Criminals and other bad actors like spammers and phishers are always finding new ways to get to your inbox. Fake meeting requests or fake calendar invites are another example of them finding away to bypass filters and trick you into responding. In 2025 the latest trick to get past your spam filters is to attach a calendar invite (ICS) as an attachment to a normal email that is very generic.
What is a fake meeting or fake calendar invite.
The ICS calendar file format allows a bad actor to craft an invite and use it to hide the normal obvious signs that a sender’s message is malicious. Typically these invites use call to actions buttons to hide the bad actors URL and use the invites note field to help with their social engineering.
Why the fake calendar invite works.
Currently mail servers treat calendar invites differently from normal files like a Word, PDF or PowerPoint file. The invite gets added to your calendar, either as a needs to be accepted or automatically accepted meeting request. This behavior also happens in Teams and other collaboration platforms. If the message then gets quarantined or marked a spam by the system the calendar item stays on the recipient’s calendar.
If the end user has set their mail client settings to automatically process these invites then when a message is received it will automatically add the invite to the calendar and delete the message without the users intervention.
What you can do about it.
There are two strategies that can be used to combat this issues. The first one is configuring your calendar program’s default meeting invite behavior. The second is to configure your mail server to make exceptions when handling incoming invites in email. The second option isn’t for everyone but it can make sense for some organizations.
Your calendar program, like Outlook or GMail, or your collaboration program, like Teams, has a default behavior for incoming meeting invites. Turn off all automatic handling of meeting invites. This leaves the email message in your inbox or shared Team’s folder to be manually processed. It gives the end user a chance to ask why did I receive this invite.
The more drastic option is to configure your mail server to block messages with an invite.
I’m gather some other information to add to this section so check back later.
What is typical found in a fake calendar invite.
The first thing is urgency. I’ve seen examples that falsely indicate 1) your domain name is about to expire, 2) your health insurance is going to get cancelled in the next 72 hours, 3) you need to make a tax payment today and 4) your email account is getting suspended or the password expired.
The actual meeting invite will either have a socially engineered message with links that go to compromised servers or will have an attachment that does the social engineering.
Sometimes the invite will connect you to a live person in a fake call center either via a 3rd party meeting app, a phone call or messaging service.
Known bad “From” addresses and “Subject” lines.
This is a list of known bad From: addresses.
- Microsoft Domain Expiry <[email protected]>
This is a list of known bad Subject: lines
- URGENT: Expiry Alerts For {your domain} – {Date and timestamp in a full UTC mode}, ({Random number})
What you can do to help.
If you are a Microsoft client either with an on-premise Exchange server or with Office 365 you upvote this feedback request. I haven’t seen anything feedback vote for Google’s GMail service but if I find one I’ll add it here.
Did you get a clue?
If you got a clue and want to thank me, then visit the thank me page. It’s the best way to keep me publishing articles and keeping this site operation.
This site uses affiliate links. When you go to another site from here the link typically will have an affiliate code attached to it. Your actions on that site may earn a small commission for me. Read our affiliate link policy for more details.
{fin}
Reference
- None