Phishing Scam Exploits Microsoft Calendar Invites to Bypass Security

In a recent alarming development, users of Microsoft 365 and Outlook are being targeted by a phishing scheme that exploits the trust in calendar invites. The attack involves injecting fake billing alerts directly into users’ calendars, tricking them into interacting with potentially harmful content. Paul, a Microsoft 365 subscriber from Florida, shared his disturbing experience with this scam, where he received calendar events claiming his payment had failed without any prior interaction or email confirmation.

Unlike traditional phishing emails that rely on users clicking suspicious links, this scam is more insidious. It exploits the fact that calendar invite settings in Microsoft 365 can automatically add events to a user's calendar, which lends the lure a more legitimate and urgent appearance. The scam often includes malicious attachments or links embedded within the calendar event, making it a two-pronged attack on the user's security. This type of phishing tactic is not only effective but also difficult for traditional email security filters to detect, because it bypasses many of the usual checks.

Microsoft has taken some steps to address the issue, though users may still find themselves at risk. Newer versions of Outlook give users limited control over how calendar invites are handled: while older versions offer better options for ignoring or deleting events without triggering an alert, the newer versions have less functionality in this regard. As a result, users are advised to avoid any type of response to the event, including declining or previewing it, as doing so can notify the sender and confirm that their email address is active.

Experts recommend that users take proactive measures to protect themselves against such attacks. These include reviewing account activity, using strong antivirus software, and reporting suspicious events from the inbox rather than from the calendar view. The potential financial and personal-data impact of these attacks is significant, so users should remain vigilant and secure their accounts against the ongoing threat of phishing through calendar invites.
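To show what triaging such an invite can look like on the defender's side, here is an added example (not code from the article or from Microsoft) that parses an iCalendar invite by hand and flags the traits the article describes: an organizer outside the organisation's own domains, embedded attachments, embedded links, and payment-failure wording. The sample invite, the domains and the keyword list are all constructed for the example.

```python
import re

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
LURE_WORDS = ("payment failed", "billing", "invoice", "suspended", "update your")

def parse_vevent(ics: str) -> dict:
    """Properties of the first VEVENT (name -> values), with RFC 5545 line folding undone and parameters dropped."""
    lines = []
    for raw in ics.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]  # folded continuation of the previous line
        else:
            lines.append(raw)
    props = {}
    in_event = False
    for line in lines:
        if line == "BEGIN:VEVENT":
            in_event = True
        elif line == "END:VEVENT":
            break
        elif in_event and ":" in line:
            name, value = line.split(":", 1)
            props.setdefault(name.split(";", 1)[0].upper(), []).append(value)
    return props

def triage_invite(ics: str, trusted_domains: tuple) -> list:
    """Reasons an invite resembles the billing-alert lure; an empty list means nothing was flagged."""
    props = parse_vevent(ics)
    reasons = []
    organizer = " ".join(props.get("ORGANIZER", [])).lower()
    domain = organizer.rsplit("@", 1)[-1] if "@" in organizer else ""
    if domain and domain not in trusted_domains:
        reasons.append(f"organizer outside trusted domains: {domain}")
    if props.get("ATTACH"):
        reasons.append("invite carries attachment(s)")
    text = " ".join(props.get("SUMMARY", []) + props.get("DESCRIPTION", []) + props.get("LOCATION", []))
    if urls := URL_RE.findall(text):
        reasons.append("embedded link(s): " + ", ".join(urls))
    if hits := [w for w in LURE_WORDS if w in text.lower()]:
        reasons.append("payment/urgency wording: " + ", ".join(hits))
    return reasons

# Constructed sample modelled on the fake billing alert the article describes (not a real invite).
SAMPLE_INVITE = """BEGIN:VEVENT
ORGANIZER;CN=Billing:mailto:billing@example.invalid
SUMMARY:Action required: your Microsoft 365 payment failed
DESCRIPTION:Your subscription will be suspended. Update your card at https://example.invalid/pay
 -now
ATTACH;FMTTYPE=application/pdf:https://example.invalid/invoice.pdf
END:VEVENT"""
```

Calling `triage_invite(SAMPLE_INVITE, ("contoso.example",))` returns all four reasons, which is the kind of signal a mail-flow rule or a help-desk reporting workflow can act on before the event ever reaches a calendar.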