Beware malicious Google and Microsoft calendar invites.
SOPA Images/LightRocket via Getty Images
Not all cybersecurity attacks involve unsupported operating systems, vulnerabilities without a patch, or password-stealing malware. Many, it has to be said, come under the remit of social engineering, exploiting human weaknesses alongside a little technical threat tomfoolery. The latest such warning has come from Sublime Security after it “observed a significant influx in phishing attacks” against users of Google Workspace and Microsoft 365 calendars. Here’s what you need to know and do.
A Surge Of Malicious Google And Microsoft Calendar Invites
It has been almost a year since I last reported about the threat surface that is, erm, your calendar. Yet that threat has not gone away, and Google and Microsoft users are now being warned of a surge in attacks that use calendar invites as a method to evade security solutions and deliver their undoubtedly dangerous payloads. A newly published report by Ahry Jeon, a product manager, and Brandon Murphy, a threat detection engineer, both working at Sublime Security, warns that “depending on the settings of the target’s calendar, even if the email message is automatically quarantined by an email security solution, the calendar entry often remains on the target’s calendar.”
An .ics file is a calendar data format used to enable the sharing of events between calendar applications from the likes of Apple, Google, and Microsoft. It is a hugely popular format, not least thanks to the ability to automatically add invites to calendars from Google Workspace and Microsoft 365. In the latter, the security boffins warn, “it will also bring attachments from the email into the invitation.” Obviously, this provides an attacker with a double-whammy threat of the email and the invite to deliver a payload. Double-whammy threat, double the chance of success.
The Sublime report provides a number of examples of this kind of attack, and I recommend reading it yourself to get up to speed with these. The bullet point summary is:
- ICS phishing in the body of a calendar entry
- ICS phishing with a QR code in an attachment
- ICS phishing with attached HTML
I have reached out to both Google and Microsoft regarding the report and the dangers of .ics phishing attacks for advice to users. In the meantime, Sublime offers the following suggestions for securing your calendars: In the Google Workspace Admin Console, go to Apps|Google Workspace|Calendar|Advanced settings and ensure the ‘Add invitations to my calendar’ option is set to ‘Invitations from known senders’ or ‘Invitations users have responded to via email.’ For Microsoft 365, use PowerShell commands to set AutomateProcessing to None and disable the ‘Calendar Attendant’ from automatically processing invites.