🔴 HIGH | analysis

Malicious Calendar Subscriptions - Silent Vector for Phishing and Malware

Category: Threat Alerts
BitSight research reveals attackers abusing calendar subscription protocols (iCal, CalDAV) to deliver phishing and malware without user interaction. What's clever: calendar applications automatically fetch external .ics files from subscribed URLs without prompting users. Attackers embed malicious links in event descriptions, use calendar invites to establish persistence (events repeat daily, constantly re-prompting), and leverage the trusted nature of calendar notifications. Both Apple Calendar and Google Calendar are vulnerable to this social engineering vector. The attacks bypass email filtering since they arrive through calendar sync protocols. Users see what appear to be legitimate meeting invites with malicious links in location fields or descriptions. The persistence mechanism is particularly effective—recurring events keep re-appearing even if deleted, training users to click through.

🎯 CORTEX Protocol Intelligence Assessment

Business Impact: Abuse of calendar subscriptions can expose employees and consumers to large-scale phishing, scams, and malware delivery via a channel that bypasses many existing filters and awareness programs, undermining trust in legitimate business and service notifications. Organizations that allow unmanaged calendar subscriptions on corporate devices risk increased credential theft and account takeover incidents, especially among mobile users who quickly act on event reminders.

Strategic Intelligence Guidance

  • Educate users about the risks of subscribing to unknown or unsolicited calendars, and provide clear instructions for reviewing and removing calendar subscriptions on major mobile and desktop platforms.
  • Use mobile device management and endpoint policies to restrict or at least inventory third-party calendar subscriptions on corporate devices, prioritizing high-risk groups such as executives and finance staff.
  • Advocate with email and productivity suite vendors to extend phishing and URL reputation checks to ICS content and calendar invites, not just traditional email bodies and attachments.
  • Include calendar subscription abuse scenarios in phishing simulations and security awareness training so users learn to treat unexpected calendar prompts with the same caution as suspicious emails.
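
The following Python example is added here and is not taken from BitSight's research or from any vendor tooling. It audits the text of a subscribed .ics feed the way the inventory and URL-check guidance above suggests: it unfolds RFC 5545 continuation lines (so a link split across two lines is still seen), extracts links from the DESCRIPTION, LOCATION and URL properties, and marks events that carry an RRULE. The sample feed, the function names and the example.test hosts are constructed for illustration.

```python
import re

# Constructed sample feed (not from the page); example.test hosts are placeholders.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\n"
    "BEGIN:VEVENT\r\nUID:1@example.test\r\nSUMMARY:Account review\r\n"
    "RRULE:FREQ=DAILY\r\n"
    "DESCRIPTION:Confirm your details at https://login.example.test/ver\r\n"
    " ify?id=42 today\r\n"
    "LOCATION:http://meet.example.test/join\r\n"
    "END:VEVENT\r\n"
    "BEGIN:VEVENT\r\nUID:2@example.test\r\nSUMMARY:Team lunch\r\n"
    "LOCATION:Cafeteria\r\nEND:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

# Stop at whitespace and at characters that ICS TEXT values escape or delimit with.
URL_RE = re.compile(r"https?://[^\s<>\"\\,;]+", re.I)
LINK_FIELDS = {"DESCRIPTION", "LOCATION", "URL"}

def unfold(text):
    """Undo RFC 5545 folding: a line break followed by space or tab continues the line."""
    return re.sub(r"\r?\n[ \t]", "", text).splitlines()

def audit_ics(text):
    """Return one record per VEVENT that carries links in user-visible fields."""
    findings, event = [], None
    for line in unfold(text):
        name_part, _, value = line.partition(":")
        name = name_part.split(";", 1)[0].upper()  # drop parameters such as ;LANGUAGE=en
        if name == "BEGIN" and value.upper() == "VEVENT":
            event = {"uid": None, "summary": "", "recurring": False, "links": []}
        elif event is None:
            continue  # property outside any VEVENT
        elif name == "END" and value.upper() == "VEVENT":
            if event["links"]:
                findings.append(event)
            event = None
        elif name == "UID":
            event["uid"] = value
        elif name == "SUMMARY":
            event["summary"] = value
        elif name == "RRULE":
            event["recurring"] = True  # recurring events re-prompt the user
        elif name in LINK_FIELDS:
            event["links"] += [(name, u) for u in URL_RE.findall(value)]
    return findings
```

Each returned link can then be passed to whatever URL reputation service the organization already uses for email, and recurring events with links can be prioritized for review.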

Vendors

Apple, Google, BitSight

Threats

phishing campaigns, social engineering

Targets

mobile device users, enterprise employees, consumer endpoints