It might look like a simple calendar invite, but these innocuous text files can hide a multitude of threats – here’s how.
Calendar invites are one of the most common things we see in our email inboxes. They’re from colleagues for meeting requests, invites from clients or partners to attend an event, or even just a reminder that an office pub lunch is coming up.
But as common as they are, they are sadly far from innocent, and hackers are increasingly turning to the popular iCalendar invite format to deploy all manner of malware or engage in phishing campaigns.
The issue, according to a new blog post from Rapid7, is the simplicity of the .ics format. This text-based format is designed to work seamlessly across Outlook, Google Calendar, and Apple platforms – and many more besides.
“Each invite contains a structured list of fields like SUMMARY, LOCATION, DESCRIPTION, and ATTACH. Within these, attackers have found an opportunity: they can embed URLs, malicious redirects, or even base64-encoded content,” Rapid7 Labs said.
“The result is a file that appears completely legitimate to a calendar client, yet quietly delivers the attacker’s message, link, or payload.”
These plain text files can easily slip past the usual security controls, and .ics files aren’t treated as seriously as some other file formats. In addition, their ubiquity makes them oddly trusted – we all get them, all the time.
The .ics attack chain
Attackers abusing this technique often rely on layers of social engineering. They use a professional-looking name and other details, often spoofed from a legitimate organisation, and create a sense of urgency with calls to action such as “Your access expires in 15 minutes – join now”.
The automation of the format also helps, with external invites automatically added to a user’s daily schedule.
Links inside the LOCATION or DESCRIPTION fields are also easily manipulated to point to document-sharing sites or fake login pages.
“The real danger of malicious calendar invites isn’t just the link inside, it’s the automatic delivery mechanism. In certain configurations, Outlook and Google Calendar will automatically process .ics attachments and create tentative events, even if the user never opens or even receives the email,” Rapid7 said.
“That means the malicious link is now part of the user’s trusted interface with their calendar.”
Even if the initial email might look suspicious, the calendar reminder that pops up later will seem like just a part of the daily work schedule. As Rapid7 said, “It’s phishing that moves in quietly and waits.”
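The fields described above can be triaged mechanically before an invite lands in a calendar. The following is an added example, not code from Rapid7 or from this article: it unfolds an .ics file, then reports URLs in SUMMARY, LOCATION, DESCRIPTION and ATTACH, plus any inline base64 attachment. The function names, the sample invite and its example.test hosts are constructed for illustration.

```python
import re

WATCHED = {"SUMMARY", "LOCATION", "DESCRIPTION", "ATTACH"}
URL_RE = re.compile(r'https?://[^\s<>"]+', re.I)

def unfold(text):
    # RFC 5545 folding: a line break plus one space/tab continues the line.
    return re.sub(r"\r?\n[ \t]", "", text).splitlines()

def split_line(line):
    # Split "NAME;PARAM=x:value" at the first colon outside double quotes.
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            name, *params = line[:i].split(";")
            return name.upper(), [p.upper() for p in params], line[i + 1:]
    return None

def unescape(value):
    # Undo iCalendar TEXT escaping: \n or \N is a newline; \, \; \\ are literals.
    return re.sub(r"\\([nN,;\\])", lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)

def scan_ics(text):
    """Return (field, kind, detail) tuples for content worth reviewing."""
    findings = []
    for line in unfold(text):
        parsed = split_line(line)
        if parsed is None or parsed[0] not in WATCHED:
            continue
        name, params, value = parsed
        if name == "ATTACH" and "ENCODING=BASE64" in params:
            # Inline binary attachment: report its encoded length, not its content.
            findings.append((name, "inline-base64", len(value)))
            continue
        for url in URL_RE.findall(unescape(value)):
            findings.append((name, "url", url))
    return findings

# Constructed sample invite; the DESCRIPTION URL is folded across two lines.
SAMPLE = "\r\n".join([
    "BEGIN:VCALENDAR", "VERSION:2.0", "BEGIN:VEVENT",
    "SUMMARY:Your access expires in 15 minutes - join now",
    "LOCATION:https://login.example.test/meet",
    "DESCRIPTION:Review the document\\nhttps://docs.example.test/share?id=1",
    " 23&src=cal",
    "ATTACH;ENCODING=BASE64;VALUE=BINARY;FMTTYPE=text/html:PGh0bWw+PC9odG1sPg==",
    "END:VEVENT", "END:VCALENDAR",
])
```

Calling `scan_ics(SAMPLE)` returns three findings; a scanner that matched URLs line by line without unfolding would report the DESCRIPTION link truncated at `id=1`.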
What can you do?
Attacks that abuse the .ics format are becoming more common, so here are some practical steps that can keep the hackers at bay:
“The next time an unexpected meeting appears in your calendar, it might be more than just a double-booking,” Rapid7 said.
“It could be a reminder that security isn’t only about blocking malware, but about questioning what we assume to be safe.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.