Google Calendar Phishing — How Attackers Use Calendar Invites
Calendar invites bypass email spam filters entirely because they travel through Google's own infrastructure. Here's exactly how the attack works — and the specific signals that reveal a fake invite.
In 2024 and 2025, Google Calendar phishing attacks surged by over 300% according to security researchers. The reason is straightforward: calendar invites are one of the last communication channels where spam filters have minimal effect.
When an attacker sends you a calendar invite, the notification is delivered through Google Calendar's own servers — the same infrastructure that delivers legitimate meeting invites from your colleagues. Gmail sees this as a trusted Google system message, not an external phishing email.
The result: attackers bypass an entire layer of email security, delivering malicious content directly to your inbox and calendar without triggering a single spam rule.
How Google Calendar Phishing Works
The attack requires no technical sophistication. Here's the four-step playbook used in most calendar phishing campaigns:
Attacker creates a Google account
No hacking required. Attackers simply create a free Google account, which takes seconds. The resulting calendar invites appear to come from google.com infrastructure.
Fake event is crafted with a phishing link
The event title uses urgency: "ACTION REQUIRED: Your account will be suspended" or "Payment failed — click to verify." The event description contains the malicious URL, often obfuscated through a URL shortener or redirect.
Invite is sent to target email addresses
Google Calendar sends a standard calendar invitation notification. Gmail delivers it as a calendar-type message — not a promotional or spam email. The message looks identical to a legitimate calendar invite from a colleague.
Victim clicks the link in the event
The event appears in both Gmail and Google Calendar automatically (if auto-accept is enabled). The victim clicks what looks like a legitimate Google notification, landing on a phishing page designed to harvest credentials or payment info.
Real Warning Signs to Look For
The organizer's Google account is brand new, uses a random string of characters, or has no profile information. Legitimate business invites come from verifiable company domains.
"URGENT", "ACTION REQUIRED", "Account suspended", "Payment failed" — calendar events from real services don't use this language. Urgency is a social engineering trigger.
Legitimate calendar invites reference conference rooms, video call links from known providers (Zoom, Meet), or company domains. An unfamiliar URL or a bit.ly/tinyurl link in an event description is a red flag.
You've never communicated with this person, they're not in your company directory, and the event has no context for how they know you.
Some variants use phone numbers instead of URLs — "Call this number to verify your account." These are vishing (voice phishing) attacks delivered via calendar.
If your Google Calendar is set to auto-accept invitations from anyone, the event appears in your calendar before you've made any decision. Legitimate contacts in your org usually don't require manual acceptance.
Why Gmail Spam Filters Miss Calendar Phishing
Gmail's spam filters operate primarily on email headers and body content — sender reputation, SPF/DKIM records, known-bad domains, and content patterns that match phishing templates. Calendar invites bypass every one of these checks.
When a calendar invite is sent, the .ics file travels as a Google Calendar notification, not a regular email. The sending domain is calendar.google.com — a domain Gmail inherently trusts. The SPF and DKIM records pass perfectly because Google is the sender.
Standard spam classifiers are also not trained to parse .ics file content for phishing signals. They look at the email envelope, not the embedded event description. An attacker can write https://steal-your-password.xyz in an event description and no email spam rule will flag it.
Additionally, Google Calendar's default setting "Automatically add invitations" means the event appears in your calendar before you even open the email notification — making it feel like a legitimate scheduled event rather than an incoming threat.
How Gorganizer Detects ICS Phishing
Gorganizer's scoring engine includes the ics-embedded-url-phishing signal, which parses .ics file content inside email attachments and applies URL reputation checks, domain analysis, and phishing pattern matching to any URLs found in DESCRIPTION, LOCATION, or URL fields of calendar events.
Additional signals fire on calendar invites with urgency language in SUMMARY fields, invites from domains with no prior communication history, and events where the organizer email address shows signs of being newly created or bulk-registered.
ics-embedded-url-phishing: Parses .ics attachments for malicious URLs
calendar-urgency-language: Detects urgency patterns in event titles
unknown-organizer-domain: Flags invites from unrecognized domains
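The parsing step described above, as an added sketch that is not Gorganizer's code: it unfolds RFC 5545 content lines, pulls URLs from the DESCRIPTION, LOCATION and URL fields, and applies simplified stand-ins for the three signals. The signal names are reused from the page only as labels; the phrase list, shortener list, the known_domains allow-list and every function name are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample invite (not a real message). The DESCRIPTION line is
# folded per RFC 5545, so one URL is split across two physical lines.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\n"
    "SUMMARY:ACTION REQUIRED: Your account will be suspended\r\n"
    "ORGANIZER;CN=Support:mailto:xk29fj3a@gmail.com\r\n"
    "DESCRIPTION:Verify at https://bit.ly/exam\r\n"
    " ple\\nor at https://steal-your-password.xyz/login\r\n"
    "LOCATION:Online\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n"
)
URGENCY = ("urgent", "action required", "account suspended", "payment failed")
SHORTENERS = {"bit.ly", "tinyurl.com"}  # assumed list, from the page's examples
URL_RE = re.compile(r'https?://[^\s\\,;"<>]+', re.I)

def parse_props(ics_text):
    """Unfold lines (line break + space/tab), then map NAME -> [values].
    Parameters such as ;CN= are dropped; quoted parameters containing ':'
    are not handled in this sketch."""
    props = {}
    for line in re.sub(r"\r?\n[ \t]", "", ics_text).splitlines():
        head, sep, value = line.partition(":")
        if sep:
            props.setdefault(head.split(";", 1)[0].upper(), []).append(value)
    return props

def is_known(host, known_domains):
    return any(host == d or host.endswith("." + d) for d in known_domains)

def score_invite(ics_text, known_domains):
    """Return (signal, field, evidence) tuples for one invite."""
    props, findings = parse_props(ics_text), []
    for field in ("DESCRIPTION", "LOCATION", "URL"):
        for value in props.get(field, []):
            for url in URL_RE.findall(value):
                host = (urlsplit(url).hostname or "").lower()
                if host in SHORTENERS or not is_known(host, known_domains):
                    findings.append(("ics-embedded-url-phishing", field, url))
    for title in props.get("SUMMARY", []):
        for phrase in URGENCY:
            if phrase in title.lower():
                findings.append(("calendar-urgency-language", "SUMMARY", phrase))
    for organizer in props.get("ORGANIZER", []):
        domain = organizer.rsplit("@", 1)[-1].lower()
        if not is_known(domain, known_domains):
            findings.append(("unknown-organizer-domain", "ORGANIZER", domain))
    return findings
```

Calling score_invite(SAMPLE_ICS, {"example.com"}) returns four findings; skipping the unfold step would truncate the first URL at the fold and report the wrong link.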
How to Protect Yourself Right Now
1. In Google Calendar Settings → Event Settings, set "Automatically add invitations" to "No, only show invitations to which I have responded."
2. Enable "Only view invitations from known senders" in Calendar settings.
3. Never click links in calendar invites from unknown senders — navigate directly to the service instead.
4. If an invite claims to be from a company (bank, PayPal, Google), verify by going to that company's site directly, not through the invite link.
5. Use Gorganizer to scan your inbox and calendar invite history for ICS files with embedded phishing URLs.
Frequently Asked Questions
What is Google Calendar phishing?
Google Calendar phishing is a social engineering attack where attackers send fake calendar invites containing malicious links. Because invites arrive through Google's own Calendar infrastructure, Gmail's spam filters often let them through.
How do I stop Google Calendar invite spam?
Go to Google Calendar Settings → Event Settings and set "Automatically add invitations" to "No, only show invitations to which I have responded." Also enable the option to only see invites from known senders.
Can Gmail spam filters stop calendar phishing?
Standard Gmail spam filters struggle with calendar phishing because invites arrive via Google's own Calendar system rather than as regular emails. Gorganizer's scoring engine specifically detects ICS files containing phishing URLs and other calendar invite red flags.
Scan Your Inbox for Phishing
Gorganizer detects calendar phishing, ICS-embedded URLs, and 1,751+ other threat signals across your entire Gmail inbox.