New Phishing Campaign Exploits Calendar Invites to Steal Tokens
Security researchers identify a shift toward "CalPhishing" tactics that bypass traditional email filters and persist in user workflows.
- By Jesse Jacobs
- May 15, 2026
Security researchers at Fortra Intelligence and Research Experts (FIRE) have uncovered an emerging phishing campaign that leverages calendar invites to bypass traditional security gateways. The campaign, which researchers link to the EvilTokens phishing kit, utilizes iCalendar (.ics) files to insert malicious links and attachments directly into employee schedules.
By shifting the attack vector from the email inbox to the calendar, threat actors can circumvent standard email security tools that often fail to scan calendar artifacts with the same rigor as standard messages.
Persistence and Delivery
The most critical aspect of this "CalPhishing" technique is its persistence. When a malicious invite is sent, the Outlook client typically processes the .ics file and places a tentative entry on the user’s calendar automatically.
Even if the original delivery email is flagged as spam or deleted by the user, the calendar entry remains active. This creates a longer window for interaction, as the user may eventually engage with the meeting via a desktop reminder or mobile notification.
The Attack Flow
Researchers identified two primary lures: urgent Microsoft 365 administrative alerts regarding failed domain renewals and requests for digital signatures on vendor invoices. The attack sequence typically follows a specific path:
- Initial Invite: The victim receives a meeting request containing an HTML attachment or a link masquerading as an admin portal.
- ConsentFix Exploitation: If the user clicks the link, they are directed to a legitimate Microsoft device authentication page.
- Token Theft: Using a technique known as "device code phishing" or ConsentFix, the attacker captures the session token once the user authenticates, granting the actor access to the account without needing a password.
Impact and Mitigation
A successful compromise allows threat actors to bypass multi-factor authentication (MFA) and move laterally through cloud environments. In cases involving privileged accounts, attackers may disrupt infrastructure or implement long-term persistence.
Security experts suggest that organizations review automatic calendar processing configurations and implement conditional access policies to restrict device code authentication flows. Standard remediation workflows must also be updated to include "hard-delete" actions that remove calendar artifacts rather than just the delivery email.