Attackers Disguise Malware as Calendar Invite Attachment

December 9, 2021

Meeting invites are one of the most common types of emails sent today, so it should come as no surprise that attackers have found a way to manipulate them. Multiple organizations that utilize Abnormal Security recently received emails which contained a .ics attachment—an invitation file commonly used to populate online calendar applications with meeting and event information.

The potential danger arises when a user clicks on the supposed ICS file, unknowingly commencing the process to download malware exploiting the Dynamic Data Exchange (DDE) vulnerability present in Microsoft applications.

About the Calendar Invite Attack

First discovered in summer 2021, calendar invite attacks (CIAs) have been increasingly targeting Abnormal customers across a wide range of industries. Unlike credential phishing attacks, which request a recipient’s login credentials for a popular email service provider or other service, calendar invite attacks are disguised as ICS files, which are commonly used to reserve time on the recipient’s calendar application for an event such as a Zoom or Microsoft Teams meeting.

Unfortunately, the popularity of hosting events or holding meetings virtually makes it easier than ever for bad actors to persuade recipients into clicking a malicious attachment masquerading as a calendar invite file. In this example, the email simply states “download to read” and includes an ICS file attachment.

Calendar invite email

Because the attachment is a known file type, these attacks bypass traditional email security tools and may trick recipients into opening them, believing the file type to be safe.

Calendar attachment

Using Social Engineering for ICS Attacks

Before analyzing the contents of the malware, let’s take a look at the social engineering techniques involved in this attack. In this campaign, attacks with the same subject line were sent to various types of organizations, including media companies.

It would not be unforgiving to speculate that, given the subject line and the sender domain, the recipient was perhaps expecting information regarding a judgment for an employee against a school district in California, as noted in this article. By targeting those who would be most interested in the information, the attacker encourages recipients to click—ultimately downloading the malware that has bypassed security filters with its ICS file type.

Making it even harder to detect, the attack passed authentication from the sender domain. Further analysis by Abnormal shows that the messages were sent from numerous different country domains, including India, Italy, and South Korea, all containing vague and succinct language that was followed by a .ics attachment ready to be downloaded.

The Virus That Evades Antivirus

What makes this attack quite dangerous when compared to others is how much more covert it is. The bad actor simply has to find a way to force the recipient into commencing the Dynamic Data Exchange (DDE) protocol, a protocol in which a plethora of Microsoft applications use to communicate with one another, and provide a prompt to ask the user whether they would like the application to run. The most active portion of the code has been highlighted below.

Calendar invite malware code

Upon completion, the malware has been installed after which the threat actor can perform a variety of nefarious acts.

Detecting and Removing the Calendar Invite Attack

Fortunately for the customer described in this scenario, the attack was stopped within nine seconds of reaching the user’s mailbox. It was remediated once again when a carbon copy of the attack was received by the same user five days later.

And it appears that this attack type may not be going away in the near future, as cybercriminals have found a new way to bypass secure email gateways. After all, ICS files are used in millions of legitimate emails each day, and recipients are likely to click on something they see as familiar.

In the dozens of calendar invite attacks that have been found since, Abnormal’s machine learning algorithm and security analysts worked in tandem to label each calendar invite attack as malicious, remediating it from the recipients' inboxes before the malware could be accessed.

To learn how Abnormal detects ICS file attacks, without blocking all calendar invitations sent to your organization, request a demo today.

Related Posts

Blog customer communications leads to product innovation
Learn how customers have influenced the latest round of product enhancements to better protect your organization from email-borne threats.
Read More
Blog attack detection efficacy cover
Abnormal’s relentless pursuit of innovation significantly improves the detection efficacy of hidden payloads in emails by an additional 5%.
Read More
Blog mnru cover
Estimating both the time and cost to complete a task has been a continual challenge for engineering teams as long as I’ve been working in industry. Coordinating the complex interactions and execution task sequencing across multiple tasks and people is a complex, ever-evolving challenge, and one that most teams struggle with daily.
Read More
Blog what do phishing emails cover
Phishing attacks are on the rise; the FBI reports that such attacks cost $54 billion in 2020, and phishing complaints increased by a whopping 110% from 2019 to 2020. If you're one of the many people targeted by a phishing email, you're not alone.
Read More
Blog holiday scams cover
We've arrived at that time of year—a time for reflection and celebration and spending time with family, and also that time of year where the cyber grinches hope to spoil the holiday fun.
Read More
Log4j email blog cover
Over the last few days, Abnormal has successfully blocked multiple attempts by attackers to deliver emails similar to these to our customers’ unsuspecting end users.
Read More
Blog securitry privacy cover
Customers place tremendous trust in Abnormal to protect them from the full spectrum of attacks when they provide us access to the email stored in Microsoft 365 or Google Workspace. To that end, we’re focused on protecting your data and building your trust.
Read More
Blog podcast role cto
Tim Tully, Partner at Menlo Ventures, grew up in Silicon Valley, where a love for coding was kindled in him. Tim is a technologist to the core, which innately led him to become an elite technical leader at companies like Splunk and Yahoo.
Read More
Blog canadian visa cover
Abnormal Security recently identified a scam aimed at the Canadian electronic travel authorization (eTA) program, which bears a striking resemblance to a long-standing fraud scheme described in our post from several weeks ago targeting TSA travel program applicants.
Read More
Automate abuse mailbox cover
Managing and monitoring an Abuse Mailbox can be a significant pain point for IT security teams, particularly large organizations with thousands of employees.
Read More
Blog calendar invite attack cover
Meeting invites are one of the most common types of emails sent today, so it should come as no surprise that attackers have found a way to manipulate them. Scores of recipients that utilize Abnormal Security recently received emails that contained a .ics attachment—an invitation file commonly used to populate online calendar applications with meeting and event information.
Read More
Blog saving memory python cover
At a hyper-growth startup, a solution from six months ago will unfortunately no longer scale. The business is growing rapidly, and this traffic to this service in particular was growing at an unprecedented rate. We hit a point where it needed re-architecting to support 10x the current scale.
Read More