
The Rise in Spam Calendar Invites Clogging Recipient Inboxes

As spammers become more sophisticated across cloud services, Abnormal is addressing new attacks including this recent malicious calendar invite.
December 27, 2022

Most of us are no strangers to calendar spam. This occurs when random invitations and appointments appear on your calendar, even if you’ve never opened or accepted them. Attackers can embed malicious software within these seemingly typical calendar invites, making them challenging to detect and infinitely more dangerous once they gain access to your email account.

In addition, calendar spam clogs up your inbox, making it extremely difficult to keep up with the work you need to focus on. Filtering and clearing out this spam is very time-consuming and attacks often slip through the cracks, creating much larger issues like the one we recently detected here at Abnormal.

Let’s take a deeper look at calendar spam in this real-world example.

Attack Summary

In a recently detected attack, email messages were sent to multiple recipients from various unknown senders using outlook.com. The subject fields of these messages were blank and the body of the email included NSFW links. The goal of this attack was to impact productivity.

  • Platform: Microsoft 365

  • Targets: Users Utilizing Outlook Calendar Invites

  • Payload: Malicious Link

  • Technique: Calendar Invite Impersonation

Attack Technique

A calendar invite that included an NSFW link was sent from an unknown sender. For M365 tenants, no .ics file or any other attachment was linked within the calendar invite, which made it unclear that this was a calendar invite. However, Google Workspace tenant recipients of this spam message were better able to help Abnormal identify this type of attack as a calendar invite bomb campaign.

[Image: Spam calendar invite with .ics attachment]

For O365 customers there was no .ics or any other attachment linked within the calendar invite.

[Image: Spam calendar invite]

[Image: Spam calendar event]

Thanks to a report from a GSuite customer, we learned this actually was a calendar invite, since O365 generates calendar invitations from Outlook and sends them directly to Outlook without any attachments.


Abnormal’s Response

Abnormal actively invested in identifying these messages as calendar invites, which helped our detection stack detect future meeting invites from unknown senders at email hosting domains that contain links to young domains. The following features were added to keep similar messages from entering the customer’s environment.

  1. The first feature was aimed at rapidly containing the spam campaign while still catching most of the newer variants. It uses signals such as adult vocabulary, sender frequency, frequency of the sender domain to the domain seen in the message body, empty subject line, and the sender being from a free email service.

  2. Longer term, the second feature is aimed at detecting future variants and is independent of any text-based signals. This feature uses signals such as the sender being from a free email service, limited body text, number of recipients per message, and domain age.

  3. We also extended email parsing capabilities to more accurately identify Outlook calendar invites within O365 environments. This allows us to detect calendar invite-type emails with very high precision and recall, which will ultimately improve our detection stack.
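One way the signals listed above could be combined, as an added example that is not Abnormal's detection code. The thresholds, the free-mail list, the `Content-Class` header check for invites that carry no .ics part, the domain-age lookup table and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

FREE_MAIL = {"outlook.com", "gmail.com", "yahoo.com"}  # assumed, not exhaustive
# Assumed thresholds: the article names the signals, not their values.
MAX_BODY_CHARS, MIN_RECIPIENTS, YOUNG_DAYS, MIN_HITS = 200, 5, 30, 4

def is_calendar_invite(msg):
    """Invite = iCalendar REQUEST part, or (assumption) an Exchange calendar Content-Class."""
    for part in msg.walk():
        if part.get_content_type() == "text/calendar":
            return (part.get_param("method") or "").upper() == "REQUEST"
    return msg.get("Content-Class", "").lower().endswith("calendarmessage")

def signals(msg, domain_age_days):
    """Text-independent signals from the second feature, plus the empty subject line."""
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    # Samples are 7bit text, so no transfer decoding is done here.
    body = "".join(p.get_payload() for p in msg.walk()
                   if p.get_content_type() == "text/plain")
    link_domains = {d.lower() for d in re.findall(r"https?://([^/\s:]+)", body)}
    return {
        "free_mail_sender": sender_domain in FREE_MAIL,
        "empty_subject": not (msg.get("Subject") or "").strip(),
        "limited_body": len(body.strip()) <= MAX_BODY_CHARS,
        "many_recipients": len(rcpts) >= MIN_RECIPIENTS,
        # Unknown age is treated as young: a policy choice made for this example.
        "young_link_domain": any(domain_age_days.get(d, 0) < YOUNG_DAYS
                                 for d in link_domains),
    }

def is_invite_spam(raw, domain_age_days):
    """Flag only messages that are invites AND trip enough of the signals."""
    msg = message_from_string(raw)
    return is_calendar_invite(msg) and sum(signals(msg, domain_age_days).values()) >= MIN_HITS

# Constructed samples (not taken from the campaign); *.example domains are placeholders.
SPAM = """From: a1@outlook.com
To: u1@example.com, u2@example.com, u3@example.com, u4@example.com, u5@example.com
Subject:
Content-Class: urn:content-classes:calendarmessage
Content-Type: text/plain

http://new-site.example/x
"""
BENIGN = ("From: pm@corp.example\nTo: u1@example.com\nSubject: Weekly sync\n"
          "Content-Type: text/calendar; method=REQUEST\n\nBEGIN:VCALENDAR\nEND:VCALENDAR\n")
```

In practice the `domain_age_days` table would be filled from a WHOIS or passive-DNS lookup of each linked domain.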


Customer Impact

Abnormal customers impacted by this attack were mainly in the financial, manufacturing, and media industries. As spammers become more sophisticated across cloud services, Abnormal is addressing new attacks quickly. Within one week, Abnormal updated its detection model to remediate the emails from existing campaigns and prevent similar future campaigns. In the six days since implementing this update, more than 100 similar campaigns have been flagged and remediated out of customer inboxes.

Want to enjoy a similar peace of mind? Schedule a demo to learn more about how Abnormal can detect and remediate spam calendar invites from your organization's inboxes today.
