CalPhishing Scam Uses EvilTokens Kit, Outlook Invites to Steal M365 Sessions

HackRead
May 15, 2026

Why It Matters

Stealing M365 session tokens lets attackers sidestep MFA, enabling silent, long‑lasting breaches that can compromise sensitive corporate data and disrupt operations.

Key Takeaways

  • CalPhishing injects .ics files that auto‑create calendar events.
  • Hackers use EvilTokens kit to harvest Microsoft 365 session tokens.
  • MFA is ineffective when session tokens are stolen via ConsentFix.
  • Victims must hard‑delete calendar entries to fully remove the threat.
  • AI‑driven automation enables high‑volume distribution of malicious invites.

Pulse Analysis

The rise of CalPhishing reflects a shift in social engineering, exploiting the trust users place in calendar applications. Outlook’s default behavior automatically processes .ics attachments, creating tentative meetings without user interaction. This silent insertion means the malicious payload can sit on a calendar for days, generating reminders that increase the likelihood of a victim opening the embedded HTML link. By disguising the invite as routine administrative alerts—such as domain renewal failures or signature requests—attackers blend into the noise of everyday inbox traffic, making detection challenging for both users and traditional email filters.

At the core of the campaign is the EvilTokens phishing kit, a commercially available tool circulating on Telegram. The kit automates the ConsentFix technique, which captures Microsoft 365 session tokens rather than passwords. Because these tokens authenticate a user’s active session, they render multi‑factor authentication ineffective once stolen. Threat actors can then impersonate the victim, exfiltrate data, or manipulate cloud resources without triggering typical credential‑based alerts. This method underscores a broader industry concern: the growing commoditization of advanced credential‑theft tools that lower the barrier for less‑skilled actors to launch sophisticated, persistent attacks against enterprise environments.

Mitigating CalPhishing requires a multi‑layered approach. Organizations should configure Outlook to block or quarantine .ics files from unknown senders and educate users to verify calendar entries through secondary channels. Security teams need to implement hard‑delete policies that fully remove malicious meetings and monitor for anomalous token usage in Azure AD sign‑in logs. Additionally, leveraging AI‑driven threat detection can help identify the high‑volume, automated dispatch of malicious invites. As attackers continue to automate social engineering at scale, proactive defenses and continuous user awareness remain essential to protect Microsoft 365 ecosystems.
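One concrete form of the "quarantine .ics files from unknown senders" step above, added here as an example and not code from the article or any vendor: a mail-gateway triage function that unfolds an .ics attachment, checks the organizer and every embedded link against a trusted-domain allowlist, and looks for the administrative-alert pretexts the article describes. The allowlist, lure phrases and sample invite are all constructed for the example.

```python
import re

# Hypothetical allowlist of domains trusted in invites, plus the lure phrases the article describes.
TRUSTED_DOMAINS = {"example-corp.com"}
LURE_PHRASES = ("domain renewal", "signature request")
URL_HOST_RE = re.compile(r"https?://([^/\s\"'>]+)", re.IGNORECASE)

def is_trusted(host: str) -> bool:
    """True for an allowlisted domain or any subdomain of one (port stripped)."""
    host = host.lower().split(":")[0]
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def parse_properties(ics: str) -> dict:
    """Unfold RFC 5545 lines (a continuation starts with space/tab), then map NAME -> value."""
    lines = []
    for raw in ics.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]  # folded continuation, e.g. a URL split across two lines
        else:
            lines.append(raw)
    props = {}
    for line in lines:
        if ":" in line:
            name, value = line.split(":", 1)
            props.setdefault(name.split(";", 1)[0].upper(), value)  # first occurrence wins
    return props

def triage_invite(ics: str) -> list:
    """Return the indicators that fired; an empty list means nothing flagged the invite."""
    ev = parse_properties(ics)
    reasons = []
    org_domain = ev.get("ORGANIZER", "").lower().replace("mailto:", "", 1).rsplit("@", 1)[-1]
    if not is_trusted(org_domain):
        reasons.append(f"organizer outside trusted domains: {org_domain or '<missing>'}")
    text = " ".join(ev.get(k, "") for k in ("SUMMARY", "DESCRIPTION", "LOCATION", "URL"))
    for host in URL_HOST_RE.findall(text):
        if not is_trusted(host):
            reasons.append(f"link to untrusted host: {host}")
    if any(p in text.lower() for p in LURE_PHRASES):
        reasons.append("administrative-alert lure phrase in event text")
    return reasons

# Constructed sample invite imitating the pattern the article describes (not a real artefact).
SAMPLE_INVITE = "\r\n".join([
    "BEGIN:VCALENDAR", "METHOD:REQUEST", "BEGIN:VEVENT",
    "ORGANIZER;CN=Domain Services:mailto:alerts@renewals-example.test",
    "SUMMARY:Action required: domain renewal failed",
    "DESCRIPTION:Your renewal could not be processed. Review here: ",
    " https://portal.renewals-example.test/review", "END:VEVENT", "END:VCALENDAR"])
```

Any non-empty result is a quarantine decision for the gateway; the folded DESCRIPTION in the sample shows why unfolding must happen before link extraction.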
