CalPhishing Campaign: Hijacking M365 via Outlook Calendar Invites

In the rapidly shifting landscape of enterprise security, the traditional email inbox has long been the primary battleground for social engineering defense. However, as Secure Email Gateways (SEGs) and automated filtering systems become increasingly adept at identifying malicious links and suspicious attachments, threat actors have pivoted to a more intimate and less-scrutinized workspace: the employee calendar. A high-priority alert issued on May 15, 2026, by Fortra Intelligence and Research Experts (FIRE) has cast a spotlight on this evolution, detailing a sophisticated CalPhishing campaign that leverages architectural loopholes in Microsoft Outlook to hijack corporate environments.
The Rise of the CalPhishing Campaign: Hijacking the Schedule
The CalPhishing campaign represents a significant departure from standard phishing tactics. While traditional attacks rely on the user opening a message in their inbox, CalPhishing utilizes the iCalendar (.ics) file format to bypass the initial point of interaction entirely. When an attacker sends a specially crafted .ics file, the Microsoft Outlook client—governed by default configurations—automatically processes the artifact and inserts a “tentative” meeting entry onto the victim’s schedule.
This automated processing is the “silent killer” of the attack chain. Because the meeting is added without the user’s explicit consent or interaction, it remains active even if the delivery email is flagged as junk or deleted by automated security tools. Consequently, the victim receives legitimate system-level notifications and reminders on their desktop and mobile devices. These notifications carry the inherent trust of the operating system and the productivity suite, making the subsequent social engineering lures far more effective than a standalone email.
Technical Mechanics of the .ics Exploitation
At its core, the CalPhishing campaign exploits the way modern productivity suites prioritize collaboration over strict security boundaries for meeting requests. The iCalendar format is essentially structured text, which the FIRE researchers noted is often bypassed by security scanners that are primarily focused on executable binaries, macro-enabled documents, or known malicious URLs within the email body.
The attackers abuse specific fields within the .ics structure to maximize the efficacy of the phish:
- SUMMARY: Used to generate a sense of immediate crisis, such as “Urgent: Domain Renewal Failure.”
- DESCRIPTION: Contains the primary social engineering payload, often formatted with HTML to look like a legitimate corporate portal.
- LOCATION: Frequently used to host “verification links” or instructions to click an attachment, further mimicking a standard professional meeting request.
Because these entries are decoupled from the delivery email once processed, they create a persistent threat. A standard “soft delete” of the malicious email by an IT administrator does not purge the calendar artifact. Without a specific “hard-delete” action targeted at the calendar store, the meeting remains a ticking time bomb on the user’s schedule.
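The field abuses described above can be checked mechanically before an invite ever reaches a client. The script below is an added example (not tooling from the FIRE alert or from Fortra): a minimal RFC 5545 reader that unfolds continuation lines, strips property parameters and unescapes TEXT values, followed by triage rules for SUMMARY, DESCRIPTION and LOCATION. The invite at the bottom is constructed for the example, and the allowlist of meeting-provider hosts is an assumption a deployment would tune.

```python
"""Triage an iCalendar (.ics) meeting request for CalPhishing indicators.

Added example: minimal RFC 5545 parsing plus checks on the fields the
campaign abuses.  SAMPLE_INVITE is constructed; ALLOWED_HOST_SUFFIXES is an
assumed allowlist of hosts a legitimate invite is expected to link to.
"""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
HTML_RE = re.compile(r"<\s*/?\s*(a|div|span|p|table|img|form|input|script)\b", re.IGNORECASE)
URGENCY_WORDS = ("urgent", "failure", "suspended", "expired", "action required", "verify")
ALLOWED_HOST_SUFFIXES = ("teams.microsoft.com", "zoom.us", "meet.google.com")  # assumed


def unfold(ics_text):
    """Join folded continuation lines (RFC 5545 3.1: a line starting with SPACE or HTAB)."""
    lines = []
    for raw in ics_text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines


def unescape(value):
    """Reverse RFC 5545 TEXT escaping: \\n, \\N, \\, \\; and \\\\."""
    return (value.replace("\\n", "\n").replace("\\N", "\n")
                 .replace("\\,", ",").replace("\\;", ";").replace("\\\\", "\\"))


def parse_vevents(ics_text):
    """Return one dict per VEVENT.  Property parameters (;CN=...) are stripped from
    names, and the calendar-level METHOD is copied into each event."""
    events, current, method = [], None, ""
    for line in unfold(ics_text):
        name_part, _, value = line.partition(":")
        name = name_part.split(";", 1)[0].upper()
        if name == "METHOD":
            method = value.strip().upper()
        elif name == "BEGIN" and value.strip().upper() == "VEVENT":
            current = {}
        elif name == "END" and value.strip().upper() == "VEVENT" and current is not None:
            events.append(current)
            current = None
        elif current is not None:
            current[name] = unescape(value)
    for ev in events:
        ev["METHOD"] = method
    return events


def unexpected_urls(text):
    """URLs in the text whose host is not on the allowlist."""
    hits = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if not any(host == s or host.endswith("." + s) for s in ALLOWED_HOST_SUFFIXES):
            hits.append(url)
    return hits


def triage(event):
    """Return the indicator names matched by one VEVENT (empty list = nothing matched)."""
    findings = []
    summary = event.get("SUMMARY", "").lower()
    desc = event.get("DESCRIPTION", "")
    loc = event.get("LOCATION", "")
    if any(w in summary for w in URGENCY_WORDS):
        findings.append("summary-urgency")
    if HTML_RE.search(desc):
        findings.append("description-html")
    if unexpected_urls(desc):
        findings.append("description-unlisted-url")
    if unexpected_urls(loc):
        findings.append("location-unlisted-url")
    # METHOD:REQUEST is what a client auto-processes; only worth noting when content already looks bad.
    if event.get("METHOD") == "REQUEST" and findings:
        findings.append("auto-processable-request")
    return findings


# Constructed sample invite; the DESCRIPTION line is deliberately folded mid-URL.
SAMPLE_INVITE = "\r\n".join([
    "BEGIN:VCALENDAR",
    "VERSION:2.0",
    "PRODID:-//constructed sample//EN",
    "METHOD:REQUEST",
    "BEGIN:VEVENT",
    "UID:constructed-sample-0001@example.invalid",
    "DTSTAMP:20260515T120000Z",
    "DTSTART:20260516T090000Z",
    "DTEND:20260516T093000Z",
    "ORGANIZER;CN=IT Helpdesk:mailto:helpdesk@example.invalid",
    "SUMMARY:Urgent: Domain Renewal Failure",
    'DESCRIPTION:<div>Your mailbox will be suspended. <a href="https://',
    ' portal.example.invalid/renew">Verify now</a></div>',
    "LOCATION:https://portal.example.invalid/renew",
    "END:VEVENT",
    "END:VCALENDAR",
])

if __name__ == "__main__":
    for ev in parse_vevents(SAMPLE_INVITE):
        print(ev["SUMMARY"], "->", triage(ev))
```

A mail-flow hook or a SOC enrichment script can run `triage` over every `text/calendar` part and route anything with two or more findings to quarantine for review; the allowlist keeps ordinary Teams or Zoom links from firing the URL rules.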
The EvilTokens Arsenal: Phishing-as-a-Service (PaaS) on the Dark Web
The technical sophistication of the CalPhishing campaign is fueled by the EvilTokens phishing kit. First surfacing in early 2026 on encrypted platforms like Telegram, EvilTokens represents the latest evolution in Phishing-as-a-Service (PaaS). Unlike older kits that focused on simple credential harvesting (stealing usernames and passwords), EvilTokens is designed for token theft and session hijacking.
EvilTokens provides threat actors with a turnkey solution for bypassing modern defenses. The kit includes:
- AI-Driven Lure Generation: Using large language models to craft grammatically perfect and contextually relevant lures based on the target industry.
- Cloudflare Evasion Layers: Automated setup of redirects and “Turnstile” challenges to prevent automated security crawlers from analyzing the final phishing destination.
- Device Code Flow Automation: A specialized module that facilitates the “ConsentFix” technique, handling the backend communication with Microsoft’s authentication APIs.
The availability of such advanced tools has lowered the barrier to entry for cybercriminals, allowing even low-skilled actors to execute high-impact account takeover (ATO) attacks against Fortune 500 companies.
Deep Dive into the ConsentFix Technique
The most dangerous element of the CalPhishing campaign is the use of ConsentFix, a specific implementation of device code phishing. When a victim interacts with the link in the malicious calendar invite, they are not directed to a fake login page designed to steal their password. Instead, they are funneled through a series of redirects to a legitimate Microsoft authentication page (e.g., microsoft.com/devicelogin).
This is where the psychological manipulation reaches its peak. The phishing site provides the user with a code and instructs them to enter it on the Microsoft page. Because the user is interacting with a legitimate Microsoft domain, their suspicion is naturally lowered. ConsentFix abuses the OAuth 2.0 Device Authorization Grant flow, which was originally intended for devices with limited input capabilities, such as smart TVs or IoT devices.
Once the victim enters the code and authenticates with their corporate credentials—including completing any Multi-Factor Authentication (MFA) challenges—the EvilTokens kit captures the resulting access and refresh tokens. The attacker now holds a valid session that allows them to masquerade as the user across the entire Microsoft 365 ecosystem.
Why ConsentFix Bypasses MFA
Traditional MFA (SMS codes, TOTP, or even push notifications) is designed to verify the user’s identity during the initial authentication phase. However, ConsentFix does not attempt to break the authentication phase; it subverts the authorization phase. By tricking the user into authorizing a new “device” (which is actually the attacker’s kit), the attacker obtains a session token that is already authenticated.
To the Microsoft Entra ID (formerly Azure AD) environment, the login looks like a successful, MFA-validated session. This renders traditional defensive layers ineffective, as the attacker never needs the victim’s password and the MFA has already been “satisfied” by the victim themselves during the device code entry.
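Because the session looks MFA-validated, the useful signal is not the MFA result but the grant type. The following is an added example (not from the FIRE alert) that hunts exported Entra ID sign-in records for successful device-code authentications and raises the severity when the sign-in country differs from the user's interactive baseline. It assumes the export keeps the Microsoft Graph signIn property names (authenticationProtocol, status.errorCode, authenticationRequirement, location.countryOrRegion); the records are constructed.

```python
"""Hunt Entra ID sign-in records for successful OAuth device-code sign-ins.

Added example.  Records follow the Microsoft Graph signIn schema (assumed to be
preserved by the export); SAMPLE_SIGNINS is constructed.
"""

SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-05-14T08:02:11Z", "userPrincipalName": "alice@example.invalid",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"},
     "authenticationProtocol": "oAuth2", "authenticationRequirement": "multiFactorAuthentication",
     "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-05-15T09:41:57Z", "userPrincipalName": "alice@example.invalid",
     "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "NL"},
     "authenticationProtocol": "deviceCode", "authenticationRequirement": "multiFactorAuthentication",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-05-15T09:45:03Z", "userPrincipalName": "bob@example.invalid",
     "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "US"},
     "authenticationProtocol": "deviceCode", "authenticationRequirement": "multiFactorAuthentication",
     "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126}},  # failed attempt
    {"createdDateTime": "2026-05-15T10:10:00Z", "userPrincipalName": "carol@example.invalid",
     "ipAddress": "203.0.113.40", "location": {"countryOrRegion": "US"},
     "authenticationProtocol": "deviceCode", "authenticationRequirement": "multiFactorAuthentication",
     "appDisplayName": "Azure CLI", "status": {"errorCode": 0}},
]


def _ok(record):
    return record.get("status", {}).get("errorCode") == 0


def successful_device_code_signins(records):
    """Every completed device-code sign-in.  Note that authenticationRequirement still
    reads multiFactorAuthentication: the victim satisfied MFA for the attacker."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode" and _ok(r)]


def baseline_countries(records):
    """Countries each user has signed in from via a non-device-code flow."""
    baseline = {}
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode" and _ok(r):
            country = r.get("location", {}).get("countryOrRegion")
            baseline.setdefault(r["userPrincipalName"], set()).add(country)
    return baseline


def triage_device_code(records):
    """Return alerts, highest severity first, for successful device-code sign-ins."""
    baseline = baseline_countries(records)
    alerts = []
    for r in successful_device_code_signins(records):
        upn = r["userPrincipalName"]
        country = r.get("location", {}).get("countryOrRegion")
        known = baseline.get(upn, set())
        if known and country not in known:
            severity = "high"
            reason = f"device-code sign-in from {country}; user baseline {sorted(known)}"
        else:
            severity = "medium"
            reason = "device-code sign-in; confirm the user initiated it on a real device"
        alerts.append({"user": upn, "time": r["createdDateTime"], "ip": r["ipAddress"],
                       "app": r.get("appDisplayName"), "severity": severity, "reason": reason})
    alerts.sort(key=lambda a: (a["severity"] != "high", a["time"]))
    return alerts


if __name__ == "__main__":
    for alert in triage_device_code(SAMPLE_SIGNINS):
        print(alert)
```

In the constructed data the failed attempt by bob is dropped, alice's sign-in from a country outside her baseline is rated high, and carol's Azure CLI sign-in is kept at medium because headless admin tooling is the one legitimate consumer of this grant; confirming it with the user is the right next step rather than suppressing it.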
The Impact of Account Takeover (ATO)
Once a session token is captured via the CalPhishing campaign, the consequences for the target organization are often catastrophic. Possession of a valid M365 session token grants the attacker access to:
- Exchange Online: Accessing sensitive corporate communications and performing lateral phishing attacks from a trusted internal account.
- SharePoint and OneDrive: Exfiltrating proprietary data, financial records, and strategic documents.
- Microsoft Teams: Monitoring internal discussions to identify further high-value targets or project vulnerabilities.
- Global Address List (GAL): Harvesting the names and contact details of every employee in the company to scale the campaign.
Furthermore, because the tokens obtained through EvilTokens often include offline access capabilities, the attacker can maintain persistence even if the user changes their password, provided the session remains valid or the refresh token is not revoked.
Strategic Mitigation and Defense-in-Depth
Defending against the CalPhishing campaign requires a shift from reactive monitoring to proactive configuration hardening. Security teams must address both the delivery vector (the calendar) and the exploitation method (device code flow).
1. Hardening Calendar Configurations
Organizations should review their Microsoft 365 “Calendar” settings to restrict how the system handles external invites. Administrators can disable the automatic processing of meeting requests from external senders or configure the system to only allow invitations from trusted domains. This prevents the “silent” insertion of tentative meetings that triggers the notification chain.
2. Restricting Device Code Authentication
The most effective technical control against ConsentFix is the implementation of Conditional Access policies that restrict the use of the Device Code Flow. In most corporate environments, the device code flow is unnecessary for daily operations. By blocking this specific authentication grant type for the general user population, organizations can effectively neutralize the EvilTokens exploitation path.
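The policy described above can be expressed as a Microsoft Graph conditionalAccessPolicy document. The code below is an added example (not Microsoft's or Fortra's) that builds the policy body with the authenticationFlows.transferMethods condition set to deviceCodeFlow, applies a few reviewer checks, and optionally submits it. The group ID and bearer token are placeholders, and starting in report-only mode is a deliberate design choice so the sign-in logs can reveal which accounts still depend on the flow before it is enforced.

```python
"""Build and optionally submit an Entra Conditional Access policy that blocks the
OAuth device code flow.

Added example.  The body follows the Graph conditionalAccessPolicy resource; the
group ID and token used by the caller are placeholders.
"""
import json
import urllib.request

GRAPH_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def build_block_device_code_policy(exclude_group_ids, enforce=False, name="Block device code flow"):
    """Return the policy body.  enforce=False yields report-only mode, which logs what
    would have been blocked without affecting sign-ins."""
    return {
        "displayName": name,
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_group_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def policy_review(policy):
    """Checks a reviewer would apply before enabling the policy; empty list means clean."""
    problems = []
    flows = policy["conditions"].get("authenticationFlows", {}).get("transferMethods", "")
    if "deviceCodeFlow" not in flows:
        problems.append("policy does not target deviceCodeFlow")
    if policy.get("grantControls", {}).get("builtInControls") != ["block"]:
        problems.append("grant control is not 'block'")
    if policy["conditions"]["users"].get("includeUsers") != ["All"]:
        problems.append("policy does not cover all users")
    if not policy["conditions"]["users"].get("excludeGroups"):
        problems.append("no break-glass / exception group excluded")
    return problems


def submit_policy(policy, bearer_token):
    """POST the policy to Graph (needs Policy.ReadWrite.ConditionalAccess).  Not run offline."""
    req = urllib.request.Request(
        GRAPH_POLICIES,
        data=json.dumps(policy).encode(),
        headers={"Authorization": f"Bearer {bearer_token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder group ID: the group that holds the few accounts allowed to use device code.
    policy = build_block_device_code_policy(["00000000-0000-0000-0000-000000000000"])
    print(json.dumps(policy, indent=2))
    print("review:", policy_review(policy) or "ok")
```

Run it in report-only mode first, watch the sign-in logs for the accounts the policy would have blocked, move those that genuinely need the flow into the exception group, then rebuild with enforce=True.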
3. Modernizing Incident Response
Incident response playbooks must be updated to include calendar artifact remediation. When a phishing email is detected, the remediation workflow should not just delete the email but also perform a tenant-wide search for any associated .ics entries. Automation built on the Microsoft Graph API can identify and purge these entries from user calendars programmatically.
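The following is an added example of that remediation step (not the FIRE tooling). It keys on the invite's UID, which Microsoft Graph exposes as the event's iCalUId, with a fallback match on the organizer address for re-sent copies. The selection logic is pure and tested on constructed event records; the Graph calls (a $filter on iCalUId under /users/{id}/events and a DELETE on each hit) need Calendars.ReadWrite application permission, and the token and user list are placeholders.

```python
"""Locate and purge calendar entries created from a malicious .ics across mailboxes.

Added example.  Matching is by iCalUId (the invite UID) or organizer address;
Graph calls use /users/{id}/events.  SAMPLE_EVENTS is constructed; the token and
user list are placeholders supplied by the caller.
"""
import json
import urllib.request
from urllib.parse import quote, urlencode

GRAPH = "https://graph.microsoft.com/v1.0"


def odata_quote(value):
    """Escape a string literal for an OData $filter (single quotes are doubled)."""
    return value.replace("'", "''")


def matches_malicious_invite(event, ical_uid, organizer_email=None):
    """True when the event came from the invite (same UID) or, as a fallback, from
    the same organizer address (covers copies re-sent with a fresh UID)."""
    if event.get("iCalUId") == ical_uid:
        return True
    org = event.get("organizer", {}).get("emailAddress", {}).get("address", "")
    return bool(organizer_email) and org.lower() == organizer_email.lower()


def select_for_purge(events, ical_uid, organizer_email=None):
    return [e["id"] for e in events if matches_malicious_invite(e, ical_uid, organizer_email)]


def _request(method, url, token, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        url, data=data, method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None


def list_events_by_uid(user_id, ical_uid, token):
    """Fetch a mailbox's events with the given iCalUId, following @odata.nextLink."""
    query = urlencode({"$filter": f"iCalUId eq '{odata_quote(ical_uid)}'",
                       "$select": "id,subject,iCalUId,organizer"}, quote_via=quote)
    url = f"{GRAPH}/users/{quote(user_id)}/events?{query}"
    events = []
    while url:
        page = _request("GET", url, token)
        events.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return events


def purge_tenant(user_ids, ical_uid, token, dry_run=True):
    """Return {user: [event ids]} matched per mailbox; delete them unless dry_run."""
    report = {}
    for user_id in user_ids:
        hits = select_for_purge(list_events_by_uid(user_id, ical_uid, token), ical_uid)
        if hits and not dry_run:
            for event_id in hits:
                _request("DELETE", f"{GRAPH}/users/{quote(user_id)}/events/{event_id}", token)
        report[user_id] = hits
    return report


# Constructed records in the shape Graph returns for /users/{id}/events.
SAMPLE_EVENTS = [
    {"id": "evt-1", "subject": "Urgent: Domain Renewal Failure",
     "iCalUId": "constructed-sample-0001@example.invalid",
     "organizer": {"emailAddress": {"address": "helpdesk@example.invalid"}}},
    {"id": "evt-2", "subject": "Weekly sync",
     "iCalUId": "legit-uid-0002@example.invalid",
     "organizer": {"emailAddress": {"address": "manager@example.invalid"}}},
    {"id": "evt-3", "subject": "Urgent: Mailbox Quota",
     "iCalUId": "constructed-sample-0003@example.invalid",
     "organizer": {"emailAddress": {"address": "HelpDesk@example.invalid"}}},
]

if __name__ == "__main__":
    print(select_for_purge(SAMPLE_EVENTS, "constructed-sample-0001@example.invalid"))
    print(select_for_purge(SAMPLE_EVENTS, "none", organizer_email="helpdesk@example.invalid"))
```

Run `purge_tenant` with dry_run=True first and review the per-mailbox hit list; the organizer fallback is intentionally only used from `select_for_purge` when you pass it explicitly, because a spoofed or compromised internal organizer would otherwise sweep up legitimate meetings.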
4. Advanced Token Management
Implementing Token Protection (also known as token binding) ensures that tokens are bound to the specific device that requested them. This makes it significantly harder for attackers to use stolen tokens from their own infrastructure. Additionally, reducing the lifespan of access tokens and enforcing strict session revocation policies can limit the window of opportunity for an attacker after a successful CalPhishing campaign interaction.
Conclusion
The CalPhishing campaign is a stark reminder that the perimeter of corporate security is no longer just the network or the inbox—it is the very schedule of the modern employee. By weaponizing the trust inherent in calendar notifications and exploiting the technical nuances of the OAuth device code flow through the EvilTokens kit, threat actors have found a potent bypass for traditional MFA and email security. For CISOs and security practitioners, the mandate is clear: it is time to look beyond the inbox and secure the calendar before the next “tentative” meeting leads to a total environment compromise.
Written by
TempMail Ninja
Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.


