A sophisticated phishing campaign is currently exploiting a trusted feature that millions of professionals use daily: calendar invitations. Security researchers have identified a dangerous new threat called CalPhishing that leverages Microsoft Outlook calendar invites to steal Microsoft 365 session credentials. This attack method demonstrates how cybercriminals continue to weaponize legitimate business tools to bypass security measures and target unsuspecting users. Organizations worldwide must understand this emerging threat to protect their digital environments effectively.
What Happened
The CalPhishing campaign represents a cunning evolution in social engineering tactics. Attackers are distributing malicious calendar invitations through Outlook that appear to come from legitimate sources within or outside an organization. These calendar invites contain embedded links or attachments that direct recipients to fraudulent login pages designed to harvest Microsoft 365 credentials. The campaign has been linked to the EvilTokens Kit, a sophisticated toolset available on underground forums that enables attackers to create convincing phishing infrastructure with minimal technical knowledge.
What makes this attack particularly effective is its abuse of trust. Calendar invitations typically bypass traditional email security filters because they are considered routine business communications. Recipients often accept these invites without scrutiny, especially when they appear to come from known contacts or legitimate organizations. The attackers craft scenarios such as urgent meeting requests, interview scheduling, or mandatory training sessions that create a sense of immediacy and pressure users to act quickly without proper verification.
How It Works
The CalPhishing attack follows a multi-stage process designed to maximize success rates. First, attackers send calendar invitations to targeted individuals using compromised accounts or spoofed identities. These invitations contain compelling subject lines and meeting descriptions that encourage recipients to click embedded links for additional information or to confirm attendance.
When victims click these links, they are redirected to replica login pages that mimic authentic Microsoft 365 authentication portals. These fraudulent pages use valid TLS (SSL) certificates and familiar branding elements to appear legitimate. Once users enter their credentials, the information is immediately captured by the attackers.
The EvilTokens Kit enhances this process by enabling session token theft. Rather than simply capturing passwords, the toolkit harvests active session tokens, which allow attackers to bypass multi-factor authentication protections: a session token is issued only after sign-in, including any MFA challenge, has completed, so a stolen token is accepted without a new prompt. With these tokens, cybercriminals can access victim accounts without triggering additional security alerts, remaining undetected while exfiltrating sensitive data, deploying ransomware, or conducting further attacks within the organization.
What You Should Do
Organizations and individuals must implement multiple layers of defense against CalPhishing attacks. First, enable advanced email and calendar filtering solutions that can detect suspicious invitation patterns and malicious links. Configure security settings to flag external calendar invitations and require additional verification before displaying them to users.
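As an added illustration of the filtering step above (not code from the original article or from any Microsoft product), the following Python parses an invite's iCalendar body, flags an organizer outside the organization, and flags links whose host is not on an allowlist. The domain `example.com`, the allowlist, and the sample invite are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Assumptions for this example: adjust both sets for a real tenant.
INTERNAL_DOMAINS = {"example.com"}
TRUSTED_LINK_HOSTS = {"example.com", "teams.microsoft.com"}

# Constructed sample invite; DESCRIPTION is folded mid-URL, as RFC 5545 allows.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nMETHOD:REQUEST\r\nBEGIN:VEVENT\r\n"
    "ORGANIZER;CN=\"HR: Training\":mailto:hr@example-hr.test\r\n"
    "DESCRIPTION:Confirm at https://login.example-hr.test/o365?i\r\n"
    " d=42 today.\\nAgenda: https://teams.microsoft.com/l/meetup/abc\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

# NAME, optional ;params (quoted values may contain ':'), then ':' and value.
PROP = re.compile(r'([A-Za-z0-9-]+)((?:[^":]|"[^"]*")*):(.*)')

def parse_props(ics):
    """Unfold lines (CRLF + space/tab continues a line) and map NAME -> value."""
    unfolded = re.sub(r"\r?\n[ \t]", "", ics)
    props = {}
    for line in re.split(r"\r?\n", unfolded):
        if (m := PROP.match(line)):
            props[m.group(1).upper()] = m.group(3)
    return props

def unescape(text):
    """Decode iCalendar TEXT escapes so a URL ends where the sender ended it."""
    return re.sub(r"\\([nN,;\\])",
                  lambda m: "\n" if m.group(1) in "nN" else m.group(1), text)

def review_invite(ics):
    """Return (finding, value) pairs for an invite that deserves a warning."""
    props, findings = parse_props(ics), []
    org_domain = props.get("ORGANIZER", "").rpartition("@")[2].lower()
    if org_domain not in INTERNAL_DOMAINS:
        findings.append(("external-organizer", org_domain))
    body = "\n".join(unescape(props.get(k, ""))
                     for k in ("DESCRIPTION", "LOCATION", "URL", "X-ALT-DESC"))
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        try:
            host = (urlparse(url).hostname or "").lower()  # drops any user@ prefix
        except ValueError:  # malformed host: flag it rather than skip it
            host = url
        if not any(host == h or host.endswith("." + h) for h in TRUSTED_LINK_HOSTS):
            findings.append(("untrusted-link", host))
    return findings
```

Unfolding before matching matters: a URL split across a folded line would otherwise be scanned as two harmless fragments.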
User education remains critical. Train employees to scrutinize unexpected calendar invitations, especially those containing external links or requesting immediate action. Establish protocols for verifying meeting requests through alternative communication channels before clicking any embedded content.
Implement conditional access policies that restrict session token lifetimes and require periodic re-authentication. Deploy endpoint detection and response solutions that can identify abnormal authentication patterns and suspicious account activity. Regularly audit calendar permissions and review third-party application access to Microsoft 365 environments.
Enable comprehensive logging for all calendar activities and authentication events. Monitor for unusual patterns such as multiple failed login attempts, access from unfamiliar locations, or sudden changes in user behavior that might indicate compromised credentials.
The CalPhishing campaign underscores the ongoing need for vigilance in cybersecurity. As attackers continue developing innovative methods to exploit trusted business tools, organizations must maintain adaptive security postures and foster cultures of security awareness. Protecting against these evolving threats requires combining technical controls with informed user behavior.