Using calendars and meeting invites for initial access
Learn how red team operators can use calendars and meeting invites to gain foothold within an organization's network.
You are working on something and you received a calendar invite with the title “Leave Policy Refresh - Q&A Session”. The invite also has a copy of the updated leave policy attached to it. Curious, you open the attachment to see what has been updated in the new policy while silently that document sent out a reverse shell to the red team operator.
Modern work life runs on calendars. If something is on your calendar, chances are you’ll attend it, prepare for it, or at the very least open it. People trust calendar invites more than regular emails because they feel official. They come with times, names, and subjects that make them look organized and legitimate.
Follow my journey of 100 Days of Red Team on WhatsApp, Telegram or Discord.
Most people don’t think of their calendar as a security risk. It’s just where meetings live, right? But for red teams, calendars can be a hidden goldmine. When used creatively, as demonstrated above, meeting invites can be just as powerful as a phishing email or a malicious link. This is also known as Calendar Phishing.
Here are several ways red teams can use calendar invites as part of a broader attack plan:
1. Malicious Calendar Invites
Red team operators can send fake meeting invites that include links to malicious documents or websites. These invites often appear to come from internal users, like someone from HR, finance, or IT, and carry titles like:
“Q3 Updates”
“New HR Policy Review”
Because the meeting looks routine and the link is inside the calendar invite (not an email), most employees are more likely to click without verifying.
2. Pretext Meetings With Fake Executives
Another way calendar invites and meetings can be leveraged is by sending invites for quick calls where someone impersonates a senior leader. This is often done using simple tricks like keeping their camera off and speaking confidently or using deepfake techonology to impersionate voice. Since it’s “on the calendar,” the meeting feels real, and the employee is more likely to follow instructions like sharing files, credentials, or access.
3. Timing Distractions
Another tactic is to create fake meetings that distract employees at just the right time—like when a phishing email is sent or when a file is being delivered. If the employee is already in a meeting (real or fake), they’re more likely to make rushed decisions.
4. Calendar Reconnaissance
Public or shared calendars can reveal a lot of useful information:
Who is meeting whom, and when
When key staff are traveling or out of office
Recurring vendor or IT meetings (useful for impersonation)
High-pressure times (end-of-quarter reviews, system migrations)
This data can help red teams time their attacks when the target is most distracted or vulnerable.
5. Planting Calendar Malware
Some calendar systems allow attachments or embedded links. In rare cases, attackers can exploit vulnerable calendar systems (like through ICS files or calendar subscriptions) to automatically load harmful content onto a device—especially if calendar syncing is poorly configured.
These calendar-based attacks work because unlike emails, which are often scanned for suspicious content or flagged by filters, calendar invites are seen as harmless and are rarely questioned. The timing of these invites also plays a big role. If a meeting is scheduled toward the end of the day, right before a weekend, or during a busy period, employees are more likely to click on links or download attachments quickly, without proper scrutiny.
Recently, Wired published an article, Google Calendar Malware Is on the Rise. Here’s How to Stay Safe, explaining how attackers are leveraging Google Calendar for spreading malware.
Red Team Notes
Red teams are using calendar invites as an overlooked but effective attack vector. People trust what's on their calendar, making them more likely to click links, download files, or join fake meetings without second-guessing.
Attack techniques include:
- Sending fake invites with malicious links or files.
- Scheduling calls with spoofed identities or deepfakes.
- Distracting targets with meetings during phishing attacks.
- Harvesting intel from shared/public calendars.
- Planting invites that look like routine internal meetings.
Follow my journey of 100 Days of Red Team on WhatsApp, Telegram or Discord.