to the calendar.

Attackers are increasingly using calendar data as a new vector to reach users. By embedding calendar details in phishing and spam emails, they exploit how Outlook interprets scheduling information and automatically adds events to user calendars.

Abnormal has identified two primary methods behind these attacks. The first involves .ics attachments that Outlook reads as legitimate meeting requests. The second is harder to spot: embedded invites hidden in the email’s raw EML code. These invites are added so quietly that nothing in the message body hints at a meeting, but Outlook still creates the event as soon as the message is delivered.

Abnormal detects these calendar invites by examining message headers, attachments, and MIME types that reveal hidden scheduling data. These indicators show when a message contains a concealed or attached invite, while Abnormal’s behavioral analysis determines whether the original email is malicious. Together, these capabilities enable Calendar Invite Remediation to remove any associated events once a phishing or spam message is remediated, maintaining consistent protection across both email and calendar.

Abnormal recently detected a credential-phishing campaign disguised as a Microsoft Teams meeting notification. The emails closely mimicked legitimate Teams reminders, including meeting details, passcodes, and a Join the Meeting Now button.

Key characteristics of the campaign:

• Authentic appearance: Each message passed SPF, DKIM, and DMARC validation, giving it the technical legitimacy needed to bypass reputation-based filters.

• Auto-created calendar event: The email included an .ics attachment that prompted Outlook to automatically create a calendar event titled Reminder of Scheduled Meeting.

• Convincing details: A real meeting ID, passcode, and Microsoft branding reinforced the illusion of authenticity.

Clicking Join the meeting now opened what looked like a legitimate Microsoft login page. In reality, the link redirected to a compromised Azure Web App hosting a malicious OAuth authorization request. The unverified app Please Confirm Attendance – Meeting Request requested permissions to read the user’s profile and maintain continuous access to their data. Granting those permissions would have given attackers persistent access to Microsoft 365 through legitimate API calls, bypassing password and MFA protections.

With Calendar Invite Remediation, Abnormal can now stop similar attacks by:

• Containing attacks before users can engage: Abnormal detects and remediates phishing emails before any user interaction.

• Removing malicious meetings automatically: Calendar Invite Remediation eliminates the Outlook-generated events, preventing users from seeing or clicking lingering invites.

• Protecting the user experience: Legitimate calendar events remain unaffected, preserving trust in daily scheduling.

• Providing consistent coverage across surfaces: Detection and response apply seamlessly across both email and calendar, with every event visible in the Threat Log for investigation.

When Abnormal detects and remediates a phishing or spam message, the system checks whether it created a related calendar event. If so, Abnormal uses authorized Graph API calls to delete the confirmed unwanted event. This process ensures only malicious items are removed, while legitimate meetings remain untouched. Through guided setup, customers grant Graph API and PowerShell permissions for both deletion and restoration, enabling recovery if a message is later marked safe. The result is precise, reliable remediation that preserves normal scheduling and user trust. Automated removal eliminates manual cleanup and reduces investigation workload.

Attackers constantly develop new ways to reach users, and Abnormal stays ahead by anticipating where those threats will surface next. Calendar Invite Remediation extends protection beyond the inbox to the tools employees rely on every day. By connecting detection, response, and remediation across email and calendar data, Abnormal gives organizations confidence their defenses are ready whenever bad actors change tactics.

Ready to see how Abnormal stops evolving attacks across cloud email and calendar environments? Request a personalized demo.