Dangerous Design Flaw in Outlook Calendar Hackers Can Easily Exploit (Event Injection Vulnerability)
“Most email programs automatically add calendar invites emailed to you into your calendar, whether you accept or not; Outlook adds them even if you delete the emailed invitation. This presents a dangerous phishing risk.”
A Dangerous New Phishing Attack
Email is an essential part of daily life for most of us, no matter our industry or profession. Still, like the rest of the Internet, it comes with inherent risks we should all be aware of.
Phishing, or hacking by email, is an attack in which clicking a link or downloading an attachment in an email lets a hacker take control of your computer, or sends you to a fake page built to harvest the usernames and passwords for your various accounts.
Calendar Invites Contain Links and Attachments Too
Links and attachments in a calendar invite behave the same as in emails. The same dangerous link or malicious attachment in an email will have the same effect when clicked or downloaded from within a calendar invite.
Calendar Invites Are Automatically Added to Your Calendar
By default, most email programs automatically add calendar invites emailed to you into your calendar, whether or not you accept them.
In desktop Outlook, even if you delete the emailed calendar invite, the meeting still appears in your calendar. In fact, the only way to ensure the invite is not scheduled is to decline it manually.
Caught on the Hook
Imagine a hacker sends you a malicious meeting request for some date and time 2 weeks from now. You are smart, you recognize the email as malicious, and you do the right thing: you delete it. Since it was malicious, you didn't interact with the email. In fact, you didn't even look at it to see when that meeting was scheduled.
Now, 2 weeks later, you are in the middle of a very busy day. A half dozen notifications have been popping up on your screen since you logged in. Another notification comes in: it's the malicious invite. In a rush, you open your calendar and click the link to join the meeting. Congratulations. You've been hacked.
This isn't the only way a hacker can use your Outlook calendar against you. A hacker might want to make your life miserable by sending you hundreds of calendar invites on different dates, now and in the future. Reminders for them pop up constantly, disturbing your workday and costing you time as you delete them one by one from your calendar.
Even worse, a hacker could pick up the phone right now and call you saying, “I’m with Microsoft and we know you got a stream of invites. We can help you delete them… just go to this site so we can remote in.” You’re now hacked.
There are endless possibilities.
Avoiding the Bait
I said before that you have the option to decline invites. But should you?
It’s like opening Pandora’s box. Asking anyone to interact in any way with a malicious email is a recipe for disaster.
There’s a Way to Disable This Right?
Right, for most email programs. Google, for example, lets you disable the feature that automatically adds meeting requests to your calendar.
Wrong, if you're on desktop Outlook, where there is no way to disable this. And since desktop Outlook is one of the most widely used email clients for businesses, the impact could be huge.
What Can I Do?
So, what can you do? If you aren’t using Outlook as your email client, find out how to disable this feature and do it right away.
If you are using Outlook, or if you don't want to disable this feature, treat each calendar invite the same way you would treat any other email: compare the Organizer Name to the Organizer's Email Address to make sure they match, hover over every link to see where it is truly taking you, and do not download any attachment you weren't expecting or that seems out of the ordinary.
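The checks in the paragraph above (organizer name against organizer address, and where each link really points) can be run on the .ics attachment itself before the invite lands in anyone's calendar. What follows is an added example, not code from the article, from Outlook or from Secure Guard Consulting; it uses only the Python standard library, the invite it inspects is constructed, and it adds one check the article does not list: comparing the organizer's address with the address the message was sent from.

```python
import re
from urllib.parse import urlparse

# Constructed sample invite (not a real message): the display name claims a
# corp.example address, the mailto: address is on another domain, the join link
# is on a third host, and the ORGANIZER line is folded as RFC 5545 allows.
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR", "BEGIN:VEVENT", "SUMMARY:Quarterly review",
    'ORGANIZER;CN="Jane Doe <jane.doe@corp.example>":mailto:jane.doe@',
    " mail.example.net",
    "DESCRIPTION:Join here: https://login.example.net/join?id=1",
    "LOCATION:https://mail.example.net/rooms/4",
    "END:VEVENT", "END:VCALENDAR",
])
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def split_content_line(line):
    """Split 'NAME;PARAM=v;PARAM="a:b":value' at the first colon outside quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            break
    else:
        return "", {}, ""  # no property value on this line
    name, *raw = re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', line[:i])  # ';' outside quotes
    params = {k.upper(): v.strip('"') for k, _, v in (p.partition("=") for p in raw)}
    return name.upper(), params, line[i + 1:]

def triage_invite(ics_text, envelope_sender):
    """Article's checks: name vs organizer address, organizer vs sender, off-domain links."""
    organizer, claimed, urls = "", "", []
    for line in re.sub(r"\r?\n[ \t]", "", ics_text).splitlines():  # unfold first
        name, params, value = split_content_line(line)
        if name == "ORGANIZER":
            organizer = re.sub(r"^mailto:", "", value, flags=re.I).lower()
            m = EMAIL_RE.search(params.get("CN", ""))  # address the display name claims
            claimed = m.group(0).lower() if m else ""
        elif name in ("DESCRIPTION", "LOCATION", "URL"):
            urls.extend(URL_RE.findall(value))
    domain = organizer.rpartition("@")[2]
    hosts = {u: urlparse(u).hostname or "" for u in urls}
    off_domain = [u for u, h in hosts.items() if h != domain and not h.endswith("." + domain)]
    checks = {"organizer-name-mismatch": bool(claimed) and claimed != organizer,
              "sender-mismatch": organizer != envelope_sender.lower(),
              "off-domain-links": bool(off_domain)}
    return {"organizer": organizer, "claimed": claimed, "off_domain_links": off_domain,
            "flags": [k for k, hit in checks.items() if hit]}
```

A mail gateway or a mailbox rule can quarantine invites that raise any flag, so the recipient never has to decide whether to touch the message.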
Maybe one day Microsoft will fix this.
~Kaushal Kothari, President, Secure Guard Consulting
About the Author
Kaushal Kothari, a certified ethical hacker and former FDIC IT Examination Analyst, is President of Secure Guard Consulting, a premier cybersecurity and IT audit company. Mr. Kothari is also the founder of the Certified Social Engineer® (C|SE®) certification program and creator of cyberescaperooms.com where security awareness training is made fun by using virtual cyber escape rooms.
For more information on phishing attacks and how to avoid them, visit blog.secureguardconsulting.com.
Contact me by email at firstname.lastname@example.org or phone at 515–229–5674.