Microsoft Outlook email inbox

New Phishing Campaign Exploits Calendar Invites to Steal Tokens

Security researchers identify a shift toward "CalPhishing" tactics that bypass traditional email filters and persist in user workflows.

Security researchers at Fortra Intelligence and Research Experts (FIRE) have uncovered an emerging phishing campaign that leverages calendar invites to bypass traditional security gateways. The campaign, which researchers link to the EvilTokens phishing kit, utilizes iCalendar (.ics) files to insert malicious links and attachments directly into employee schedules.

By shifting the attack vector from the email inbox to the calendar, threat actors can circumvent standard email security tools that often fail to scan calendar artifacts with the same rigor as standard messages.

Persistence and Delivery

The most critical aspect of this "CalPhishing" technique is its persistence. When a malicious invite is sent, the Outlook client typically processes the .ics file and places a tentative entry on the user’s calendar automatically.

Even if the original delivery email is flagged as spam or deleted by the user, the calendar entry remains active. This creates a longer window for interaction, as the user may eventually engage with the meeting via a desktop reminder or mobile notification.

The Attack Flow

Researchers identified two primary lures: urgent Microsoft 365 administrative alerts regarding failed domain renewals and requests for digital signatures on vendor invoices. The attack sequence typically follows a specific path:

  • Initial Invite: The victim receives a meeting request containing an HTML attachment or a link masquerading as an admin portal.
  • ConsentFix Exploitation: If the user clicks the link, they are directed to a legitimate Microsoft device authentication page.
  • Token Theft: Using a technique known as "device code phishing" or ConsentFix, the attacker captures the session token once the user authenticates, granting the actor access to the account without needing a password.

Impact and Mitigation

A successful compromise allows threat actors to bypass multi-factor authentication (MFA) and move laterally through cloud environments. In cases involving privileged accounts, attackers may disrupt infrastructure or implement long-term persistence.

Security experts suggest that organizations review automatic calendar processing configurations and implement conditional access policies to restrict device code authentication flows. Standard remediation workflows must also be updated to include "hard-delete" actions that remove calendar artifacts rather than just the delivery email.

About the Author

Jesse Jacobs is assistant editor of SecurityToday.com.

Featured

New Products

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame.

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions.

  • Schlage Sense Pro

    Schlage Sense Pro™ Smart Deadbolt

    Deliver true hands-free entry and reliable smart home integration with a premium deadbolt featuring Schlage Converge™ technology and native Matter over Thread support.