Outlook Calendar’s Dangerous Design Flaw Everyone Should Be Aware Of

A New Form of Phishing

Email is an essential part of daily life for most of us, no matter our industry or profession. Still, like the rest of the Internet, it comes with inherent risks we should all be aware of.

Phishing, or hacking by email, can occur when we receive an email with a malicious link or attachment. If we click on that link or download that attachment, our computer can be hacked. In some cases, the hacker might take us to a fake site and ask for our username, our password, or any other valuable information that can compromise us and our accounts.

On the surface, this seems easy enough to overcome. Just don’t click the links and don’t download the attachments, right? Right, but unfortunately, hackers can be devious.

Phishing emails can be disguised. Hackers can make the emails look like they came from someone you know. They can make the emails match the emails you’re used to. They can use information from Google and Facebook and other sites to customize the emails just for you. These are only a few of the thousands of ways they can go phishing for you.

And one of these ways is slipping right under our noses and straight into our calendars.

Calendar Invites, an Invisible Lure

If you have ever received an email inviting you to a call or a meeting, you will recognize this pattern. An email shows up in your inbox with a date, a name, and maybe a link to Zoom. You can accept this invitation or you can decline it, or you can just forget about it. Forgetting about it is by far the easiest, as you will still receive a notification reminding you about the meeting some time before it occurs.

This is because, by default, most email programs automatically add calendar invites into your calendar. In desktop Outlook, you can even delete the email with the invite and that meeting will still be in your calendar. The only way to ensure the invite is not scheduled is by manually declining the invite.

Caught on the Hook

In most cases, this is convenient. You got an invite to meet with your boss on Tuesday, but the invite got lost in the hundred other emails you were sent today. Five minutes before your meeting, a notification pops up on your screen because, thankfully, Outlook did not forget and has scheduled your meeting for you.

But what if the email was a phishing attack? What if you receive an invite for a meeting set in two weeks, but it’s actually from a hacker?

It’s okay, though. You’re smart and you recognized that email as a phishing attack, so you deleted it right away. You didn’t click anything in it. In fact, you hardly paid attention to when that meeting was scheduled because you knew it wasn’t real.

Now, 2 weeks later, you are in the middle of a very busy day. A half dozen notifications have been popping up on your screen since you clocked in. Another dings. In a rush, you open your calendar and click the link to join the meeting. Congratulations. You’ve been hacked.

The Problem with Outlook Calendar

This isn’t the only way a hacker can use your Outlook calendar against you. A hacker might want to make your life miserable by sending you hundreds of calendar invites on different dates now and in the future. You have these popping up as reminders constantly, disturbing your workday and costing you time as you manually delete them one by one from your calendar.

Even worse, a hacker could pick up the phone right now and call you saying, “I’m with Microsoft and we know you got a stream of invites. We can help you delete them… just go to this site so we can remote in.” You’re now hacked.

Outlook on desktop will automatically add every invite you receive into your calendar. Most email programs allow you to disable this feature. Desktop Outlook does not. Seeing as how Outlook is one of the most widely used email clients for business, this kind of phishing attack is all the more dangerous.

Avoiding the Bait

I said before that you have the option to decline invites. But should you? This is like opening Pandora’s box. Asking anyone to interact in any way with a malicious email is a recipe for disaster.

So what can you do? If you aren’t using Outlook as your email client, find out how to disable this feature and do it right away. If you are using Outlook or if you don’t want to disable this feature, treat each calendar invite the same way you would treat any other email: compare the Organizer Name to the Organizer’s Email Address to ensure they match, hover over all links to know where they are truly taking you, and do not download any attachments you weren’t expecting or which seem out of the ordinary.
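One way to apply those three checks mechanically to an invite as it arrives, as an added example that is not from the original post: the .ics sample, the trusted-domain set and the function names below are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample invite (not from the original post). The display name
# claims to be a colleague, but the mailto address and the link targets are
# on an unrelated domain, and the link's visible text hides its real target.
SAMPLE_ICS = """BEGIN:VCALENDAR
BEGIN:VEVENT
ORGANIZER;CN=Jane Boss:mailto:hr-desk@mail-secure-login.example
SUMMARY:Quarterly review
LOCATION:https://zoom.us.meeting-join.example/j/123
DESCRIPTION:Join here: <a href="https://zoom.us.meeting-join.example/j/123">https://zoom.us/j/123</a>
END:VEVENT
END:VCALENDAR"""

def parse_organizer(ics):
    """Return (display name, lower-cased email) from the ORGANIZER line."""
    m = re.search(r'^ORGANIZER(?:;CN="?([^";:]*)"?)?(?:;[^:]*)?:mailto:(\S+)',
                  ics, re.M | re.I)
    if not m:
        return "", None
    return (m.group(1) or "").strip(), m.group(2).strip().lower()

def host(url):
    return (urlparse(url).hostname or "").lower()

def check_invite(ics, trusted_domains):
    """Run the post's three checks and return a list of findings
    (an empty list means nothing suspicious was spotted)."""
    findings = []
    name, email = parse_organizer(ics)
    if email is None:
        return ["organizer has no mailto address"]
    local, _, domain = email.partition("@")
    if domain not in trusted_domains:
        findings.append(f"organizer domain {domain} is not a trusted domain")
    # Organizer Name vs. Organizer Email: every word of the display name
    # should appear in the address's local part ("Jane Boss" from hr-desk@ fails).
    tokens = [t for t in re.split(r"\W+", name.lower()) if t]
    if tokens and not all(t in local for t in tokens):
        findings.append(f"display name '{name}' does not match address {email}")
    # "Hover over the link": compare what the link shows with where it goes.
    for href, text in re.findall(r'<a href="([^"]+)">([^<]+)</a>', ics):
        if host(text) and host(text) != host(href):
            findings.append(f"link shows {host(text)} but goes to {host(href)}")
    # Any URL in the invite (LOCATION, DESCRIPTION) pointing outside trusted hosts.
    for h in sorted({host(u) for u in re.findall(r"https?://[^\s\"<>]+", ics)}):
        if h not in trusted_domains:
            findings.append(f"link to untrusted host {h}")
    return findings

if __name__ == "__main__":
    for f in check_invite(SAMPLE_ICS, {"company.example", "zoom.us"}):
        print("WARNING:", f)
```

Wire this into a mail-flow rule or a mailbox script that runs before the invite is auto-added, and route anything with findings to quarantine rather than to the calendar.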

Maybe one day Microsoft will fix this.

About the Author

Kaushal Kothari, certified ethical hacker and former FDIC IT Examination Analyst, is President of Secure Guard Consulting, a premier cybersecurity and IT audit company. Mr. Kothari is also the founder of the Certified Social Engineer® (C|SE®) certification program and creator of cyberescaperooms.com where security awareness training is made fun by using virtual cyber escape rooms.