The Rise in Spam Calendar Invites Clogging Recipient Inboxes

As spammers become more sophisticated across cloud services, Abnormal is addressing new attacks including this recent malicious calendar invite.
December 27, 2022

Most of us are no stranger to calendar spam. This occurs when random invitations and appointments appear on your calendar, even if you’ve never opened or accepted them. Attackers can embed malicious software within these seemingly typical calendar invites making them challenging to detect and infinitely more dangerous once they gain access to your email account.

In addition, calendar spam clogs up your inbox, making it extremely difficult to keep up with the work you need to focus on. Filtering and clearing out this spam is very time-consuming and attacks often slip through the cracks, creating much larger issues like the one we recently detected here at Abnormal.

Let’s take a deeper look at calendar spam in this real-world example.

Attack Summary

In a recently detected attack, email messages were sent to multiple recipients from various unknown senders using outlook.com. The subject fields of these messages were blank and the body of the email included NSFW links. The goal of this attack was to impact productivity.

  • Platform: Microsoft 365

  • Targets: Users Utilizing Outlook Calendar Invites

  • Payload: Malicious Link

  • Technique: Calendar Invite Impersonation

Attack Technique

A calendar invite that included NSFW link was sent from an unknown sender. For M365 tenants, no .ics file or any other attachment was linked within the calendar invite, which made it unclear that this was a calendar invite. However, Google Workspace tenant recipients of this spam message were better able to help Abnormal identify this type of attack as a calendar invite bomb campaign.

Spam Calendar Invite with .ics Attachment

For O365 customers there was no .ics or any other attachment linked within the calendar invite.

Spam calendar invite

Spam Calendar Event

Thanks to a report from a GSuite customer, we learned this actually was a calendar invite, since O365 generates calendar invitations from Outlook and sends them directly to Outlook without any attachments.

Spam Calendar Blur

Abnormal’s Response

Abnormal actively invested in identifying these messages as calendar invites which helped our detection stack detect future meeting invites from unknown senders from email hosting domains containing young domain links. The following features were added to catch similar messages from entering the customer’s environment.

  1. The first feature was aimed at rapidly containing the spam campaign while still catching most of the newer variants. Signals such as adult vocabulary, sender frequency, frequency of the sender domain to the domain seen in the message body, empty subject line, and the sender being from a free email service.

  2. Longer term, the second feature is aimed at the purpose of detecting future variants and is independent of any text-based signals. This feature uses signals such as the sender being from a free email service, limited body text, number of recipients per message, and domain age.

  3. We also extended email parsing capabilities to more accurately identify Outlook calendar invites within O365 environments. This allows us to detect calendar invite-type emails with very high precision and recall, which will ultimately improve our detection stack.

Customer Impact

Abnormal customers impacted by this attack were mainly in the financial, manufacturing, and media industries. As spammers become more sophisticated across cloud services, Abnormal is addressing new attacks quickly. Within one week, Abnormal updated its detection model to remediate the emails from existing campaigns and prevent similar future campaigns. In the six days since implementing this update, more than 100 similar campaigns have been flagged and remediated out of customer inboxes.

Want to enjoy a similar peace of mind? Schedule a demo to learn more about how Abnormal can detect and remediate spam calendar invites from your organizations' inboxes today.

The Rise in Spam Calendar Invites Clogging Recipient Inboxes

See Abnormal in Action

Schedule a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

 

See the Abnormal Solution to the Email Security Problem

Protect your organization from the full spectrum of email attacks with Abnormal.

See a Demo
 
Integrates Insights Reporting 09 08 22

Related Posts

B 1500x1500 Knowledge Base People Base L1 R1
Discover how Abnormal uses contextual, behavioral data to uncover anomalous activity across logins and devices with PeopleBase.
Read More
ABN B 12 2 22 Expanding our partnership L1 R2
Our partnership with Microsoft has created plenty of opportunities to celebrate. Here are some of the especially exciting moments from 2022.
Read More
B 1500x1500 5 key takeaways L1 R1
Ed Amoroso discusses the biggest security risks with cloud email and how to prevent them.
Read More
B Threat Intel Phishing Attacks HR Policies
Threat actors are capitalizing on the new year, posing as human resources officials to send credential phishing attacks.
Read More
ESG Blog
ESG’s technical validation proves the risk reduction capabilities of Abnormal Cloud Email Security.
Read More
CFO Cover
Industry-leading CFO Sam Wolff discusses spending on security technology in the current macroeconomic conditions.
Read More