The Rise in Spam Calendar Invites Clogging Recipient Inboxes

Most of us are no stranger to calendar spam. This occurs when random invitations and appointments appear on your calendar, even if you’ve never opened or accepted them. Attackers can embed malicious software within these seemingly typical calendar invites making them challenging to detect and infinitely more dangerous once they gain access to your email account.

In addition, calendar spam clogs up your inbox, making it extremely difficult to keep up with the work you need to focus on. Filtering and clearing out this spam is very time-consuming and attacks often slip through the cracks, creating much larger issues like the one we recently detected here at Abnormal.

Let’s take a deeper look at calendar spam in this real-world example.

Attack Summary

In a recently detected attack, email messages were sent to multiple recipients from various unknown senders using outlook.com. The subject fields of these messages were blank and the body of the email included NSFW links. The goal of this attack was to impact productivity.

• Platform: Microsoft 365

• Targets: Users Utilizing Outlook Calendar Invites

• Payload: Malicious Link

• Technique: Calendar Invite Impersonation

Attack Technique

A calendar invite that included NSFW link was sent from an unknown sender. For M365 tenants, no .ics file or any other attachment was linked within the calendar invite, which made it unclear that this was a calendar invite. However, Google Workspace tenant recipients of this spam message were better able to help Abnormal identify this type of attack as a calendar invite bomb campaign.

Spam Calendar Invite with .ics Attachment

For O365 customers there was no .ics or any other attachment linked within the calendar invite.

Spam Calendar Event

Thanks to a report from a GSuite customer, we learned this actually was a calendar invite, since O365 generates calendar invitations from Outlook and sends them directly to Outlook without any attachments.

Abnormal’s Response

Abnormal actively invested in identifying these messages as calendar invites which helped our detection stack detect future meeting invites from unknown senders from email hosting domains containing young domain links. The following features were added to catch similar messages from entering the customer’s environment.

1. The first feature was aimed at rapidly containing the spam campaign while still catching most of the newer variants. Signals such as adult vocabulary, sender frequency, frequency of the sender domain to the domain seen in the message body, empty subject line, and the sender being from a free email service.

2. Longer term, the second feature is aimed at the purpose of detecting future variants and is independent of any text-based signals. This feature uses signals such as the sender being from a free email service, limited body text, number of recipients per message, and domain age.

3. We also extended email parsing capabilities to more accurately identify Outlook calendar invites within O365 environments. This allows us to detect calendar invite-type emails with very high precision and recall, which will ultimately improve our detection stack.

Customer Impact

Abnormal customers impacted by this attack were mainly in the financial, manufacturing, and media industries. As spammers become more sophisticated across cloud services, Abnormal is addressing new attacks quickly. Within one week, Abnormal updated its detection model to remediate the emails from existing campaigns and prevent similar future campaigns. In the six days since implementing this update, more than 100 similar campaigns have been flagged and remediated out of customer inboxes.

Want to enjoy a similar peace of mind? Schedule a demo to learn more about how Abnormal can detect and remediate spam calendar invites from your organizations' inboxes today.