The Rise in Spam Calendar Invites Clogging Recipient Inboxes

As spammers become more sophisticated across cloud services, Abnormal is addressing new attacks including this recent malicious calendar invite.
December 27, 2022

Most of us are no stranger to calendar spam. This occurs when random invitations and appointments appear on your calendar, even if you’ve never opened or accepted them. Attackers can embed malicious software within these seemingly typical calendar invites making them challenging to detect and infinitely more dangerous once they gain access to your email account.

In addition, calendar spam clogs up your inbox, making it extremely difficult to keep up with the work you need to focus on. Filtering and clearing out this spam is very time-consuming and attacks often slip through the cracks, creating much larger issues like the one we recently detected here at Abnormal.

Let’s take a deeper look at calendar spam in this real-world example.

Attack Summary

In a recently detected attack, email messages were sent to multiple recipients from various unknown senders using The subject fields of these messages were blank and the body of the email included NSFW links. The goal of this attack was to impact productivity.

  • Platform: Microsoft 365

  • Targets: Users Utilizing Outlook Calendar Invites

  • Payload: Malicious Link

  • Technique: Calendar Invite Impersonation

Attack Technique

A calendar invite that included NSFW link was sent from an unknown sender. For M365 tenants, no .ics file or any other attachment was linked within the calendar invite, which made it unclear that this was a calendar invite. However, Google Workspace tenant recipients of this spam message were better able to help Abnormal identify this type of attack as a calendar invite bomb campaign.

Spam Calendar Invite with .ics Attachment

For O365 customers there was no .ics or any other attachment linked within the calendar invite.

Spam calendar invite

Spam Calendar Event

Thanks to a report from a GSuite customer, we learned this actually was a calendar invite, since O365 generates calendar invitations from Outlook and sends them directly to Outlook without any attachments.

Spam Calendar Blur

Abnormal’s Response

Abnormal actively invested in identifying these messages as calendar invites which helped our detection stack detect future meeting invites from unknown senders from email hosting domains containing young domain links. The following features were added to catch similar messages from entering the customer’s environment.

  1. The first feature was aimed at rapidly containing the spam campaign while still catching most of the newer variants. Signals such as adult vocabulary, sender frequency, frequency of the sender domain to the domain seen in the message body, empty subject line, and the sender being from a free email service.

  2. Longer term, the second feature is aimed at the purpose of detecting future variants and is independent of any text-based signals. This feature uses signals such as the sender being from a free email service, limited body text, number of recipients per message, and domain age.

  3. We also extended email parsing capabilities to more accurately identify Outlook calendar invites within O365 environments. This allows us to detect calendar invite-type emails with very high precision and recall, which will ultimately improve our detection stack.

Prevent Spam Calendar Invites

Customer Impact

Abnormal customers impacted by this attack were mainly in the financial, manufacturing, and media industries. As spammers become more sophisticated across cloud services, Abnormal is addressing new attacks quickly. Within one week, Abnormal updated its detection model to remediate the emails from existing campaigns and prevent similar future campaigns. In the six days since implementing this update, more than 100 similar campaigns have been flagged and remediated out of customer inboxes.

Want to enjoy a similar peace of mind? Schedule a demo to learn more about how Abnormal can detect and remediate spam calendar invites from your organizations' inboxes today.

The Rise in Spam Calendar Invites Clogging Recipient Inboxes

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.


See the Abnormal Solution to the Email Security Problem

Protect your organization from the full spectrum of email attacks with Abnormal.

Integrates Insights Reporting 09 08 22

Related Posts

B Complex Case of Account Compromise Blog
Discover how Abnormal helped one organization detect the sophisticated tactics an attacker used to compromise an employee's email account.
Read More
B Cross Platform Account Takeover
Discover the dangers of cross-platform account takeover, the challenges of detecting this attack, and how to implement proactive protection against ATO.
Read More
B 5 17 24 Legal
Learn how cybercriminals use superficial disclaimers to deceive others while facilitating illegal activity on cybercrime forums.
Read More
B Cybersecurity Influencers Blog 2024
Stay up to date on the latest cybersecurity trends, industry news, and best practices by following these 15 innovative and influential thought leaders on social media.
Read More
B 5 13 24 Docusign
Cybercriminals are abusing Docusign by selling customizable phishing templates on cybercrime forums, allowing attackers to steal credentials for phishing and business email compromise (BEC) scams.
Read More
Abnormal employees honored as CRN 2024 Women of the Channel for their influential leadership in the tech industry.
Read More