Sophisticated scam exploits flaw in Google and Microsoft: criminals use calendar invitations to carry out phishing


A new and sophisticated digital attack technique is allowing criminals to insert fake appointments, full of malicious links and attachments, directly into the calendars of Google Workspace and Microsoft 365 users. The tactic, called ICS phishing, exploits the functionality of automatically scheduling events via email, managing to bypass the security barriers that normally block suspicious messages in the inbox.

The email defense mechanism may even identify the malicious message and send it to quarantine, but the calendar event with all the scam content has already been created and remains on the victim’s calendar. This security gap represents a leap in the sophistication of attacks, focusing on an area — the calendar — that traditional API-based security solutions and gateways cannot effectively monitor or remediate after the event has been created.

How the scam works: from the inbox to the calendar

The vulnerability lies in the way Google and Microsoft process the .ics (Internet Calendar Scheduling) format, the standard for calendar invitations. When receiving an email with this file attached, both platforms automatically create the event in the calendar, without requiring any confirmation or click from the user, a feature designed to facilitate the corporate routine.


The problem is made worse because most email security solutions do not have the ability to remove malicious entries already created in calendars. The original message may be deleted, but the schedule remains active.

In Microsoft 365, the situation is particularly critical, as the platform automatically transfers email attachments to the calendar event. This means that a dangerous attachment, such as a malicious PDF or HTML file, migrates from the blocked message to the calendar event without undergoing further security analysis.

Trust Abuse Strategies and Conflicting Instructions

One of the attacks identified shows how criminals use legitimate services to give the scam credibility. In this case, FreeConferenceCall.com, a real platform for virtual meetings, was used to schedule a conference call.

  • The scammer schedules a legitimate meeting on the service, which generates the standard invitation with access data.
  • In the body of the email, a “conflicting instruction” is inserted: a message that asks the victim to ignore the automatic data and call an alternative telephone number, controlled by the criminal.
  • The calendar invitation .ics file is generated with the malicious information, ensuring that the fake number reaches the victim’s calendar.
  • The victim, upon seeing the official event on the calendar days later, calls the number and falls directly into voice phishing.

QR code attacks and professional phishing kit

Other tactics reveal the investment in professionalism on the part of the attackers. A minimalist attack uses an almost empty email, containing just an attached PDF with a credential-stealing QR code.

The PDF pretends to be a Docusign document and instructs the victim to scan the QR Code with their cell phone to “verify your document” or “sign the pending contract”. Because the attachment is transferred to the calendar event, the victim can access it directly from their calendar, months after the original email was discarded. The use of QR Codes is strategic, as many security systems do not analyze their content, and action on a cell phone can bypass corporate protections.

A third example demonstrates high sophistication. The fake event not only uses psychological triggers such as urgency and fear of loss (“Your domain company.com.br expires in 48 hours”) but also blocks the entire week in the victim’s calendar under the title of “SERVICE INTERRUPTION”. To increase credibility, the event’s attendee list includes fictitious guests with generic names such as “Administrator” and “IT Support”, simulating involvement from other areas of the company.

The malicious payload of this attack is an attached HTML file that, when opened, executes a complete phishing kit locally on the victim’s computer, creating a fake Microsoft Domain Services page in the temporary directory, which makes detection more difficult for network filters.
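The indicators described across the three examples above (links and attachments carried into the event, a "conflicting instruction" redirecting the victim to another phone number, urgency lures in the title, generic attendee names, and a multi-day block on the calendar) can be checked directly against the .ics file before or after the event is created. The following is an added illustration, not code from the article or from any vendor: a small RFC 5545 parser built only on the Python standard library, plus heuristic scoring rules derived from those indicators. The sample invitations, the `X-FILENAME` parameter, the thresholds and the keyword lists are all constructed for the demo.

```python
"""Heuristic triage of .ics calendar invitations for ICS-phishing indicators.

Added example (not from the article): a minimal RFC 5545 parser on the
standard library plus scoring rules drawn from the indicators the article
describes. Every sample value below is constructed for the demo.
"""
import re
from datetime import datetime

# Constructed invitation modelled on the "domain expiry" lure in the article.
# Lines starting with a space are RFC 5545 folded continuations.
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
METHOD:REQUEST
BEGIN:VEVENT
UID:demo-event-1@example.invalid
DTSTART:20240304T080000Z
DTEND:20240308T180000Z
SUMMARY:SERVICE INTERRUPTION
DESCRIPTION:Your domain company.example expires in 48 hours. Ignore the
  automatic dial-in and call +1-555-0100 to renew. Details: http://renew.
 example.invalid/verify
ORGANIZER;CN=Registrar Support:mailto:support@registrar.example
ATTENDEE;CN=Administrator:mailto:admin@company.example
ATTENDEE;CN=IT Support:mailto:it@company.example
ATTACH;FMTTYPE=text/html;X-FILENAME=renewal.html:cid:attachment1
END:VEVENT
END:VCALENDAR
"""

# Constructed benign invitation used as a control.
BENIGN_ICS = """BEGIN:VCALENDAR
VERSION:2.0
BEGIN:VEVENT
UID:demo-event-2@example.invalid
DTSTART:20240304T090000Z
DTEND:20240304T093000Z
SUMMARY:Weekly sync
ATTENDEE;CN=Ana Silva:mailto:ana@company.example
END:VEVENT
END:VCALENDAR
"""

URL_RE = re.compile(r"https?://\S+", re.I)
URGENCY_RE = re.compile(r"\b(expires?|48 hours|interruption|suspend|immediately|urgent)\b", re.I)
# "ignore ... call/dial": the conflicting-instruction pattern from the article.
REDIRECT_RE = re.compile(r"\bignore\b.*\b(call|dial)\b", re.I | re.S)
GENERIC_NAMES = {"administrator", "it support", "helpdesk", "security team"}
RISKY_TYPES = {"text/html", "application/pdf"}
MIN_SUSPICIOUS_DAYS = 4  # assumed threshold for "blocks the whole week"


def unfold(text):
    """Join folded lines: a line beginning with space/tab continues the previous one."""
    lines = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines


def parse_events(text):
    """Return a list of VEVENT dicts: property name -> {"value", "params"}."""
    events, current = [], None
    for line in unfold(text):
        name_params, _, value = line.partition(":")
        name, *params = name_params.split(";")
        name = name.upper()
        if name == "BEGIN" and value.upper() == "VEVENT":
            current = {"ATTENDEE": [], "ATTACH": []}
        elif name == "END" and value.upper() == "VEVENT":
            events.append(current)
            current = None
        elif current is not None:
            prop = {"value": value,
                    "params": {k: v.strip('"') for k, v in
                               (p.split("=", 1) for p in params if "=" in p)}}
            if name in ("ATTENDEE", "ATTACH"):
                current[name].append(prop)  # multi-valued properties
            else:
                current[name] = prop
    return events


def parse_dt(value):
    for fmt in ("%Y%m%dT%H%M%SZ", "%Y%m%dT%H%M%S", "%Y%m%d"):
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            pass
    return None


def triage_event(ev):
    """Return a list of human-readable findings for one VEVENT."""
    findings = []
    text = " ".join(ev.get(k, {}).get("value", "") for k in ("SUMMARY", "DESCRIPTION"))
    if URL_RE.search(text):
        findings.append("link in event body")
    if URGENCY_RE.search(text):
        findings.append("urgency/fear lure in title or description")
    if REDIRECT_RE.search(text):
        findings.append("conflicting instruction (ignore dial-in, call another number)")
    for att in ev["ATTACH"]:
        fmt = att["params"].get("FMTTYPE", "").lower()
        fname = att["params"].get("X-FILENAME", "").lower()
        if fmt in RISKY_TYPES or fname.endswith((".html", ".htm", ".pdf")):
            findings.append(f"risky attachment carried into the event: {fname or fmt}")
    generic = [a["params"].get("CN", "") for a in ev["ATTENDEE"]
               if a["params"].get("CN", "").lower() in GENERIC_NAMES]
    if generic:
        findings.append("generic attendee names: " + ", ".join(generic))
    start = parse_dt(ev.get("DTSTART", {}).get("value", ""))
    end = parse_dt(ev.get("DTEND", {}).get("value", ""))
    if start and end and (end - start).days >= MIN_SUSPICIOUS_DAYS:
        findings.append(f"blocks {(end - start).days} days of the calendar")
    return findings


def triage(text):
    """Map each event UID to its findings; an empty list means nothing flagged."""
    return {ev.get("UID", {}).get("value", "?"): triage_event(ev) for ev in parse_events(text)}


if __name__ == "__main__":
    for uid, findings in {**triage(SAMPLE_ICS), **triage(BENIGN_ICS)}.items():
        print(uid, "->", findings or ["no indicators"])
```

The rules are deliberately coarse: they are meant to run over invitations as they arrive (or over events already created, since the article notes the gateway may quarantine the mail after the event exists) and to surface candidates for review, not to replace blocking automatic event creation, which the article identifies as the primary mitigation.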

Mitigation measures to protect corporate accounts

It is essential that companies and users review the security settings of their accounts. You can configure Google Workspace and Microsoft 365 to block automatic invitations, requiring user confirmation before creating the calendar event.

This simple configuration change is the most effective way to mitigate the risk of ICS phishing, ensuring that the malicious event does not materialize in the calendar even if the email is not completely intercepted by the security gateway. Employee awareness of the nature of the attack is a crucial complement.

The security hole exploited in ICS

The success of phishing via calendar invitations is due to the blindness of defense systems in relation to the backend of productivity platforms. Criminals exploited a loophole that most companies didn’t know existed, turning a productivity tool into a persistent and difficult-to-remove attack vector. Adopting new cybersecurity strategies that actively monitor calendar services is urgent to neutralize this evolving threat.
