I've noticed a troubling trend where users are receiving calendar invites that include phishing links disguised as urgent messages about Microsoft domain expirations. The invites often claim to require action and feature links to fake admin portals. While the original email gets quarantined by Avanan, the invites can still be automatically added to users' calendars, making them vulnerable. Users appreciate having these invites on their calendars without needing to accept them, but I'm worried about this security risk. I'm wondering how I can better manage this situation while keeping users comfortable with their calendar functionality. Any suggestions?
4 Answers
I totally get your frustration. A good immediate step could be turning off Outlook's feature that automatically adds meeting invites unless a user manually clicks 'Accept'. You can create a mail flow rule in the Exchange Admin Center that targets external senders for calendar invites. This way, any external invites won't get automatically processed, which will force users to open and review them first. Here's a quick setup:
1. Go to Exchange Admin Center -> Mail Flow -> Rules -> Add (+)
2. Name it: 'Block external calendar invites auto-processing'
3. Set conditions for it to apply only to external senders and email types that are calendar invites.
4. Then, set the header 'X-MS-Exchange-Organization-BypassMeetingMessageProcessing' to true to prevent automatic processing.
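The same rule as the four EAC steps above, expressed in Exchange Online PowerShell. This is an added example, not code from the original answer; it assumes the ExchangeOnlineManagement module is installed and the signed-in account holds a role that can manage transport rules.

```powershell
# Added example (not from the original post): Exchange Online PowerShell
# equivalent of the EAC steps in the answer above.
Connect-ExchangeOnline

# Condition: message arrives from outside the organization and is a calendar
# item (meeting request/update). Action: stamp the bypass header the answer names.
New-TransportRule -Name 'Block external calendar invites auto-processing' `
    -FromScope NotInOrganization `
    -MessageTypeMatches Calendaring `
    -SetHeaderName 'X-MS-Exchange-Organization-BypassMeetingMessageProcessing' `
    -SetHeaderValue 'true' `
    -Comments 'Stop external meeting requests from being placed on calendars without review' `
    -Mode Enforce

# Confirm the rule was stored with the intended condition and action.
Get-TransportRule -Identity 'Block external calendar invites auto-processing' |
    Format-List Name, State, FromScope, MessageTypeMatches, SetHeaderName, SetHeaderValue

# A later reply in this thread reports that Exchange Online now locks this header
# to internal use, so the value set here may not take effect. Before relying on the
# rule, send a test invite from an external mailbox and inspect the delivered
# message's headers to see whether the value survived.
```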
That's a clever idea! Even if it has some limitations, it sounds like it's worth exploring further.
We've noticed this issue too, primarily from certain domains, even some that are flagged as Japanese. What’s worrisome is that these invites show up in users' Teams activity feeds as well. It's definitely an area that needs more scrutiny.
Is it a mystery how these emails are getting delivered at all? I always thought effective email filters would quarantine such obvious spam instead of delivering it. It’s alarming that this is happening.
I’ve only seen a few of these phishing attempts directed at high-level executives in our company, but I've heard they're getting reported more often. It's a serious concern.

Just a heads up, I tried implementing this rule and hit a snag. It seems Microsoft now locks that header to internal use only in Exchange Online, so it's not working as we hoped. I'm still trying to find a solution to keep those unwanted invites out, especially from external sources. Anyone else know of a workaround?