October 1, 2019
What's the issue?
Cybercriminals are exploiting design weaknesses in calendar applications from Apple, Google and Microsoft that allow malicious links and files to be placed on a victim's calendar without their knowledge or authorization. If clicked, these links and attachments can lead to ransomware, data breaches, and other financial scams.
The attack comes in the form of a calendar invitation sent to the target victim’s email. A default feature in calendar applications automatically adds the appointment to the victim’s calendar as soon as the email invitation is received. The victim can delete the email invitation, but the appointment will remain on their calendar. These invitations are automatically placed on the calendar as tentative, “greyed out” in some cases, but any links will be active and any attachments available to open. The appointment could be scheduled days, weeks or months out from when the email was received. When the victim arrives at that day, or is perusing their calendar and comes across it, a natural reaction would be to click on the link or file for details. By then, deleting the original email from the inbox may be long forgotten.
The criminals are hoping most users will click on these malicious links and/or files because users are more likely to have their guard down with items that are already on their calendar. Pop-up reminders for tentative appointments are active and will be seen, adding to the persuasion to click.
Clicking “Decline” on the invitation is problematic for two reasons. Most email calendar applications send a notification to the sender that it was declined, confirming to the criminals that they are sending to a valid email address. The second problem is that the invitation itself may be fake or altered, and clicking any of its buttons or links may cause infection or compromise.
Reported examples of these calendar invitations are crafted to look like they are from trusted brands like Apple and Samsung, related to a product purchase or repair. Better crafted and targeted ones can look like internal meetings and may even appear to come from an email address the user is familiar with, or directly from someone’s email that has been compromised.
What should I do?
Currently there is no solution or setting from these vendors that can prevent tentative appointments from being placed on your calendar automatically. However, there are a few settings that can minimize your exposure.

Microsoft has an option in Outlook under Options > Mail > Tracking > “Automatically process meeting requests and responses to meeting request and polls”, which you should uncheck so that appointments will not automatically show up on your calendar unless you click on the email invitation. With this option disabled, if you see an invite you were not expecting and believe it to be suspicious, you can keep it off your calendar by dragging it to your Deleted Items without opening it, or by clicking the Trash Can immediately. The technical community has asked Microsoft for more than a decade to address the issue, but Microsoft has stated in the past on forums that it would be a “functional drawback” to allow the user to disable placing calendar invites on a calendar, even when the invite is from an unknown source.

Google has a switch to “only show invitations to which I have responded” which should also help minimize your risk, but researchers report it is relatively easy to bypass through the Google API. In the past few weeks, Google agreed this is an issue and has promised a solution. Apple has yet to address the issue.
If you receive a suspicious or unwanted email invitation, make sure to delete the email in your inbox and the appointment in your calendar, and remember to choose not to notify the sender/organizer when asked.
Here are some other things you can do now to reduce your risk:
- As with regular email spam, there are ways to identify some questionable or malicious emails and calendar invites. Ensure you and your staff are trained to recognize suspicious communication traits such as unknown senders and unexpected invitations.
- Use a strong, reputable brand of anti-virus.
- Use professionally configured and managed corporate and personal endpoint firewalls.
- Consider employing an email scanner that catches toxic links and attachments.
- Ensure all your devices’ BIOS, operating system, Office Suite, web browser and other applications are fully patched and up to date.
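As an added example (not part of the original alert or any vendor's software), the following Python check scans the text/calendar (.ics) part of an invitation for the traits described above: an organizer outside a trusted domain list, links in the event body, an attached file, and a start date far in the future. The sample invitation and the trusted domain `corp.example` are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample invitation showing the traits the alert describes.
SAMPLE_ICS = """BEGIN:VCALENDAR
BEGIN:VEVENT
ORGANIZER;CN=Support:mailto:billing@example-unknown.test
DTSTART:20991105T140000Z
SUMMARY:Your repair order is ready
DESCRIPTION:Review the invoice at https://example-unknown.test/invoice
ATTACH;FMTTYPE=application/pdf:https://example-unknown.test/invoice.pdf
END:VEVENT
END:VCALENDAR"""

def parse_vevent(ics_text):
    """Return the first VEVENT's properties as {NAME: [values]}."""
    unfolded = re.sub(r"\r?\n[ \t]", "", ics_text)  # RFC 5545 line unfolding
    props, in_event = {}, False
    for line in unfolded.splitlines():
        if line == "BEGIN:VEVENT":
            in_event = True
        elif line == "END:VEVENT":
            break
        elif in_event and ":" in line:
            name_params, value = line.split(":", 1)  # params follow ';'
            props.setdefault(name_params.split(";")[0].upper(), []).append(value)
    return props

def assess_invite(ics_text, trusted_domains, now=None, horizon_days=60):
    """Return the suspicious traits found; an empty list means nothing flagged."""
    now = now or datetime.now(timezone.utc)
    props = parse_vevent(ics_text)
    findings = []
    organizer = props.get("ORGANIZER", [""])[0].lower()
    domain = organizer.rsplit("@", 1)[-1] if "@" in organizer else ""
    if domain not in trusted_domains:
        findings.append("organizer domain not trusted: " + (domain or "<none>"))
    for field in ("DESCRIPTION", "LOCATION", "URL"):
        if any(re.search(r"https?://", v, re.I) for v in props.get(field, [])):
            findings.append("link in " + field)
    if "ATTACH" in props:
        findings.append("invitation carries an attachment")
    for start in props.get("DTSTART", []):
        if start.endswith("Z"):  # only UTC timestamps handled in this example
            dt = datetime.strptime(start, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
            if dt - now > timedelta(days=horizon_days):
                findings.append("event scheduled more than %d days out" % horizon_days)
    return findings
```

Run against the sample, `assess_invite(SAMPLE_ICS, {"corp.example"})` reports all four traits; an internal invite from a trusted organizer with no links or attachments returns an empty list.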
Note to NPC Clients:
Your NPC system includes a strong anti-virus suite, is fully patched, and has a properly configured and enabled firewall to protect you from malicious links and files. You should, nonetheless, always avoid clicking on unknown links and files as an additional layer of defense.
NPC will continue to monitor this threat vector and advise any developments. We will update this alert if/when a technical resolution is available.