GoDaddy: CalPhishing Scam Uses EvilTokens Kit, Outlook Invites to Steal M365 Sessions

Cybercriminals Exploit Calendar Invites in New "CalPhishing" Attack, Bypassing Security Controls

A newly uncovered cyberattack campaign, dubbed CalPhishing, is leveraging calendar invites to hijack user accounts, according to a report by Fortra Intelligence and Research Experts (FIRE). Active since early 2026, the attack exploits iCalendar (.ics) files to bypass traditional security measures, embedding malicious meetings directly into victims’ schedules without requiring them to open the original email.

How the Attack Works

The campaign begins with an email disguised as an urgent administrative alert; common subject lines include "Domain Renewal Failed" or "Reminder for Signature – Vendor Information Verification." Once processed by Outlook, the .ics file automatically adds a "tentative" meeting to the victim’s calendar, triggering official notifications and reminders. Hackers manipulate key fields within the invite:

  • Summary: Creates false urgency.
  • Location: References an "attached file" to appear legitimate.
  • Description: Contains phishing instructions.

When opened, the meeting displays an HTML file mimicking an admin portal. Clicking it initiates a series of redirects through Cloudflare to evade security scans.
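As an added example (not code from the FIRE report or the original article), the following triage script unfolds an .ics file and flags the field pattern described above: an urgent Summary, a Location that points to an attachment, a Description with a call to action, and an HTML attachment. The sample invite, the keyword lists and the function names are constructed assumptions for illustration.

```python
import re

# Constructed invite modelled on the lure described above (not a captured sample).
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR", "METHOD:REQUEST", "BEGIN:VEVENT",
    "SUMMARY:URGENT: Domain Renewal Failed - action required today",
    "LOCATION:See attached file",
    "DESCRIPTION:Your Microsoft 365 domain could not be renewed. Open the",
    "  attached file and follow the steps to verify your account.",  # folded line
    "ATTACH;FMTTYPE=text/html;X-FILENAME=portal.html;ENCODING=BASE64;"
    "VALUE=BINARY:PGh0bWw+",
    "END:VEVENT", "END:VCALENDAR",
])

# Hypothetical keyword heuristics; tune them to your own mail flow.
URGENCY = re.compile(r"urgent|failed|action required|reminder|expir|suspend", re.I)
ATTACH_REF = re.compile(r"attach(ed|ment)", re.I)
CALL_TO_ACTION = re.compile(r"https?://|\bverify|\bsign|\brenew|\blog ?in", re.I)
HTML_ATTACH = re.compile(r"text/html|\.html?\b")

def parse_events(ics_text):
    """Unfold RFC 5545 lines; return one {PROP: [(params, value)]} dict per VEVENT."""
    unfolded = re.sub(r"\r?\n[ \t]", "", ics_text)
    events, current = [], None
    for line in unfolded.splitlines():
        if line == "BEGIN:VEVENT":
            current = {}
        elif line == "END:VEVENT" and current is not None:
            events.append(current)
            current = None
        elif current is not None and ":" in line:
            # Simplification: assumes no quoted parameter value contains ':'.
            head, value = line.split(":", 1)
            name, *params = head.split(";")
            current.setdefault(name.upper(), []).append((";".join(params).lower(), value))
    return events

def triage(event):
    """Return the page's lure indicators that are present in one parsed VEVENT."""
    def text(prop):
        return " ".join(value for _, value in event.get(prop, []))
    checks = [
        ("urgent-summary", URGENCY.search(text("SUMMARY"))),
        ("location-references-attachment", ATTACH_REF.search(text("LOCATION"))),
        ("description-call-to-action", CALL_TO_ACTION.search(text("DESCRIPTION"))),
        # Only ATTACH parameters are inspected, never the (possibly base64) value.
        ("html-attachment", any(HTML_ATTACH.search(p) for p, _ in event.get("ATTACH", []))),
    ]
    return [name for name, hit in checks if hit]

if __name__ == "__main__":
    for event in parse_events(SAMPLE_ICS):
        print(triage(event))
```

An invite that trips several indicators at once is a candidate for quarantine or analyst review; any single indicator on its own is common in legitimate meetings.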

Two Primary Lures

Researchers identified two main deception tactics:

  1. Fake Microsoft 365 Domain Renewal Alerts – Directs victims to a spoofed GoDaddy page.
  2. Fake DocuSign Signature Requests – Tricks users into "signing" an invoice via a fraudulent portal.

The attack employs ConsentFix (also known as device code phishing), a technique that steals session tokens rather than passwords. Stolen tokens let hackers bypass multi-factor authentication (MFA), and the EvilTokens phishing kit, sold on Telegram, automates the process. Once an account is compromised, attackers can exfiltrate data, disrupt systems, or maintain persistent access.

Persistence and AI-Driven Automation

A key concern is the attack’s longevity: standard security tools often overlook .ics files due to their trusted nature. Even if the original email is deleted or marked as junk, the meeting remains on the calendar unless manually hard-deleted. FIRE researchers warn that threat actors are likely using AI to scale these attacks, ensuring victims remain exposed long after the initial compromise.

The report highlights the growing sophistication of phishing tactics, where seemingly benign calendar invites become a vector for account takeover and data breaches.

Source: https://hackread.com/calphishing-eviltokens-kit-outlook-invites-m365/

GoDaddy cybersecurity rating report: https://www.rankiteo.com/company/godaddy

"id": "GOD1778848590",
"linkid": "godaddy",
"type": "Cyber Attack",
"date": "1/2026",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'type': 'Businesses, Organizations'}],
 'attack_vector': 'Calendar invites (.ics files), Email',
 'data_breach': {'data_exfiltration': 'Possible (attackers maintain persistent '
                                      'access)',
                 'sensitivity_of_data': 'High (session tokens can bypass MFA)',
                 'type_of_data_compromised': 'Session tokens, User '
                                             'credentials'},
 'date_detected': '2026-01-01',
 'description': 'A newly uncovered cyberattack campaign, dubbed *CalPhishing*, '
                'leverages calendar invites to hijack user accounts by '
                'exploiting iCalendar (.ics) files to bypass traditional '
                'security measures. The attack embeds malicious meetings '
                'directly into victims’ schedules without requiring them to '
                'open the original email. The campaign uses fake Microsoft 365 '
                'domain renewal alerts and DocuSign signature requests to '
                'trick victims into granting access via device code phishing, '
                'bypassing multi-factor authentication (MFA).',
 'impact': {'brand_reputation_impact': 'Potential damage to brand reputation '
                                       'due to phishing attacks',
            'data_compromised': 'Session tokens, User credentials, Potentially '
                                'sensitive business data',
            'identity_theft_risk': 'High (session tokens and credentials '
                                   'compromised)',
            'operational_impact': 'Potential disruption of business '
                                  'operations, Unauthorized access to systems',
            'systems_affected': 'Microsoft 365 accounts, Email systems, '
                                'Calendar applications'},
 'initial_access_broker': {'backdoors_established': 'Session token theft '
                                                    '(EvilTokens phishing kit)',
                           'entry_point': 'Calendar invites (.ics files), '
                                          'Email'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Calendar invites (.ics files) can be exploited to bypass '
                    'traditional security measures. Security tools often '
                    'overlook .ics files due to their trusted nature. '
                    'Persistent access can be maintained even after the '
                    'initial email is deleted. AI-driven automation is being '
                    'used to scale phishing attacks.',
 'motivation': 'Account takeover, Data exfiltration, Persistent access',
 'post_incident_analysis': {'corrective_actions': 'Disable automatic '
                                                  'processing of .ics files, '
                                                  'Implement manual review '
                                                  'processes for calendar '
                                                  'invites, Enhance monitoring '
                                                  'for device code phishing '
                                                  'attempts',
                            'root_causes': 'Automatic processing of iCalendar '
                                           'files, Lack of scrutiny on '
                                           'calendar invites, Device code '
                                           'phishing (ConsentFix) enabling MFA '
                                           'bypass'},
 'recommendations': 'Manually review and hard-delete suspicious calendar '
                    'invites. Implement stricter controls on automatic '
                    'processing of .ics files. Educate employees on '
                    'recognizing phishing tactics in calendar invites. Monitor '
                    'for unusual session token activity. Deploy advanced '
                    'threat detection for device code phishing.',
 'references': [{'source': 'Fortra Intelligence and Research Experts (FIRE)'}],
 'response': {'third_party_assistance': 'Fortra Intelligence and Research '
                                        'Experts (FIRE)'},
 'title': 'CalPhishing Attack: Cybercriminals Exploit Calendar Invites to '
          'Hijack Accounts',
 'type': 'Phishing',
 'vulnerability_exploited': 'Automatic processing of iCalendar files, Trust in '
                            'calendar notifications, Device code phishing '
                            '(ConsentFix)'}