Microsoft Teams Phishing

Categories: Deepfake. Published on: December 13th, 2025.

Calendar Invite Phishing: The Attack Vector Your Security Team Isn't Testing

Breacher.ai Research, December 2025

Your employees receive dozens of Microsoft Teams and Google Calendar meeting invites every week. They click "Accept" without hesitation—after all, it's just a calendar invite from a colleague, right?

That assumption is exactly what attackers are exploiting.

In December 2024, Check Point researchers uncovered an active phishing campaign that targeted 300+ organizations with over 4,000 phishing emails in just four weeks—all delivered through spoofed Google Calendar invites.[1] The attacks bypassed email security filters entirely because the messages came from legitimate Google Calendar services.

This isn't an isolated incident. Microsoft has been tracking a Russian-linked threat actor called Storm-2372 that has been using fake Teams meeting invitations since August 2024 to target government agencies, NGOs, defense contractors, and critical infrastructure across Europe, North America, Africa, and the Middle East.[2]

34.3% of untrained employees fail phishing tests (KnowBe4 2024 Report[3])
190% increase in phishing clicks, 2024 vs 2023 (Netskope[4])
4,000+ phishing emails in 4 weeks in one campaign (Check Point[1])

Why Calendar Invites Are the Perfect Attack Vector

Traditional phishing simulations focus on email. But attackers have evolved. Calendar invites offer several advantages that make them more dangerous:

1. Bypass Email Security Filters

The Check Point researchers found that calendar-based phishing emails passed DKIM, SPF, and DMARC email security checks because they originated from legitimate Google services.[1] Most secure email gateways (SEGs) analyze email content, not calendar attachments—creating a massive blind spot.

2. Implicit Trust

As Darktrace researchers noted, "as a primarily internal tool there is naturally less training and security awareness around Teams – due to the nature of the channel it is assumed to be a trusted source."[5] Calendar invites appear in a separate context from email, showing up in Outlook's calendar view, Teams notifications, and mobile alerts—channels users don't associate with phishing.

3. Persistence After Reporting

Security researchers at Hoxhunt identified a critical gap: even after a user reports a phishing email, the calendar event often remains on their calendar.[6] This gives attackers a second chance—days later, the user might click the event thinking "what was this meeting again?"

Real Attack: Google Calendar Campaign (December 2024)

Check Point researchers observed attackers targeting 300+ brands including banks, healthcare services, educational institutions, and construction firms. The criminals modified sender headers so emails appeared to be legitimate Google Calendar invites from known contacts. Victims were redirected to fake cryptocurrency support pages designed to harvest credentials and payment details.

Source: Check Point Research, December 2024

The Attack Chain: How Storm-2372 Does It

Microsoft's threat intelligence team has documented exactly how the Russian-linked Storm-2372 group executes these attacks:[2]

1. Initial Contact via Messaging Apps

Attackers reach out via WhatsApp, Signal, or Microsoft Teams, posing as "a prominent person relevant to the target" to build rapport and establish trust.

2. Teams Meeting Invitation

The victim receives a phishing email with what appears to be a legitimate Microsoft Teams meeting invitation for an "online event or meeting."

3. Device Code Authentication Trap

Clicking the invite takes victims to a legitimate Microsoft login page, where they're prompted to enter a device verification code that the attackers generated.

4. Token Capture & Account Takeover

When the user authenticates, attackers capture the access tokens—gaining persistent access to email, cloud storage, and other services without ever stealing a password.

5. Lateral Movement & Data Exfiltration

Microsoft observed Storm-2372 using keyword searches for terms like "password," "admin," "credentials," "secret," "ministry," and "gov" before exfiltrating emails via Microsoft Graph API.

The Google Calendar Campaign (December 2024)

The Check Point researchers documented a sophisticated campaign targeting banks, healthcare services, educational institutions, and construction firms:[1]

Attack method: Criminals modified sender email headers so messages appeared to be legitimate Google Calendar invites sent from someone the victim knows. The emails included .ics calendar files with links to Google Forms or Google Drawings.

The trap: After clicking the initial link, victims were prompted to click another link disguised as a reCAPTCHA or support button. This redirected them to fake cryptocurrency/Bitcoin support pages designed to harvest credentials and payment information.

Why it worked: Google Calendar has over 500 million users across 41 languages.[1] The invites passed all standard email authentication checks because they genuinely originated from Google's infrastructure.

Google's response: "We recommend users enable the 'known senders' setting in Google Calendar. This setting helps defend against this type of phishing by alerting the user when they receive an invitation from someone not in their contact list."[1]

Why Traditional Phishing Training Falls Short

Most security awareness programs focus on email-based phishing. But as Netskope's 2024 research shows, phishing click rates nearly tripled compared to 2023—despite ongoing training investments.[4]

The researchers attributed this to "cognitive fatigue" and attackers becoming "more creative in delivering harder-to-detect phishing lures." Calendar invites represent exactly this evolution—they exploit channels where employees haven't been trained to be suspicious.

According to KnowBe4's 2024 benchmarking study of 11.9 million users across 57,000 organizations, 34.3% of untrained employees will fail a phishing test.[3] After one year of training, that drops to 4.6%—but only if organizations are testing the right vectors.

What Your Organization Should Do

Block Device Code Flow Where Possible

Microsoft explicitly recommends blocking device code authentication flow wherever it's not required, as this is the primary technique Storm-2372 uses to capture tokens.[2]
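
One way to verify that this control is actually in force is to audit an export of the tenant's Conditional Access policies. The following is an added example, not code from Microsoft or Breacher.ai; the sample policies are constructed, and the field names are assumed to follow the Microsoft Graph conditionalAccessPolicy schema.

```python
# Constructed policies in the shape of Microsoft Graph conditionalAccessPolicy
# objects (GET /identity/conditionalAccess/policies); names and ids are made up.
ALL = {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]}}
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": ALL, "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Block device code flow (pilot)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {**ALL, "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "Block device code flow", "state": "enabled",
     "conditions": {
         "users": {"includeUsers": ["All"], "excludeGroups": ["<group-id-placeholder>"]},
         "applications": {"includeApplications": ["All"]},
         "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"}},
     "grantControls": {"builtInControls": ["block"]}},
]

def targets_device_code(conditions):
    """transferMethods is a comma-separated flags string; look for deviceCodeFlow."""
    flows = conditions.get("authenticationFlows") or {}
    methods = (flows.get("transferMethods") or "").split(",")
    return "deviceCodeFlow" in {m.strip() for m in methods}

def audit_device_code_block(policies):
    """Sort device-code block policies into enforced, partial and report-only."""
    report = {"enforced": [], "partial": [], "report_only": [], "exclusions": []}
    for p in policies:
        cond = p.get("conditions") or {}
        grant = p.get("grantControls") or {}
        if not targets_device_code(cond) or "block" not in grant.get("builtInControls", []):
            continue
        name = p["displayName"]
        users, apps = cond.get("users") or {}, cond.get("applications") or {}
        if p.get("state") == "enabledForReportingButNotEnforced":
            report["report_only"].append(name)  # logged only, nothing is blocked yet
        elif p.get("state") == "enabled":
            full = ("All" in users.get("includeUsers", [])
                    and "All" in apps.get("includeApplications", []))
            report["enforced" if full else "partial"].append(name)
            # Every exclusion is an identity that can still complete a device code sign-in.
            for key in ("excludeUsers", "excludeGroups", "excludeRoles"):
                report["exclusions"] += [(name, key, v) for v in users.get(key) or []]
    return report
```

An empty "enforced" list, or a long "exclusions" list, means device code sign-ins are still possible for some or all accounts.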

Enable "Known Senders" Settings

Both Google and Microsoft offer settings to alert users when receiving invites from unknown contacts. Google Calendar's "known senders" feature and Microsoft's external sender warnings should be enabled organization-wide.

Expand Phishing Simulations

Include calendar invite attacks in your regular testing cadence. Measure click rates and credential submission rates for calendar-based attacks separately from email campaigns.

Implement Out-of-Band Verification

Establish verification protocols for sensitive requests. A callback to a known number (not one provided in the request) or confirmation via a separate channel should be mandatory for wire transfers, credential changes, or data sharing.

Monitor Calendar Activity

Configure alerts for external calendar invites to executives and finance teams. Flag invites with links to non-corporate domains or newly registered domains.
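
The link check described above can be run directly on the .ics attachment. The following is an added example, not Breacher.ai's or Check Point's tooling; the corporate domain list and the sample invite are constructed, and the newly-registered-domain check is left out because it needs external registration data.

```python
import re
from urllib.parse import urlparse

CORPORATE_DOMAINS = {"example.com"}  # assumption: domains the organization owns

# Constructed sample invite; DESCRIPTION is folded and has an escaped newline (RFC 5545).
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nMETHOD:REQUEST\r\nBEGIN:VEVENT\r\n"
    "ORGANIZER;CN=Support Desk:mailto:helpdesk@invites.example.net\r\n"
    "ATTENDEE;CN=Pat:mailto:pat@example.com\r\nSUMMARY:Account review\r\n"
    "DESCRIPTION:Confirm your details: https://forms.example.org/d/abc\\n\r\n"
    " Agenda: https://intranet.example.com/agenda\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

# name, optional ;parameters (quoted values may contain ':'), then ':' and the value
PROP = re.compile(r'^([A-Za-z0-9-]+)((?:;(?:"[^"]*"|[^";:])*)*):(.*)$')
URL = re.compile(r"https?://[^\s<>\"']+")

def parse_properties(ics):
    """Unfold lines (CRLF + one space/tab continues a line), then split name/value."""
    unfolded = re.sub(r"\r?\n[ \t]", "", ics).splitlines()
    matches = (PROP.match(line) for line in unfolded)
    return [(m.group(1).upper(), m.group(3)) for m in matches if m]

def unescape(text):
    """Undo RFC 5545 TEXT escaping so URLs are not glued to escape sequences."""
    return re.sub(r"\\([nN,;\\])", lambda m: "\n" if m.group(1) in "nN" else m.group(1), text)

def domain_of(value):
    """Domain of a mailto: address or the host of an http(s) URL, lower-cased."""
    if value.lower().startswith("mailto:"):
        return value.rsplit("@", 1)[-1].lower()
    return (urlparse(value).hostname or "").lower()

def is_corporate(domain):
    return any(domain == d or domain.endswith("." + d) for d in CORPORATE_DOMAINS)

def triage_invite(ics):
    """Return (finding, domain) pairs for external organizers and external links."""
    findings = []
    for name, value in parse_properties(ics):
        if name == "ORGANIZER" and not is_corporate(domain_of(value)):
            findings.append(("external-organizer", domain_of(value)))
        if name in {"DESCRIPTION", "LOCATION", "URL", "X-ALT-DESC"}:
            for url in URL.findall(unescape(value)):
                if not is_corporate(domain_of(url)):
                    findings.append(("external-link", domain_of(url)))
    return findings
```

Because the check reads the calendar attachment itself rather than the email headers, it still applies when the carrying message passes SPF, DKIM, and DMARC.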

References

  1. Check Point Research. "Google Calendar Notifications Bypassing Email Security Policies." December 17, 2024. https://blog.checkpoint.com/securing-user-and-access/google-calendar-notifications-bypassing-email-security-policies/. Also reported by BleepingComputer: https://www.bleepingcomputer.com/news/security/ongoing-phishing-attack-abuses-google-calendar-to-bypass-spam-filters/
  2. Microsoft Threat Intelligence. "Storm-2372 conducts device code phishing campaign." February 13, 2025. https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/
  3. KnowBe4. "2024 Phishing by Industry Benchmarking Report." February 2024. https://blog.knowbe4.com/knowbe4-2024-phishing-by-industry-benchmarking-report
  4. Netskope. "Phishing Click Rates Triple in 2024." Reported by Infosecurity Magazine, January 7, 2025. https://www.infosecurity-magazine.com/news/phishing-click-rates-triple/
  5. Darktrace. "Strategies to Combat Microsoft Teams Phishing Attacks." May 21, 2024. https://www.darktrace.com/blog/how-to-protect-your-organization-against-microsoft-teams-phishing-attacks
  6. Hoxhunt. "The Rise of Calendar-Invite Phishing: When a Meeting Invite Isn't Really a Meeting." December 2024. https://hoxhunt.com/blog/calendar-invite-phishing

About the Author: Jason Thatcher

Jason Thatcher is the Founder of Breacher.ai and comes from a long career of working in the Cybersecurity Industry. His past accomplishments include winning Splunk Solution of the Year in 2022 for Security Operations.
