A targeted spear-phishing campaign was identified in which attackers delivered malicious .ics calendar files to users, bypassing standard email security controls entirely.
Rather than embedding a malicious link in the email body, where security tools would catch it, the attacker hid a QR code inside a calendar invite; when scanned, the code directed the victim to a fake Microsoft authentication page pre-loaded with their email address.
The attack was specifically crafted to steal session tokens and credentials through an Adversary-in-the-Middle (AiTM) proxy, meaning even MFA-enabled accounts were at risk.
What makes this particularly concerning is that the .ics file format is not traditionally treated as a threat vector by email security platforms, giving attackers a reliable delivery path that most organizations are not currently monitoring or filtering.
This type of attack does not discriminate by role or department.
Any user who receives and previews a calendar invite — whether they are in Finance, Legal, HR, IT, or the executive team — can be tricked into interacting with a malicious .ics file.
The Initial Delivery
Two spear-phishing emails were sent to the target user from the external sender rob@rentrogue[.]com, both carrying .ics file attachments themed around a fabricated regulatory policy review.
Microsoft Defender for Office 365 caught and quarantined one of the two emails. The second was not detected and landed in the user’s inbox.
Exploiting a Security Blind Spot
The .ics format is a standard calendar file type used legitimately every day across enterprise environments. Because it isn’t an executable, a document with macros, or a URL-bearing email body, most email security tools do not detonate or deeply inspect it. The attacker exploited this blind spot deliberately.
Calendar Injection via Preview
The .ics file didn’t do anything on its own — it needed the user to interact with it. Simply previewing the attachment in Outlook was enough to add the malicious calendar entry, without the file ever being downloaded to the endpoint.
This was confirmed during sandbox testing, which also triggered a follow-up invite automatically after the first interaction, suggesting the campaign infrastructure was designed to keep re-engaging the victim.
The QR Code and AiTM Page
Inside the calendar invite was what appeared to be policy documentation alongside a QR code. Decoding the QR code in a sandbox resolved it to the domain xsbrookers[.]com, which was hosting a fake Microsoft authentication page.
The page was pre-populated with the target user’s email address — confirming this was a targeted, not opportunistic, attack. The infrastructure was consistent with an AiTM setup designed to capture both credentials and authenticated session tokens in real time, bypassing MFA at the session layer.
| Type | Value |
|---|---|
| Phishing Sender | rob@rentrogue[.]com |
| Phishing domain | rentrogue[.]com |
| Malicious Domain (AiTM) | xsbrookers[.]com |
| Attachment Type | .ics (iCalendar file) |
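Because most mail gateways do not inspect .ics bodies, a defender can add a small pre-delivery check of their own. The following is an added example (not ProArch's tooling or part of the original report) that parses an iCalendar attachment, undoes RFC 5545 line folding, and flags URLs in text properties, inline base64 images (the usual carrier for a QR code inside an invite), and organizer or link domains matching the indicators in the table above; the sample invite is constructed for the example, and `KNOWN_BAD_DOMAINS` is assumed to be fed from your own blocklist in practice.

```python
import re
from base64 import b64decode
# Indicators from the report above (defanged there; re-armed here so they match).
KNOWN_BAD_DOMAINS = {"rentrogue.com", "xsbrookers.com"}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s<>\"']*", re.I)
TEXT_PROPS = {"DESCRIPTION", "LOCATION", "URL", "X-ALT-DESC", "COMMENT", "SUMMARY", "ATTACH"}

# Constructed sample modelled on the campaign; the URL is split by RFC 5545 line folding.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nMETHOD:REQUEST\r\nBEGIN:VEVENT\r\n"
    "ORGANIZER;CN=Rob:mailto:rob@rentrogue.com\r\nSUMMARY:Regulatory Policy Review\r\n"
    "DESCRIPTION:Scan the QR code to acknowledge the policy: https://xsbro\r\n okers.com/review\r\n"
    "ATTACH;FMTTYPE=image/png;ENCODING=BASE64;VALUE=BINARY:iVBORw0KGgo=\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

def unfold(ics_text):
    """Undo RFC 5545 folding: a line break followed by space/tab continues the line."""
    return re.sub(r"\r?\n[ \t]", "", ics_text).replace("\r\n", "\n")

def parse_properties(ics_text):
    """Yield (NAME, [params], value) per content line; simplified, no quoted-param handling."""
    for line in unfold(ics_text).split("\n"):
        if ":" in line:
            head, value = line.split(":", 1)
            name, *params = head.split(";")
            yield name.upper(), params, value

def inspect_ics(ics_text, bad_domains=KNOWN_BAD_DOMAINS):
    """Findings as (level, property, detail): known-bad domains, external URLs, inline images."""
    findings = []
    for name, params, value in parse_properties(ics_text):
        if name in TEXT_PROPS:
            for m in URL_RE.finditer(value):
                domain = m.group(1).lower()
                findings.append(("known_bad" if domain in bad_domains else "external_url", name, domain))
        if name == "ATTACH":  # inline base64 image: the usual carrier for a QR code
            ptext = ";".join(params).upper()
            if "ENCODING=BASE64" in ptext and "FMTTYPE=IMAGE/" in ptext:
                try:
                    size = len(b64decode(value, validate=True))
                except ValueError:
                    size = -1  # malformed payload is itself worth a look
                findings.append(("inline_image", name, f"{size} bytes"))
        if name == "ORGANIZER":
            m = re.search(r"mailto:[^@\s]+@([A-Za-z0-9.-]+)", value, re.I)
            if m and m.group(1).lower() in bad_domains:
                findings.append(("known_bad", name, m.group(1).lower()))
    return findings
```

Any `known_bad` finding is a quarantine signal; `external_url` and `inline_image` on an invite from an external organizer are worth routing to review rather than straight to the inbox.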
Organizations working with ProArch are better equipped to detect and prevent emerging threats like calendar invite phishing before they impact the business. Speak with a ProArch Security Expert.