Google Workspace, Security

Your calendar might be lying to you: How hackers are bypassing email security

Jana Brnakova
Jana Brnakova
November 21, 2025

You see a spammy email in your inbox. You delete it. You think, “Nice try,” and move on with your day. 

Ten minutes later, you get a reminder on your phone for a meeting you don’t remember accepting. You click the notification to see what it is, and just like that, you’ve walked into the trap.

This is the reality of  ICS phishing or calendar-based phishing. Attackers have realized that while we are all pretty suspicious of our email inboxes, we tend to trust our calendars blindly. And because of that trust, they are using simple calendar invites to bypass even expensive security tools.

Here is how it works, why it’s effective, and, most importantly, how we can help you stop it.

This attack bypasses 59% of email gateways

The numbers here are actually pretty worrying. Research shows that attacks using calendar files (the .ics attachments) are bypassing 59% of Secure Email Gateways (SEGs).

Why? Because most security tools are built to scan emails for bad links or viruses. When they see a standard calendar file, they often treat it as harmless text. They wave it through the gate, straight to your employee’s laptop.

Why deleting the email doesn’t stop the attack

The reason this technique is so successful is that it is a double threat.

When an attacker sends a malicious invite, it usually goes to two places: your inbox (as an email) and your schedule (as a ghost event).

Even if your security software catches the email and quarantines it, services like Google Workspace and Microsoft 365 often automatically put these events on the user’s calendar.

So, even if the email doesn’t work anymore, the invite is still there on your calendar, waiting for you to click a link in the description or Location field. And if attackers can get a notification to appear on your phone screen, curiosity will often do the rest.

One setting you should change right now

If you are an admin for Google Workspace, there is one setting you should change right away to stop invites from unknown sources from appearing on user calendars without interaction.

By default, many systems automatically add invites to a user’s calendar, even if they haven’t accepted them yet. You need to turn this setting off.

👉 Fix it by changing your Google Workspace settings so that invites are only added to the calendar if the sender is known.

It’s not just calendars: Where else are you exposed?

Changing that one calendar setting is smart, but it’s just a temporary solution for a much bigger issue. If attackers can reach your calendar, what else is exposed that you don’t know about?

In our experience, most organizations have dozens of open windows they aren’t even aware of. It’s not because their IT team doesn’t do a good job but because cloud environments like Google Workspace are massive and settings change constantly.

Find the security leaks before attackers do

So unless you have a dedicated full-time expert constantly checking your digital workplace, you might want to consider working with an external partner like Revolgy, either as a one-time scan or having your security taken care of on a regular basis.

As a certified Google partner, we are the security partner that checks the things you forgot or didn’t know about. We review how your team actually uses their tools versus how you think they use them.

When we audit a company, we often find critical risks that standard scans miss:

  • The deep-dive audit: We start by giving you a clear picture of where you stand. Our audit isn’t just a basic log check; we evaluate dozens of specific items across critical areas, covering everything from user accounts and mobile devices to third-party app permissions.

 

  • We specifically target the blind spots mentioned above:

    • App permissions: We identify every app connected to your data and help you block the ones that are dangerous or non-compliant.

    • Data leaks: We hunt down those hidden forwarding rules and lock down Shared Drive settings to ensure only the right people have access.

    • Calendar security: We review your sharing settings to ensure you aren’t accidentally broadcasting your team’s schedule to the public internet.

  • Actionable plans, not just reports: We provide clear, practical recommendations customized to your business. We did this for the IT company Hooloovoo, helping them tighten their security posture enough to get through an ISO audit.

  • Ongoing protection & training security: We offer 24/7 monitoring to catch threats in real time, and we provide hands-on training to help your employees build better habits. Whether you need to meet strict compliance standards (like ISO 27001, SOC 2/3, or HIPAA) or just want to protect your IP, we make sure your setup is audit-ready.

You don’t need to be paranoid; you just need to be prepared. Contact us today for a free security consultation, and let’s make sure your environment is as secure as you think it is.
Jana Brnakova

Jana Brnakova

I work as a content marketing specialist for Revolgy. I enjoy writing readable content on various topics, mainly about technology & travel.

Related posts

Set working locations for specific portions of the day in Google Calendar

Set working locations for specific portions of the day in Google Calendar

In response to the growing demands of the hybrid work model, Google is adding more flexibility to...

Read more
Paid appointments in Google Calendar made easy with Stripe

Paid appointments in Google Calendar made easy with Stripe

Google Calendar has recently rolled out a feature to improve the experience of booking and managing...

Read more