H-ISAC Flags CalPhishing Threat Exploiting Calendar Auto-Processing to Harvest Login Credentials

healthsystemCIO, Jun 12, 2026

Why It Matters

CalPhishing threatens protected health information by undermining MFA and persisting in calendars, forcing healthcare organizations to rethink incident response and access controls.

Key Takeaways

  • CalPhishing embeds malicious URLs in .ics calendar invites.
  • Automatic processing places meeting events before email is opened.
  • ConsentFix steals session tokens, bypassing MFA entirely.
  • Malicious events persist until hard‑deleted from calendars.
  • Disabling auto‑processing and inspecting .ics files mitigates risk.

Pulse Analysis

The emergence of calendar‑based phishing marks a shift in how threat actors target healthcare institutions. By slipping malicious .ics files into routine meeting requests, attackers exploit the inherent trust employees place in their schedules. Traditional email gateways, hardened over years, often miss these invites because the payload is processed before the message reaches the inbox, allowing the threat to infiltrate even the most vigilant environments.

Technical analysis shows the attack chain relies on automatic calendar processing to seed a meeting entry that contains a phishing URL. When the victim clicks, they are directed to a spoofed login page that employs the ConsentFix device‑code flow, capturing session tokens that grant password‑less access to cloud services. This bypasses multi‑factor authentication, giving attackers persistent footholds. Moreover, the calendar event remains active despite email deletion, continuously prompting users and extending the window for credential theft.

Mitigation requires a multi‑layered response. Organizations should disable automatic handling of external .ics files, forcing manual review of calendar invites. Email gateways must treat calendar attachments as active content, scanning for embedded URLs and suspicious domains. Conditional access policies should restrict device‑code authentication flows, and incident response playbooks need explicit hard‑delete steps for malicious events. Coupled with targeted awareness training for clinical and administrative staff, these controls can close the calendar gap and protect PHI from this evolving vector.
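
One way a gateway or triage script could treat an .ics attachment as active content is shown below. This is an added example, not code from H-ISAC or the article; the sample invite, the `.example` domains and all function names are constructed for illustration. It unfolds and unescapes the calendar text before extracting URLs, because a link split across folded lines or followed by an escaped newline would otherwise be missed or misread.

```python
import re
from urllib.parse import urlsplit

# Constructed sample invite (not from the advisory); DESCRIPTION is folded mid-URL.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nMETHOD:REQUEST\r\nBEGIN:VEVENT\r\n"
    "ORGANIZER;CN=\"IT: Support\":mailto:helpdesk@mail.example\r\n"
    "LOCATION:https://login.portal.example/device\r\n"
    "DESCRIPTION:Sign in first\\, then enter the code: https://lo\r\n"
    " gin.portal.example/device?ref=cal\\nThanks\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

# Property name, optional parameters (quoted values may contain ':'), then the value.
PROP_RE = re.compile(r'^([A-Za-z0-9-]+)((?:"[^"]*"|[^":])*):(.*)$')
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
TEXT_PROPS = {"SUMMARY", "DESCRIPTION", "LOCATION", "URL", "ATTACH", "X-ALT-DESC"}

def unfold(ics_text):
    """RFC 5545: a line break followed by one space or tab continues the previous line."""
    return re.sub(r"\r?\n[ \t]", "", ics_text).splitlines()

def unescape(value):
    """Undo RFC 5545 TEXT escaping so a backslash escape cannot extend or hide a URL."""
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)

def host_of(url):
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:  # malformed authority: surface it instead of dropping it
        return "<unparseable>"

def is_internal(host, internal):
    return any(host == d or host.endswith("." + d) for d in internal)

def inspect_invite(ics_text, internal):
    """Collect the organizer domain and every URL the invite would place on a calendar."""
    organizer, urls = None, []
    for line in unfold(ics_text):
        m = PROP_RE.match(line)
        if not m:
            continue
        name, value = m.group(1).upper(), m.group(3)
        if name == "ORGANIZER" and "@" in value:
            organizer = value.rsplit("@", 1)[1].strip().lower()
        elif name in TEXT_PROPS:
            urls += [u.rstrip(".,;)") for u in URL_RE.findall(unescape(value))]
    external = sorted({h for h in map(host_of, urls) if not is_internal(h, internal)})
    return {"organizer_domain": organizer, "urls": urls, "external_hosts": external,
            "external_organizer": organizer is None or not is_internal(organizer, internal)}
```

An invite with an external organizer and external URL hosts is a candidate for quarantine or manual review rather than automatic placement on the calendar.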
