
Sublime Delivers Protections Against Calendar Phishing Threats

Attackers are now sending phishing emails disguised as calendar invites to sneak past security filters and stay inside a target’s system longer.

Threat intelligence groups have seen a surge in phishing incidents that involve calendar invitations or .ics attachments. The idea behind ICS phishing is that the most popular cloud-based services, including Microsoft 365, Google Workspace, and Apple iCloud, have calendar settings that automatically add received invitations to the user's calendar, so the event stays there even if the user deletes the email or the organization's security software quarantines it.

“The concerning piece is that ICS phishing doubles the chance of attack success by putting both an email in the target’s inbox and a meeting on their calendar,” Josh Kamdjou, co-founder and CEO of AI-driven email security firm Sublime Security, told MSSP Alert. “This gives attackers two payload delivery methods: the email itself and the calendar event. It also creates a security gap, as removal of malicious calendar entries is not a common feature in email security solutions.”

To protect against such attacks, Washington, D.C.-based Sublime Security announced the addition of anti-ICS phishing capabilities to its agentic AI email security platform. The platform can now automatically delete malicious or unwanted calendar events as it remediates the emails that delivered them: when a message is sent to quarantine, spam, or trash, Sublime also deletes the associated event from the user's calendar.

No Single Actor Behind Attacks

“We’ve observed these attacks since the summer, but it has picked up significantly in the last month,” Kamdjou said. “It’s not a new technique, but we’re seeing a huge uptick in abuse of ICS phishing. In terms of why now, it could be that it’s part of phishing-as-a-service kits out there. There’s been a lot of variety, which leads us to believe it’s not a single actor behind some of these campaigns.”

A range of threat intelligence groups have reported on the threat. Check Point in December 2024 wrote about the emerging tactic being used against Google Calendar users, and anti-phishing vendor DuoCircle in March followed up about such ICS phishing incidents involving Google Calendar, with the bad actors sending “fake meeting invitations that redirect the invitees to phishing websites.”

“These invites look exactly like the original Google invites, and even the phishing website is cloned so well that it’s difficult to catch its fakeness,” the company wrote. “Since the counterfeit platforms are flawless, the success rate of these attacks is extremely high; users are entering sensitive details and downloading malicious links without batting their eye.”

Google, Microsoft, Apple Users Targeted

Forbes, noting Sublime’s report, also wrote that “Google and Microsoft users are now being warned of a surge in attacks that use calendar invites as a method to evade security solutions and deliver their undoubtedly dangerous payloads.” Meanwhile, KnowBe4, pointing to a BleepingComputer report, noted in September that “attackers are abusing iCloud Calendar invites to send phishing messages that pose as PayPal notifications. ... Since the messages are sent from Apple’s infrastructure, they’re more likely to bypass security filters.”

“ICS phishing is on the rise, and it presents a unique challenge to email security solutions due to its two-pronged approach,” Sublime’s Kamdjou said. “Because these events land directly in the calendar – bypassing email detection solutions – it shows that attackers are finding clever ways to bypass tools by abusing legitimate email settings and permissions.”

Bad Actors Use Multiple Techniques

In their report, Sublime Product Manager Ahry Jeon and Brandon Murphy, threat detection engineer at the vendor, wrote about different methods bad actors are using in ICS phishing campaigns, including one in which they are abusing Free Conference Call services.

“In this attack, the threat actor has included specific instructions in the body of the message for the target to not use the legitimate conference call automatically generated by Free Conference Call and instead call the phone number within the body message,” they wrote. “This is a common technique used to deliver malicious instructions through a trusted service.”

Moreover, in these cases Free Conference Call automatically attached an .ics file that contained the exact same phishing information, so even if the message is deleted, the calendar entry persists and the attack continues.
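The two-payload problem described above (an invite that survives deletion of the email, and a body that tells the target to ignore the service-generated dial-in) is easiest to see by pulling the text/calendar part out of a message and checking it directly. The following is an added example, not Sublime's code or rule syntax, and it uses only the Python standard library. The email, its sender and organizer domains, the UID and the phone numbers are all constructed placeholders for the demo; the indicator names (`override_instructions`, `multiple_phone_numbers`, `url_domain_mismatch`) are this example's own.

```python
"""Triage a calendar (.ics) attachment for ICS-phishing indicators.

Added example, not Sublime's code. Sample message, domains, UID and phone
numbers below are constructed placeholders. Standard library only.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample: the DESCRIPTION tells the recipient to ignore the
# generated dial-in and call another number, and links to an unrelated domain.
# It is folded across lines (continuation lines start with a space), as RFC 5545
# permits, which is also how a naive substring check gets defeated.
SAMPLE_EMAIL = """\
From: Accounts Team <billing@conf-invite.example>
To: victim@corp.example
Subject: Invoice review call
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="utf-8"

You have been invited to a call. Details are in the attached invite.

--BOUNDARY
Content-Type: text/calendar; method=REQUEST; charset="utf-8"
Content-Disposition: attachment; filename="invite.ics"

BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Example//Demo//EN
METHOD:REQUEST
BEGIN:VEVENT
UID:demo-0001@conf-invite.example
DTSTAMP:20250101T120000Z
DTSTART:20250102T150000Z
DTEND:20250102T153000Z
ORGANIZER;CN=Accounts Team:mailto:billing@conf-invite.example
ATTENDEE;RSVP=TRUE:mailto:victim@corp.example
SUMMARY:Invoice review call
DESCRIPTION:Do NOT use the dial-in generated below. Instead call
  +1-555-010-0199 to confirm your account. Details: https://login.not-the-
 brand.example/verify
LOCATION:Dial-in: +1-555-010-0100
END:VEVENT
END:VCALENDAR
--BOUNDARY--
"""

PHONE_RE = re.compile(r"\+?\d[\d().-]{7,}\d")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# "Do not use ... instead call ..." instructions that override the legitimate,
# service-generated dial-in (the pattern in the Free Conference Call abuse).
OVERRIDE_RE = re.compile(r"\b(do not|don't|instead)\b[^.]*\b(call|dial|use)\b", re.I)


def unfold(ics_text: str) -> List[str]:
    """Join RFC 5545 folded lines: a continuation starts with one space or tab."""
    lines: List[str] = []
    for raw in ics_text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines


def parse_vevent(ics_text: str) -> Dict[str, str]:
    """Return METHOD plus the first VEVENT's properties, parameters dropped.

    Simplification: splits on the first ':' and so does not handle quoted
    parameter values that themselves contain a colon.
    """
    props: Dict[str, str] = {}
    in_event = False
    for line in unfold(ics_text):
        if line == "BEGIN:VEVENT":
            in_event = True
            continue
        if line == "END:VEVENT":
            break
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name = name.split(";", 1)[0].upper()  # drop ;CN=... style parameters
        if in_event or name == "METHOD":
            props[name] = value
    return props


def _domain(addr: str) -> str:
    """Bare domain of a From header value or a mailto: URI."""
    if addr.lower().startswith("mailto:"):
        addr = addr[7:]
    mailbox = parseaddr(addr)[1] or addr
    return mailbox.rsplit("@", 1)[-1].lower()


def triage(raw_email: str) -> Dict[str, object]:
    """Inspect the first text/calendar part; UID is what remediation must key on."""
    msg = message_from_string(raw_email)
    sender_domain = _domain(msg.get("From", ""))
    result: Dict[str, object] = {"uid": None, "organizer": None, "auto_add": False,
                                 "findings": [], "verdict": "no-calendar-part"}
    for part in msg.walk():
        if part.get_content_type() != "text/calendar":
            continue
        payload = part.get_payload(decode=True) or b""
        ev = parse_vevent(payload.decode(part.get_content_charset() or "utf-8", "replace"))
        findings: List[str] = []
        # METHOD:REQUEST (in the body or the Content-Type param) is what clients
        # act on when they auto-add invitations to the calendar.
        method = (ev.get("METHOD") or part.get_param("method") or "").upper()
        organizer = ev.get("ORGANIZER", "")
        org_domain = _domain(organizer) if organizer else sender_domain
        if organizer and org_domain != sender_domain:
            findings.append("organizer_sender_mismatch")
        text = " ".join(ev.get(k, "") for k in ("SUMMARY", "DESCRIPTION", "LOCATION"))
        if OVERRIDE_RE.search(text):
            findings.append("override_instructions")
        if len(set(PHONE_RE.findall(text))) > 1:  # a generated dial-in plus another number
            findings.append("multiple_phone_numbers")
        for url in URL_RE.findall(text):
            host = (urlsplit(url).hostname or "").lower()
            if host != org_domain and not host.endswith("." + org_domain):
                findings.append(f"url_domain_mismatch:{host}")
        result.update(uid=ev.get("UID"), organizer=organizer or None,
                      auto_add=(method == "REQUEST"), findings=findings,
                      verdict="suspicious" if findings else "clean")
        break
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
```

The point of returning `uid` alongside the verdict is the gap the article describes: quarantining the message does not touch the calendar, so whatever removes the event (a calendar API call, a mailbox-side cleanup) needs the UID to find it. Note that the organizer/sender check deliberately does not fire on this sample, because in the trusted-service case both are the legitimate service; the content indicators are what carry the detection.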

They also outlined phishing incidents in which the message had little or no content but carried an attached PDF or HTML file, each containing an invitation that is automatically added to the target's calendar. If the target opens the PDF, they see a QR code that leads to a credential phishing page.

“If the target launches the HTML file, they are first taken to a fake Microsoft Domain Services splash page,” Jeon and Murphy wrote. “This is the phishing kit in use. It is hosting that page within the target’s /temp directory rather than sending them to a standard phishing site. All of the activity within the page is from JS [JavaScript] code within the HTML file.”

They added that the targets “finally land on a credential phishing page that impersonates a Microsoft-powered GoDaddy login page.”

Common Features in Phishing Messages

The messages tend to share common features, from brand impersonation to suspicious attachments to manipulative language, they wrote. Some also include malicious QR codes.

MSSPs and MSPs can play a key role in defending against ICS phishing, but the first step is making sure customers have their calendars configured securely, something Sublime documented in its report, Kamdjou said.

“From there, most MSSPs and MDRs [managed detection and response providers] are already monitoring a wide range of signals across their customers’ environments,” he said. “The key is ensuring the inbox is one of those signals. If email and calendar activity aren’t included in their visibility or alert pipeline, then these attacks can slip by unnoticed. Getting those signals in front of analysts is critical.”

Also, depending on their service model and response authority, MSSPs can put the right automated remediation controls in place. If they can automatically isolate or remove malicious calendar invites or message artifacts, that significantly reduces the impact window of these attacks, the CEO said.

Jeffrey Burt

Jeffrey Burt has been a journalist for almost 40 years, moving from general-circulation newspapers to IT news sites in 2000. He’s an expert analyst and writer on cybersecurity, data center infrastructure, AI, and a host of other subjects for a range of organizations, including CyberRisk Alliance, eWEEK, Techstrong Group, The Next Platform, and The Register.
