A technique that adds victims to attacker-controlled collaboration groups turns Microsoft's own infrastructure into a persistent delivery channel and keeps the phishing hook alive through calendar reminders long after the original email is gone.

 

What happened

Researchers have identified a phishing campaign that abuses Microsoft 365 Groups, a legitimate collaboration feature used by organizations to coordinate teams and share files, to deliver malicious content through channels that email security tools do not typically scrutinize. According to CyberSecurityNews, attackers create or take control of a Microsoft 365 group and add victims either directly or through an invite. Group names such as "IT Support," "HR Updates," "Finance Review," or "All Company" are chosen to mimic legitimate internal communications. The welcome email looks clean, the group name appears routine, and nothing triggers an immediate alert. Once the victim is inside the attacker-controlled group, follow-up phishing content arrives through the group mailbox, shared documents, or calendar invites, each step mirroring a genuine Microsoft 365 collaboration workflow. Content delivered through the group can include links to credential-harvesting pages, QR codes pointing to phishing sites, or macro-laced documents. The potential outcomes include credential theft, session token capture, malware delivery, data exposure, and further social engineering.

 

Going deeper

The most persistent element of this campaign is a technique researchers call CalPhishing. Once the attacker gains entry through the group invite, a malicious calendar event in .ics format is sent to the victim's Outlook calendar. The calendar entry continues sending reminders, keeping the phishing attempt active long after the original email may have been deleted, filtered, or missed. The calendar invite is formatted to resemble a legitimate work obligation, a project meeting, an HR deadline, an admin alert, or an invoice review, and each reminder creates a fresh opportunity for the victim to act on it. The effect is that the phishing hook stops feeling like an unsolicited message and starts feeling like an unresolved work task. Because the attack runs through Microsoft's own infrastructure, early-stage detection tools that assess email sender reputation and link safety may not flag it. Investigators responding to incidents generated by this technique need to trace further than the inbox, checking who created the group, who was added, what files were shared, and whether calendar entries remain active even after mail remediation.

 

What was said

Researchers stated in their analysis cited by CyberSecurityNews that the technique "shifts malicious intent away from a single phishing email into a trusted productivity workflow," and that "a user may see what looks like a normal group addition, internal update, shared resource, or calendar item before being pushed toward an action." Researchers recommended that organizations block the sender domain groups.outlook.com at the gateway level to stop external group notifications, and that employees be trained to treat unexpected group additions and meeting invites with the same caution they would apply to any unsolicited email.

 

In the know

Calendar-based phishing using legitimate platform infrastructure is an established and growing attack category. According to BleepingComputer, a campaign documented in 2025 abused Apple iCloud Calendar invites to deliver phishing content from Apple's own email servers, exploiting the same trust signal this Microsoft 365 Groups campaign relies on, legitimate platform infrastructure carrying malicious content. KnowBe4's April 2026 phishing trends report documented a 49% increase in calendar invite phishing attacks in the six months to April 2026, confirming that calendar-format lures are a growing category rather than an isolated technique.

 

The big picture

Healthcare organizations run Microsoft 365 at scale and use its collaboration features daily for clinical coordination, administrative workflows, and interdepartmental communications. A group invite arriving from what appears to be an "HR Updates" or "IT Support" group fits naturally into the flow of communications that healthcare staff process routinely. The persistent calendar reminder element is particularly relevant for clinical environments, where staff are conditioned to act on meeting requests and deadline notifications without applying the same scrutiny they might to an unsolicited email. According to Paubox's 2026 Healthcare Email Security Report, 53% of breached healthcare organizations in 2025 used Microsoft 365, and security gaps in how organizations configure and monitor Microsoft 365 collaboration features remain among the most consequential. Email security tools that scan inbound messages do not automatically extend their coverage to content delivered through group mailboxes or shared documents, creating exactly the blind spot this campaign exploits.

 

FAQs

What is a Microsoft 365 Group, and how does it normally function?

A Microsoft 365 Group is a collaboration space that connects a shared email inbox, calendar, file storage, and other tools for a defined set of users. Organizations use groups for team coordination, project management, and internal communications. Members receive group emails, share documents, and see shared calendar events automatically.

 

Why does content delivered through a group mailbox bypass standard email security checks?

Email security tools typically assess inbound messages based on sender reputation, link safety, and attachment scanning. When content arrives through a Microsoft 365 group that the victim is already a member of, it may be treated as internal communication rather than an external inbound message, reducing the scrutiny applied to links and attachments within that content.

 

What makes CalPhishing more effective than a standard one-time phishing email?

A standard phishing email is a single event if the recipient misses it, deletes it, or the security tool filters it, the attack opportunity passes. A malicious calendar entry generates repeated reminders on the victim's own schedule, creating multiple future opportunities for the victim to act on it. The format also normalizes the interaction as a work obligation rather than a suspicious message.

 

What should IT teams do when investigating a suspected Microsoft 365 Groups phishing incident?

Remediation should extend beyond deleting the phishing email. Investigators should identify the attacker-controlled group, remove the victim from it, audit all content shared through the group, including files and links, check the victim's calendar for malicious .ics entries and delete them, and review group membership logs to determine whether other users were added and may have received the same content.

 

What organizational controls reduce exposure to this attack?

Blocking external additions to Microsoft 365 groups through administrative policy prevents attackers from adding victims without internal approval. Configuring Conditional Access policies to restrict group creation and membership management to authorized users reduces the attack surface. Training staff specifically to question unexpected group additions and calendar invites, particularly those with urgent or administrative themes, addresses the social engineering layer.