The Rise in Spam Calendar Invites Clogging Recipient Inboxes

As spammers become more sophisticated across cloud services, Abnormal is addressing new attacks including this recent malicious calendar invite.
December 27, 2022

Most of us are no stranger to calendar spam. This occurs when random invitations and appointments appear on your calendar, even if you’ve never opened or accepted them. Attackers can embed malicious software within these seemingly typical calendar invites making them challenging to detect and infinitely more dangerous once they gain access to your email account.

In addition, calendar spam clogs up your inbox, making it extremely difficult to keep up with the work you need to focus on. Filtering and clearing out this spam is very time-consuming and attacks often slip through the cracks, creating much larger issues like the one we recently detected here at Abnormal.

Let’s take a deeper look at calendar spam in this real-world example.

Attack Summary

In a recently detected attack, email messages were sent to multiple recipients from various unknown senders using The subject fields of these messages were blank and the body of the email included NSFW links. The goal of this attack was to impact productivity.

  • Platform: Microsoft 365

  • Targets: Users Utilizing Outlook Calendar Invites

  • Payload: Malicious Link

  • Technique: Calendar Invite Impersonation

Attack Technique

A calendar invite that included NSFW link was sent from an unknown sender. For M365 tenants, no .ics file or any other attachment was linked within the calendar invite, which made it unclear that this was a calendar invite. However, Google Workspace tenant recipients of this spam message were better able to help Abnormal identify this type of attack as a calendar invite bomb campaign.

Spam Calendar Invite with .ics Attachment

For O365 customers there was no .ics or any other attachment linked within the calendar invite.

Spam calendar invite

Spam Calendar Event

Thanks to a report from a GSuite customer, we learned this actually was a calendar invite, since O365 generates calendar invitations from Outlook and sends them directly to Outlook without any attachments.

Spam Calendar Blur

Abnormal’s Response

Abnormal actively invested in identifying these messages as calendar invites which helped our detection stack detect future meeting invites from unknown senders from email hosting domains containing young domain links. The following features were added to catch similar messages from entering the customer’s environment.

  1. The first feature was aimed at rapidly containing the spam campaign while still catching most of the newer variants. Signals such as adult vocabulary, sender frequency, frequency of the sender domain to the domain seen in the message body, empty subject line, and the sender being from a free email service.

  2. Longer term, the second feature is aimed at the purpose of detecting future variants and is independent of any text-based signals. This feature uses signals such as the sender being from a free email service, limited body text, number of recipients per message, and domain age.

  3. We also extended email parsing capabilities to more accurately identify Outlook calendar invites within O365 environments. This allows us to detect calendar invite-type emails with very high precision and recall, which will ultimately improve our detection stack.

Prevent Spam Calendar Invites

Customer Impact

Abnormal customers impacted by this attack were mainly in the financial, manufacturing, and media industries. As spammers become more sophisticated across cloud services, Abnormal is addressing new attacks quickly. Within one week, Abnormal updated its detection model to remediate the emails from existing campaigns and prevent similar future campaigns. In the six days since implementing this update, more than 100 similar campaigns have been flagged and remediated out of customer inboxes.

Want to enjoy a similar peace of mind? Schedule a demo to learn more about how Abnormal can detect and remediate spam calendar invites from your organizations' inboxes today.

The Rise in Spam Calendar Invites Clogging Recipient Inboxes

See Abnormal in Action

Schedule a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.


See the Abnormal Solution to the Email Security Problem

Protect your organization from the full spectrum of email attacks with Abnormal.

Integrates Insights Reporting 09 08 22

Related Posts

B 2024 Cybersecurity Predictions
As AI becomes more prevalent in the new year, discover how our experts believe the world will change—for both good and bad.
Read More
B 11 27 23 ATO Stats
Account takeover allows threat actors to steal sign-in credentials and access an organization's network. Read some eye-popping stats about ATO cost and frequency.
Read More
B Unmasking Vendor Fraud
Learn about the techniques, tools, and technologies we use to train the models that form the backbone of our vendor fraud detection.
Read More
Get the latest insights from the 2023 ISC2 Cybersecurity Workforce Study, including which skills are most sought-after, how careers have changed, and how AI is affecting the industry.
Read More
B Good Bad Ugly Future of AI
Hear about positive and malicious use cases of AI and how to protect against novel threats in this recap from Chapter 3 of our Convergence of AI + Cybersecurity series.
Read More
B Cryptocurrency Donations Attack
Attackers attempt to solicit fraudulent donations via cryptocurrency transfers under the guise of collecting donations for children in Palestine.
Read More