Microsoft 365 Groups and CalPhishing: phishing that hides in routine work
Fortra's Intelligence and Threat Management team reported on June 23, 2026 that attackers are abusing Microsoft 365 collaboration features to make phishing look like ordinary work. The attacker adds you to a Microsoft 365 Group they control, then pushes the lure through the group mailbox, shared files and Outlook calendar invites, so it blends into the tools you already trust and slips past some email filters. The calendar angle, which Fortra calls CalPhishing, is the persistent one: an .ics invite drops the lure straight onto your calendar, where reminders keep bringing it back even after you delete the email. Here is the mechanic, how it differs from generic calendar scams, and how to spot it.
Quick Take: phishing inside Microsoft 365 collaboration tools
CalPhishing is a Microsoft 365 and Outlook attack where the criminal first adds you to an attacker-controlled Microsoft 365 Group, then delivers phishing through the group mailbox, shared files and calendar invites so it looks like a routine work task instead of a suspicious email. Fortra documented the technique on June 23, 2026, and Help Net Security reported it the same day. The hook is trust: a Microsoft 365 Group invite, a shared document, or a meeting on your Outlook calendar all feel like normal collaboration, and because the content arrives through these features rather than a plain inbound email, it can dodge some email filters. The calendar piece is what makes it stick. A malicious .ics invite places an event directly on your calendar, where reminders resurface even after you delete the original message, so over time the event starts to look like an unfinished task you keep meaning to handle. When you finally open it and click the link or the shared file, you land on a fake Microsoft 365 sign-in page that harvests your password and session token. The defense is the same as for any phishing: do not enter credentials from a link inside an invite or shared file, and verify the link before it opens. This is the Microsoft 365 and Outlook Groups version of calendar phishing, not the Google Calendar invoice scam we covered separately.
What Fortra reported
On June 23, 2026, Fortra's Intelligence and Threat Management team published research showing how attackers abuse Outlook Groups and Microsoft 365 collaboration features to make phishing campaigns appear routine. Help Net Security covered the same research that day. Daud Jawad, a security engineer on Fortra's team, is quoted in the reporting. The core idea is that instead of relying on a single phishing email that a filter might catch, the attacker spreads the attack across several trusted Microsoft 365 surfaces so it reads as normal collaboration.
That distribution is also a defender problem in its own right. Fortra warned that these attacks can complicate investigations because the activity is spread between email, Microsoft 365 Groups, shared files and calendar events, so there is no single message to point at when something goes wrong.
How the attack starts: the Microsoft 365 Group
The attack begins when a target is added to, or invited into, a Microsoft 365 Group the attacker controls. That membership is the believable entry point. The group's name, description or welcome message is crafted to create urgency, often using workplace themes such as payroll updates, contract renewals, supplier requests or mandatory training notices. None of that feels like phishing, because group membership and onboarding messages are part of how Microsoft 365 collaboration normally works.
Once you are in the group, the attacker has multiple channels to reach you. According to Fortra, the follow-up content lands through one of three routes: the group mailbox, shared files, or calendar invitations. Each one arrives wrapped in the legitimacy of a Microsoft 365 feature, which is the entire point.
CalPhishing: the Outlook calendar as a persistent lure
CalPhishing, short for calendar phishing, is the part of this campaign that uses Outlook and Microsoft 365 calendar features to deliver lures through meeting invitations and .ics files. An .ics file is the standard calendar-invite format, and it can place an event directly onto a victim's calendar. That single capability is what makes the technique so durable.
Fortra describes the value of CalPhishing as repeated exposure. A user might ignore the initial email, then later notice the calendar event, open the invitation, read the description, click a link, or access a referenced file. Over time, the event can start to look like an unfinished work task, while calendar reminders keep bringing it back into view. In other words, the lure does not depend on you reading one email at one moment. It moves into your calendar and waits, resurfacing on its own schedule, even if you deleted the message that delivered it.
Fortra notes the attackers use one of four CalPhishing techniques to deliver this follow-up content, though the specific four are detailed in Fortra's own research rather than the summary coverage. The principle that matters for you is the same across all of them: a calendar invite or its description carries a link or a referenced file that leads somewhere malicious.
Shared files: fake documents, QR codes and credential pages
The shared-file channel works the same way the calendar one does: it borrows the legitimacy of a Microsoft 365 collaboration feature. A shared document, posted into the group or referenced from a calendar event, can be a fake invoice, a fake contract, or a notice that asks you to review and approve something. The document itself may carry a link, or it may show a QR code that moves the attack onto your phone, away from the desktop controls and email scanning your organization relies on.
Whatever the wrapper, the destination is the dangerous part. Fortra states that victims may be prompted to review a document, approve a request, sign in to an account, or download a file, and that the final action can lead to credential theft, token theft, malware delivery, data exposure or further social engineering. The fake sign-in page is the most common payoff: a lookalike Microsoft 365 login that captures your username, password and, if the attack proxies your session, your authenticated token. Token theft is what lets an attacker stay signed in even after MFA, which is why the same kits often pair with the device code phishing and Kali365-style session-stealing techniques we have covered.
How this differs from the Google Calendar scam
If this sounds like the calendar scams you have heard about before, the difference is the platform and the abuse path. The widely reported Google Calendar invite scam works because Google Calendar can auto-add events from incoming Gmail invites, so a stranger's event with a fake invoice or prize link appears on a personal calendar without you accepting anything. That is a consumer Gmail and Google Calendar problem.
The Microsoft 365 version is a workplace problem with an extra step. Here the attacker first establishes a foothold by adding you to a Microsoft 365 Group, then uses Outlook calendar invites and shared files as delivery channels within that trusted context. It is not just a stray calendar event from an unknown sender. It is an orchestrated abuse of group membership, the group mailbox, shared files and the calendar together, designed to read as internal collaboration. The lesson carries across both: a calendar event is a delivery mechanism, not a guarantee that something is legitimate, no matter which platform it lives on.
Why it slips past defenses
Several things line up in the attacker's favor here.
- It rides trusted features. Group invites, shared files and calendar events are normal parts of Microsoft 365 collaboration, so they do not trip the mental alarm a cold email from an unknown sender would.
- It can dodge some email filters. When the lure arrives as group content, a shared file or a calendar invite rather than a classic inbound phishing email, it can avoid controls tuned to scan the email body for links and attachments.
- The calendar makes it persistent. Even if you delete the message, an .ics event stays on your calendar and its reminders keep resurfacing, so a lure you dismissed once gets repeated chances.
- It is hard to investigate. Because the activity is spread across email, Groups, shared files and calendar events, defenders cannot point at one message, which slows response.
Red flags inside Microsoft 365
The page you eventually land on may be a convincing fake, so the signal is everything that happens before you reach a login.
- You were added to a Microsoft 365 Group you did not ask to join. An unexpected group, especially one with an urgent, administrative or account-related theme, deserves the same suspicion as an unexpected email.
- A calendar event you do not remember accepting. An .ics invite that placed an event on your Outlook calendar, with a description that pushes you to review a document or sign in, is a classic CalPhishing setup.
- A shared file that asks you to log in to view it. Legitimate Microsoft 365 sharing does not usually bounce you to a separate sign-in page. A login prompt after clicking a shared file is a strong tell.
- Workplace urgency themes. Payroll changes, contract renewals, supplier requests and mandatory-training notices are the exact themes Fortra observed. Urgency plus an administrative theme is the combination to distrust.
- A QR code inside a shared document. A QR code that moves you to your phone to sign in is an attempt to leave the desktop controls behind. Treat it like any other unverified link.
- The login URL is not the exact Microsoft domain. Look at the real address bar, not at any branding on the page. Microsoft sign-in happens on login.microsoftonline.com and related official hosts, never on a lookalike.
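The calendar and login-host red flags above can be checked mechanically on a saved invite. This is an added example, not code from Fortra or SafeBrowz: it unfolds an .ics file, pulls links out of the event fields, counts reminders, and compares each host with the official sign-in host. The host lists, function names and the sample invite are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# login.microsoftonline.com is named in the article; every other list entry is an assumption.
OFFICIAL_SIGNIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.live.com"}
MICROSOFT_DOMAINS = ("microsoft.com", "microsoftonline.com", "office.com", "live.com")
BRAND_HINTS = ("microsoft", "office365", "o365")
LINK_PROPS = {"SUMMARY", "DESCRIPTION", "LOCATION", "URL", "ATTACH", "X-ALT-DESC"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def unfold(ics_text):  # RFC 5545 folding: a line break plus space/tab continues the line
    return re.sub(r"\r?\n[ \t]", "", ics_text).splitlines()

def unescape(value):  # undo RFC 5545 TEXT escapes so an escaped newline or comma ends a URL
    return re.sub(r"\\([nN,;\\])", lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)

def classify_host(host):
    host = (host or "").lower().rstrip(".")
    if host in OFFICIAL_SIGNIN_HOSTS:
        return "official-signin"
    if any(host == d or host.endswith("." + d) for d in MICROSOFT_DOMAINS):
        return "microsoft-domain"   # on the Microsoft list, but not a sign-in host
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return "idn-host"           # Unicode or Punycode host: inspect by hand
    if any(hint in host for hint in BRAND_HINTS):
        return "lookalike"          # brand name on a host outside the lists above
    return "unverified"

def scan_invite(ics_text):
    """Return the reminder count and (property, host, verdict) for each link in a VEVENT."""
    report, in_event = {"reminders": 0, "links": []}, False
    for line in unfold(ics_text):
        upper = line.strip().upper()
        if upper in ("BEGIN:VEVENT", "END:VEVENT"):
            in_event = upper.startswith("BEGIN")
        elif in_event and upper == "BEGIN:VALARM":
            report["reminders"] += 1   # each alarm is one more resurfacing of the event
        elif in_event:
            name = re.match(r"[A-Za-z0-9-]+", line)
            if name and name.group().upper() in LINK_PROPS:
                for url in URL_RE.findall(unescape(line[name.end():])):
                    try:
                        host = urlsplit(url.rstrip(".,;)")).hostname
                    except ValueError:
                        host = None
                    report["links"].append((name.group().upper(), host, classify_host(host)))
    return report

SAMPLE_ICS = (  # constructed invite, not from a real campaign; DESCRIPTION is folded
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\nSUMMARY:Mandatory training\r\n"
    "DESCRIPTION:Sign in to confirm\\nhttps://login-microsoftonl\r\n"
    " ine.secure-docs.example/common/oauth2\\, today.\r\n"
    "LOCATION:https://teams.microsoft.com/l/meetup-join/constructed\r\n"
    "URL:https://login.microsoftonline.com/\r\n"
    "BEGIN:VALARM\r\nACTION:DISPLAY\r\nDESCRIPTION:Reminder\r\nTRIGGER:-PT15M\r\nEND:VALARM\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n")

if __name__ == "__main__":
    print(scan_invite(SAMPLE_ICS))
```

A verdict of "unverified" or "microsoft-domain" is not a clearance to sign in; only an exact match on a sign-in host is treated as official.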
What to do
- Do not sign in from a link inside an invite or shared file. If a calendar event or shared document sends you to a Microsoft 365 login, stop. Open a new tab and go to office.com or your organization's portal yourself. A real sign-in does not need to arrive through a calendar reminder.
- Verify the link before it opens. Copy the link out of the invite or document and check it before you enter anything. A browser-layer scanner that flags the lookalike login host stops you at the only point in the attack where it is beatable.
- Treat unexpected groups, meetings and files like unexpected emails. This is Fortra's own recommendation: apply the same caution to an unexpected group, meeting or shared file that you would to an unexpected email, especially when the theme is urgent, administrative or account related.
- Remove the calendar event and leave the group. Decline and delete the malicious .ics event so its reminders stop resurfacing, and leave the attacker-controlled group. If your tenant admin can remove it, report it so the same group cannot reach colleagues.
- If you signed in, revoke your sessions. Because token theft is a goal here, changing your password is not enough on its own. Sign out of all active sessions in your account security settings, re-enroll MFA, and tell your IT or security team at once. See what to do right after a scam for the full sequence.
How to report it
- Report it to your IT or security team first if it is a work account. A compromised Microsoft 365 session can be used against your whole organization, and fast session revocation by an admin limits the damage. The admin can also remove the malicious group and event for everyone.
- Forward the phishing to Microsoft. Microsoft phishing reports go to [email protected], which helps Microsoft blocklist the campaign.
- In the US, report to the FBI Internet Crime Complaint Center at ic3.gov and to the FTC at reportfraud.ftc.gov if money or account access was lost. In the UK, forward suspicious emails to [email protected] and report to Action Fraud.
- Submit the fake login URL. Report the lookalike sign-in address to Google Safe Browsing and PhishTank so the next person who sees the same invite is warned.
How SafeBrowz helps against CalPhishing
SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI. CalPhishing hides the lure inside trusted Microsoft 365 features, but the link in a calendar invite or a shared file still has to point somewhere, and that destination is checkable.
- Layer 1 - Local detection: 60+ URL pattern signatures plus a 550+ brand database (Microsoft included) plus homograph and Punycode checks, all running inside the extension before the page renders. When you open the link in a calendar invite or shared file and it leads to a Microsoft 365 login on a non-official host, SafeBrowz flags the lookalike before you can type a password.
- Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus and ScamAdviser feeds plus 30+ scam TLD lists to flag hostnames already reported as malicious, which covers known CalPhishing campaign domains.
- Layer 3 - AI deep scan (Premium): 100+ language content analysis flags a brand-new fake Microsoft 365 sign-in page in seconds, including one fronted by a fake document or QR-code step, before it can harvest your credentials.
The free SafeBrowz extension for Chrome, Firefox and Edge (Safari coming soon) and the live SafeBrowz Android app both check the link inside an invite or shared file before it opens and flag the lookalike Microsoft 365 login page used to harvest credentials. Honest scope: SafeBrowz checks the destination link, so it stops you at the fake login. It cannot stop an attacker from adding you to a group or dropping an event on your calendar, which is why removing the event and reporting the group matters too.
Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.
Where browser-layer defense fits
CalPhishing wins by hiding inside the collaboration tools you trust, so you cannot rely on a message looking obviously wrong. The fake page at the end of the chain, though, lives on a host that is not Microsoft's, and that is checkable before it renders. A brand-aware scanner that reads the destination of a link inside a calendar invite or shared file flags a Microsoft-styled login on a non-official host and stops you there. SafeBrowz is a free extension for Chrome, Firefox and Edge (Safari coming soon), plus a live SafeBrowz Android app, that checks every URL before it renders against a 550+ brand database, with 60+ URL pattern signatures and optional AI deep scan. Learn how to spot a Microsoft phishing email, see how to tell if a website is a scam, install SafeBrowz, and never sign in from a link inside an invite.
Install SafeBrowz free
Add the browser extension, or the SafeBrowz Android app, that runs every check in this article automatically. It flags the lookalike Microsoft 365 login that a CalPhishing invite or shared file leads to, before you can type a password. Free forever, with optional Premium AI deep scan at $14.99 per year.
Frequently asked questions
What is CalPhishing?
CalPhishing, short for calendar phishing, is a technique that uses Outlook and Microsoft 365 calendar features to deliver phishing lures through meeting invitations and .ics files that place events directly on a victim's calendar. Fortra reported it on June 23, 2026 as part of a broader campaign that abuses Microsoft 365 Groups and collaboration tools. Its value to attackers is repeated exposure: even if you ignore the first email, the calendar event and its reminders keep resurfacing, so over time the lure starts to look like an unfinished work task you keep meaning to handle.
How do attackers abuse Microsoft 365 Groups?
The attacker adds you to, or invites you into, a Microsoft 365 Group they control. The group's name, description or welcome message uses an urgent workplace theme such as payroll, contract renewal, supplier request or mandatory training to seem legitimate. Once you are a member, the attacker delivers phishing through the group mailbox, shared files or Outlook calendar invites. Because all of these are normal collaboration features, the lure looks like routine work and can avoid email filters tuned to scan inbound messages.
How is this different from the Google Calendar invite scam?
The Google Calendar scam abuses a consumer feature: Google Calendar can auto-add events from Gmail invites, so a stranger's fake invoice or prize event appears on a personal calendar without you accepting it. The Microsoft 365 version is a workplace attack with an extra step. The attacker first adds you to a Microsoft 365 Group, then uses Outlook calendar invites and shared files as delivery channels inside that trusted group context, so it reads as internal collaboration. Both teach the same lesson: a calendar event is a delivery mechanism, not proof that something is legitimate.
What happens if I click the link in a CalPhishing invite?
According to Fortra, you may be prompted to review a document, approve a request, sign in to an account, or download a file, and the final action can lead to credential theft, token theft, malware delivery, data exposure or further social engineering. The most common payoff is a fake Microsoft 365 sign-in page that harvests your username and password, and if the attack proxies your session, your authenticated token. Token theft is what lets an attacker stay signed in even after you pass MFA, so revoking active sessions, not just changing your password, is essential if you entered credentials.
How does SafeBrowz help against CalPhishing?
SafeBrowz checks the link inside a calendar invite or shared file before it opens and flags the lookalike Microsoft 365 login page used to harvest credentials. Its 3-layer engine (Local plus APIs plus AI) compares the destination against a 550+ brand database that includes Microsoft, runs 60+ URL pattern signatures, aggregates Google Safe Browsing, PhishTank and other feeds, and adds a Premium AI deep scan for brand-new fake login pages. It is a free extension for Chrome, Firefox and Edge (Safari coming soon) and a live Android app. It stops you at the fake login, though removing the malicious calendar event and reporting the group to your admin still matters.
Bottom line: CalPhishing works because it hides inside Microsoft 365 collaboration tools you already trust. The attacker adds you to a group, then delivers the lure through Outlook calendar invites and shared files, and the calendar reminders keep it alive even after you delete the email. Treat an unexpected group, meeting or shared file with the same caution as an unexpected email, never sign in from a link inside one, and verify the destination first. Keep SafeBrowz on your browser so the lookalike Microsoft 365 login at the end of the chain is flagged before you can type your password.