
Calendar-Invite Phishing: The Lure That Lands in Your Diary
Most people have learned to eye their inbox with a little suspicion. Their calendar is another matter. A meeting invite feels like an appointment, something to be actioned rather than interrogated, and attackers have noticed. Calendar-invite phishing plants the lure directly in your diary, often before you have opened a single email, and trades on the quiet trust we place in our own schedule.
It is a small shift in delivery with an outsized effect, because it sidesteps the wariness people reserve for the inbox and lands on a surface they rarely question.
At a glance: an attacker sends a meeting invitation that automatically adds itself to the target’s calendar. It looks like an ordinary event, complete with a link to join or to review a document. The link leads to a fake login page or a malicious download, and the compromise follows. The defence is to strip away the automatic trust: control auto-added invites, and treat an unexpected calendar link exactly like an unexpected email link.
Why the calendar is such an effective surface
Three things make it work. First, on many default configurations an invitation is added to the calendar automatically, so it appears whether or not the recipient accepts, and sometimes without the covering email being read at all. Second, a diary entry carries an air of legitimacy: it looks like something a colleague or system set up, not something a stranger sent. Third, calendars are increasingly cluttered and quickly skimmed, so a plausible-looking event with a familiar title slips through with little scrutiny.
Put those together and you have a message that reaches the target, looks trustworthy, and is unlikely to be examined closely. That is a strong hand for an attacker.
How a calendar-invite phishing attack works

The sequence is simple. An invitation arrives and appears in the calendar, frequently with a reminder that nudges the recipient at just the right moment. The event looks routine: a review meeting, a shared document, a voicemail notification, or an urgent one-to-one. It carries a link to join the call or open the file. That link leads to a convincing fake sign-in page or to a download that drops malware. From there the attacker has what they came for, whether that is credentials, a session token, or a foothold on the device.
Some variants lean on urgency, scheduling the fake meeting for a few minutes away so the recipient clicks in a hurry. Others impersonate well-known platforms so the join button feels entirely normal.
The warning signs worth sharing
- An event you do not remember accepting, especially one that appeared on its own.
- An organiser you do not recognise, or a familiar name paired with an unfamiliar address.
- A join or review link that asks you to log in again, particularly for a service you are already signed into.
- Pressure baked into the timing, such as a meeting set to start almost immediately.
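Three of these signs can be checked mechanically on the invite itself before anyone sees it. The sketch below is an added example, not part of the original article or any vendor's product: it parses a raw iCalendar (.ics) invite and flags an unrecognised organiser, a link on an unknown host, and a start time minutes after receipt. The allow-lists, the 15-minute window, the function names and the sample invite are all assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Assumed policy values for illustration; replace with your organisation's own.
TRUSTED_ORG_DOMAINS = {"example.com"}
KNOWN_MEETING_HOSTS = {"meet.example.com"}
URGENT_WINDOW = timedelta(minutes=15)

SAMPLE_INVITE = (  # constructed sample, not a real invite
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\n"
    "ORGANIZER;CN=Finance Team:mailto:finance@examp1e.test\r\nDTSTART:20250101T090500Z\r\n"
    "DESCRIPTION:Sign in to review the document:\\nhttps://login.examp1e.test/\r\n"
    " review\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n"
)

def parse_event(ics_text):
    """Return {property: value} for the first VEVENT after RFC 5545 line unfolding."""
    lines = re.sub(r"\r?\n[ \t]", "", ics_text).splitlines()
    props, inside = {}, False
    for line in lines:
        if line == "BEGIN:VEVENT":
            inside = True
        elif line == "END:VEVENT":
            break
        elif inside and ":" in line:
            name, value = line.split(":", 1)
            props.setdefault(name.split(";", 1)[0].upper(), value)
    return props

def triage(ics_text, received_at):
    """Return the warning signs found in one invite, given when it was received."""
    ev, flags = parse_event(ics_text), []
    # Sign: organiser outside the domains you expect invites from.
    if ev.get("ORGANIZER", "").lower().rpartition("@")[2] not in TRUSTED_ORG_DOMAINS:
        flags.append("unrecognised-organiser")
    # Sign: a join/review link on a host that is not a known meeting platform.
    text = " ".join(ev.get(k, "") for k in ("URL", "LOCATION", "DESCRIPTION"))
    for url in re.findall(r"https?://[^\s\\<>\"]+", text):
        host = (urlparse(url).hostname or "").lower()
        if host not in KNOWN_MEETING_HOSTS:
            flags.append(f"unknown-link-host:{host}")
    # Sign: pressure in the timing (only UTC start times are checked here).
    start = ev.get("DTSTART", "")
    if start.endswith("Z"):
        begins = datetime.strptime(start, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
        if timedelta(0) <= begins - received_at <= URGENT_WINDOW:
            flags.append("starts-almost-immediately")
    return flags
```

A flagged invite is a candidate for quarantine or a banner, not proof of phishing; the first sign in the list (an event nobody accepted) depends on calendar state and is not visible in the file alone.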
How to shut it down
Change the default that auto-adds invites
Where your platform allows it, stop invitations from unknown senders being added to calendars automatically, or set them to appear only tentatively until accepted. Removing the automatic foothold is the single most effective step.
Treat calendar links like email links
Teach staff that a link inside an invite deserves the same caution as one in an email: check the address before clicking, and never re-enter credentials on a page reached this way. If a meeting is genuine, it can be reached through the real application.
Strengthen the accounts behind the calendar
Because the payoff is usually stolen credentials, phishing-resistant MFA such as passkeys blunts the attack even if someone clicks, since there is no reusable secret to capture on the fake page.
Make reporting easy and rehearse it
Give people a simple way to report a suspicious message, invite or otherwise, and include calendar-based lures in your realistic simulations so the tactic feels familiar when it appears for real.
The bottom line
Calendar-invite phishing succeeds by borrowing the trust we place in our own diary and dodging the scrutiny we save for email. The remedy is to remove that unearned trust: control what can add itself to a calendar, treat every unexpected invite link with the same suspicion as an email link, and back it up with phishing-resistant authentication so a stray click does not become a breach. A diary entry is a claim on your attention, not proof that it is safe.
