Calendar Invite Scams
Catch a spoofed calendar invite before the fake meeting page harvests your credentials.
What Are Calendar Invite Scams?
Calendar invite phishing has emerged as a high-yield channel for credential harvesting because it sidesteps two of the controls users assume protect them. The first is the email security gateway: many calendar protocols deliver invites over a separate channel that the gateway never inspects, so any malicious join URL inside the invite arrives unscanned. The second is human caution: an event sitting on your calendar feels pre-vetted, especially when corporate auto-accept policy puts external invites on the day automatically without ever asking you to look at the sender. Attackers exploit both gaps with a polished ICS file from a one-letter lookalike of a real vendor domain, a tight last-minute reminder timed to short-circuit verification, and a join link that lands on a credential-harvesting page styled to look like a legitimate meeting platform.
The single most reliable defense is procedural rather than perceptual: read the actual organizer email address rather than the display name, inspect the join URL against the real meeting platform domains (zoom.us, teams.microsoft.com, or your own corporate platform), and confirm the meeting out of band on a number you already trust before clicking Join.
In this simulation, you are Alice, a Vendor Compliance Analyst at CypherPeak Technologies. A Q1 Vendor Compliance Review from a familiar partner appears on your calendar via auto-accept, with a five-minute reminder and a join link that points to an unfamiliar meeting domain over HTTP. You will inspect the organizer address, spot the lookalike domain, place an out-of-band callback to your real vendor contact, delete the hostile event, sign in to the security portal to file a structured incident report, review the SOC team's confirmation and detection briefing, and walk through the verification habits the rest of your team needs to adopt.
The exercise demonstrates why a recognizable display name proves nothing about the sender, why any meeting platform that asks for your corporate password is a credential harvest rather than a meeting, and why filing a fast report on a near-miss is what turns a single rejected invite into a company-wide block at the email gateway and DNS resolver.
What You'll Learn in Calendar Invite Scams
- Recognize how calendar auto-accept policies bypass the email security gateway by delivering invites over a protocol the gateway does not inspect
- Read the actual organizer email address rather than the display name to spot one-letter or different-TLD lookalikes of real vendor domains
- Inspect the join URL on every invite and refuse to enter credentials on any domain that is not a known meeting platform (zoom.us, teams.microsoft.com, or your own corporate platform)
- Treat tight last-minute timing and demands for immediate join as social engineering pressure designed to short-circuit verification
- Verify suspicious meeting invites out of band on a phone number, chat, or directory entry that was authenticated before the suspicious request arrived - never the contact info inside the invite
- Delete confirmed-hostile calendar events so the join link cannot be clicked by mistake later, and so the SOC team has a clean state to work from
- File a structured incident report capturing the spoofed organizer address, the fake join URL, and the detection narrative so the SOC can block at the email gateway and DNS resolver and hunt for parallel attempts
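The organizer-address and join-URL checks from the list above, sketched as an added example (not part of the training module itself). The vendor domain, the lookalike domain, the corporate meeting host and the sample invite are constructed, and the edit-distance threshold of 2 is an assumption.

```python
import re
from urllib.parse import urlsplit
# Constructed sample data; only zoom.us and teams.microsoft.com come from the page.
TRUSTED_VENDOR_DOMAINS = {"halcyon-insurance.example"}
MEETING_PLATFORMS = {"zoom.us", "teams.microsoft.com", "meet.cypherpeak.example"}
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\nSUMMARY:Q1 Vendor Compliance Review\r\n"
    "ORGANIZER;CN=Marco Reyes:mailto:marco.reyes@halcyon-lnsurance.example\r\n"
    "DESCRIPTION:Join here: http://meet-join.example/q1-rev\r\n iew\r\n"  # folded line
    "END:VEVENT\r\nEND:VCALENDAR\r\n")

def edit_distance(a, b):  # Levenshtein distance using a single rolling row
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def classify_domain(domain):
    """Return 'trusted', 'lookalike of <domain>' or 'unknown'."""
    domain = domain.lower().rstrip(".")
    if domain in TRUSTED_VENDOR_DOMAINS:
        return "trusted"
    for good in sorted(TRUSTED_VENDOR_DOMAINS):
        other_tld = domain.rsplit(".", 1)[0] == good.rsplit(".", 1)[0]
        if other_tld or edit_distance(domain, good) <= 2:
            return "lookalike of " + good
    return "unknown"

def check_join_url(url):
    """List the reasons a join URL fails the scheme and platform allow-list checks."""
    host = (urlsplit(url).hostname or "").lower()
    problems = [] if urlsplit(url).scheme == "https" else ["not HTTPS"]
    # Match the host exactly or as a subdomain, so zoom.us.attacker.tld fails.
    if not any(host == p or host.endswith("." + p) for p in MEETING_PLATFORMS):
        problems.append("host not a known meeting platform: " + host)
    return problems

def inspect_invite(ics_text):
    """Check the organizer domain and every URL found in an ICS body."""
    text = re.sub(r"\r?\n[ \t]", "", ics_text)   # RFC 5545: unfold continuation lines
    report = {"organizer": None, "urls": {}}
    for line in text.splitlines():
        m = re.search(r"mailto:[^@\s]+@([\w.-]+)", line, re.I)
        if line.upper().startswith("ORGANIZER") and m:
            report["organizer"] = classify_domain(m.group(1))  # CN= display name ignored
        for url in re.findall(r"https?://[^\s\\,;\"<>]+", line):
            report["urls"][url] = check_join_url(url)
    return report
```

A `lookalike` verdict or a non-empty problem list is a prompt to verify out of band before joining; an `unknown` organizer simply means the domain is not on the vendor list.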
Calendar Invite Scams — Training Steps
- A Quiet Tuesday At Home
It is a quiet Tuesday morning. Alice is finishing her vendor scorecards from her home office desk. Her usual quarterly compliance partner, Halcyon Insurance Group, isn't due for a review until April - so the day feels routine.
- An Unexpected Reminder
A meeting reminder slides up from the system tray: Q1 Vendor Compliance Review - starts in 5 minutes. Hosted by someone called Marco Reyes at Halcyon Insurance Group. Alice never accepted this invite - it was added to her calendar automatically by corporate policy.
- Inspect The Meeting
The Q1 Vendor Compliance Review is right there on today's agenda, marked External and Auto-accepted. The Join meeting button is one click away.
- Pause Before The Click
The clock is at 2:27. The reminder says the meeting starts in three minutes. Alice's instinct is to click Join meeting - the calendar already accepted it, the organizer name matches a real partner, and the request looks routine. But a calendar entry is not the same as a verified invitation. Before clicking Join, what is the safest move?
- Read The Address And The Link
Alice slows down and reads the parts of the invite she usually skips - the organizer email and the join URL. Display names are decoration. The address is the truth.
- Verify With The Vendor
Alice picks up her phone and calls Sarah Donovan, her usual contact at Halcyon, on the extension she has had saved for two years. Not the number on the invite. Not the email. A channel that was authenticated before any of this started.
- Confirmed: A Calendar Phishing Attempt
Sarah confirms what Alice already suspected. There is no Marco Reyes at Halcyon. There is no Q1 review scheduled. The invite is hostile and the join link is a credential harvest dressed up as a meeting platform. Alice removes the meeting from her calendar so she cannot click it by mistake later, and so the SOC team has a clean state to work from.
- Open The Security Portal
Removing the invite stops Alice from joining. It does not stop the attacker from trying the same trick on the rest of the company. The next step is to file a report so the SOC can block the spoofed domain at the email gateway and DNS resolver and warn other staff before anyone clicks Join.
- Sign In To The Portal
Alice signs in to the security portal using her stored credentials.
- File The Incident Report
Alice files the report with the details SOC needs first: the spoofed organizer address, the suspicious join URL, and a short narrative of what happened and how she caught it.