Holli's IT Blog for Non-IT People

Calendar Invite Phishing: The New Attack Hiding in Plain Sight

Written by Holli Houseworth Langford | Jun 15, 2026 1:41:50 PM

Most businesses have spent years training employees to be cautious with suspicious emails. Don’t click strange links. Don’t open unexpected attachments. Watch for fake invoices, password reset requests, and urgent messages from “the CEO.”

But attackers are always looking for a less obvious way in.

According to recent research from KnowBe4 Threat Lab, cybercriminals are increasingly using calendar invitations as a phishing tactic. Instead of relying only on traditional email messages, attackers are sending malicious meeting invites that can appear directly on a user’s calendar, creating a new layer of risk for businesses that rely heavily on Microsoft 365, Google Workspace, Teams, Zoom, and other collaboration tools.

Why Calendar Invites Are So Effective

Calendar invitations feel different from regular email.

When a meeting invite pops up on your calendar, phone, or desktop, it often feels more legitimate. Employees are used to seeing alerts from Microsoft Teams, Zoom, Google Meet, or internal scheduling tools throughout the day. Because of that, they may not stop and question the invite the same way they would with a suspicious email.

That trust is exactly what attackers are trying to exploit.

Some calendar phishing attacks use .ics calendar files that may not be inspected as closely by traditional email security tools. In certain environments, invitations may even be added to a calendar automatically, meaning the employee may see the event notification later without realizing it started as a suspicious message.

What These Attacks Can Look Like

This is an image of an actual invite one of our clients received.

Calendar invite phishing can take several forms. Some of the most common examples include:

Fake payment or subscription alerts
An employee receives a calendar invite that looks like a billing notice, subscription renewal, or payment confirmation. The invite may include a phone number to call if the charge is “incorrect.” This is often an attempt to move the employee into a phone-based scam, also known as vishing.

Fake Zoom or Teams meeting updates
The invite may look like a normal meeting notification, but the link sends the user to a fake page claiming they need to update Zoom, Teams, or another meeting tool. In some cases, that “update” can install remote access software or malware.

Credential theft pages
Some invites include links to fake login pages for Microsoft 365, Google, Zoom, or other common workplace platforms. The page may look convincing enough that an employee enters their username and password without realizing they are handing credentials directly to an attacker.

Internal impersonation
In more targeted attacks, criminals may try to make the calendar invite look like it came from someone inside the company. They may use compromised accounts, lookalike domains, or event details that mimic internal language to make the request seem routine.

Why This Is a Business Risk

Calendar phishing is dangerous because it does not always feel like phishing.

Employees may be more likely to trust a meeting reminder than a strange email. They may click quickly because they think they are late for a meeting. They may see a familiar platform logo and assume it is safe. They may call a fake support number because the invite looks like a billing issue that needs immediate attention. That combination of trust, urgency, and familiarity makes calendar-based attacks especially effective.

For businesses, the consequences can include stolen Microsoft 365 credentials, unauthorized access to company files, fraudulent payments, malware installation, and compromised accounts being used to target more employees or clients.

How to Reduce the Risk

Businesses should not rely on employee awareness alone. Calendar phishing requires a mix of technical controls, security training, and ongoing testing.

A few practical steps include:

  • Review calendar settings that automatically add invitations from unknown senders.
  • Make sure Microsoft 365 or Google Workspace clearly labels external invitations.
  • Configure email and security tools to inspect calendar invite files and embedded links.
  • Enforce MFA across company accounts.
  • Train employees to treat unexpected calendar invites with the same caution as suspicious emails.
  • Remind users not to call phone numbers, download software, or enter credentials from unexpected meeting invites.
  • Test employees regularly with realistic phishing simulations.
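For the step about inspecting calendar invite files and embedded links, here is a sketch of what that check can look like. This is an added example, not code from this blog or from any vendor's product: the internal domain, the trusted meeting hosts, and the sample invite are all constructed assumptions you would replace with your own.

```python
import re
from urllib.parse import urlparse

# Assumed values for this example: your own mail domain and the meeting hosts you use.
INTERNAL_DOMAINS = {"example.com"}
TRUSTED_HOSTS = ("teams.microsoft.com", "zoom.us", "meet.google.com")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
PHONE_RE = re.compile(r"(?<!\d)(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
TEXT_PROPS = {"SUMMARY", "DESCRIPTION", "LOCATION", "URL"}

def split_property(line):
    # Split "NAME;params:value" at the first colon outside quoted parameter values.
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch == ":" and not quoted:
            return line[:i].split(";", 1)[0].upper(), line[i + 1:]
    return None, ""

def inspect_invite(ics):
    findings, text = set(), []
    # RFC 5545 folding: a line break followed by a space or tab continues the line.
    for line in re.sub(r"\r?\n[ \t]", "", ics).splitlines():
        name, value = split_property(line)
        if name == "ORGANIZER":
            domain = value.rsplit("@", 1)[-1].lower()
            if domain not in INTERNAL_DOMAINS:
                findings.add("external-organizer:" + domain)
        elif name in TEXT_PROPS:
            # Undo iCalendar text escaping (backslash sequences) before scanning.
            text.append(re.sub(r"\\(.)", lambda m: "\n" if m.group(1) in "nN" else m.group(1), value))
    body = "\n".join(text)
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if not any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS):
            findings.add("untrusted-link:" + host)
    if PHONE_RE.search(URL_RE.sub(" ", body)):  # ignore digits inside URLs
        findings.add("phone-number-in-invite")
    return sorted(findings)

# Constructed sample invite (not from a real message); DESCRIPTION is folded mid-number.
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR", "METHOD:REQUEST", "BEGIN:VEVENT",
    'ORGANIZER;CN="Billing: Support":mailto:notice@billing-alerts.example',
    "SUMMARY:Subscription renewal confirmed",
    "DESCRIPTION:If this charge is incorrect\\, call +1 (800",
    " ) 555-0142 or sign in at https://login.account-verify.example/m365",
    "LOCATION:https://teams.microsoft.com/l/meetup-join/constructed",
    "END:VEVENT", "END:VCALENDAR",
])
```

Calling `inspect_invite(SAMPLE_ICS)` flags the outside organizer, the sign-in link on an unfamiliar host, and the call-back number, while the Teams link passes. Unfolding the lines first matters because a phone number or link split across two lines would otherwise slip past a simple text search.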

Phishing Training Should Reflect How Attacks Actually Happen

Phishing is no longer limited to obvious scam emails. Today’s attacks show up through calendar invites, fake meeting links, QR codes, text messages, collaboration tools, and phone calls. That means security awareness training needs to be practical, ongoing, and based on real-world tactics employees are likely to encounter. Cloud Cover provides phishing testing and security awareness training to help businesses understand where their users are most vulnerable and how to improve over time. Our phishing simulations are designed to educate employees without shaming them, giving your team a safer way to learn what modern attacks look like before a real one lands in their inbox or calendar.

Learn more about our phish testing services here: Phish Testing & Training for Your Business

The Bottom Line

Calendar invite phishing is a good reminder that attackers do not need to break through the front door if they can find a side entrance people trust. Your calendar, meeting apps, and collaboration tools are now part of your security perimeter. If your team is trained only to spot suspicious emails, they may miss the threats hiding in everyday business tools. The best defense is a layered approach: strong Microsoft 365 security settings, modern email protection, MFA, user training, and regular phishing tests that reflect how attackers are actually operating today.

Need help testing and training your team? Cloud Cover can help you identify gaps, educate users, and reduce the risk of phishing attacks before they turn into costly security incidents.

Schedule a phishing test for your business