A plain-English deep dive into calendar ransomware and calendar invite phishing for small and mid-sized businesses. Explains how attackers abuse calendar invite files (.ics) to plant fake meetings directly into staff calendars, often with no click required, how the links and QR codes inside lead to credential theft or malware that opens the door to ransomware, why these invites slip past email filters, and the calendar settings, habits, MFA, and monitoring that shut the vector down.
Calendar ransomware: the meeting invite you shouldn't trust
A meeting appears in your diary. You never accepted it, but there it is, reminder set and counting down. Calendar invites have become one of the fastest-growing ways attackers get that first click, and a first click is all ransomware needs.
The short version
Attackers send calendar invite files that many calendars add automatically, no click needed. The fake meeting sits in your diary looking legitimate, and its reminders keep resurfacing the lure.
The invite itself does not encrypt anything. The link or QR code inside it leads to a fake login page or a malicious download, and that stolen account or foothold is where the ransomware attack starts.
The fix is refreshingly boring: calendar settings that stop unknown invites auto-adding, staff who treat invite links like email links, MFA with conditional access, and monitoring for when someone clicks anyway.
What calendar ransomware actually is
Calendar ransomware is not a new strain of malware. It is a new delivery route for the same old attack: phishing that arrives as a meeting invite instead of an email. Attackers craft calendar invite files (the .ics format every calendar app understands) and send them out looking like Teams meetings, payroll briefings, or urgent admin alerts.
Here is the part that surprises most people. Depending on how your calendar is configured, that invite can add itself to your diary as a tentative event without you opening the email, let alone accepting anything. Delete the email and the event can still sit there. Then the reminders start firing, ten minutes before the fake meeting, putting the attacker's link in front of you again and again through an interface you trust completely: your own calendar.
We covered how ransomware behaves once it is inside in our ransomware deep dive. This is about the front door, because the invite in your diary is step one of that same playbook.
Payroll Update: Action Required
Tentative1Today, 2:30 PM - 3:00 PM
IT Service Desk <servicedesk@m365-security-check.com>2
Reminder: 10 minutes before
https://m365-verify.login-check.com/join?u=you3
- 1The event added itself as 'Tentative'. Nobody accepted anything.
- 2The organiser's domain is not your company, and it is not Microsoft either.
- 3The 'join' link goes nowhere near teams.microsoft.com.
How the attack unfolds
The sequence is simple. An invite lands and slides into your calendar. A reminder pops up. You click the meeting link, or scan the QR code, because that is what you do a dozen times a week. What loads is not a meeting: it is a fake Microsoft 365 sign-in page, sometimes already pre-filled with your email address, or a download pretending to be a meeting client.
The nastier versions proxy your real login behind the scenes, so the page works exactly as expected while the attacker captures your password and your signed-in session. Done that way, even an account with MFA turned on can be hijacked. From there it is the standard ransomware playbook: look around, find the backups, spread, encrypt, extort.
Fake meeting links
A 'Join meeting' link that looks like Teams or Zoom but leads to a fake login page, or a download dressed up as a meeting app.
QR codes in invites
A QR code moves you to your phone, away from your company's security tools, and onto a sign-in page already pre-filled with your email address.
Urgent 'admin' events
Payroll updates, policy reviews, missed voicemails. Anything that makes a calendar reminder feel routine and worth clicking.
Why it slips past your filters
Email security spent years learning to distrust attachments and links. Calendar files snuck under that radar. An .ics file is plain text, invites from outside your business are perfectly normal, and plenty of filters wave them through with barely a look. Some campaigns never even need the email to be read, because the calendar processes the invite on its own.
The reminder is the weapon. A phishing email gets one chance in a crowded inbox. A calendar event gets a dedicated pop-up, delivered by your own device at a moment you are primed to click "join". That is why this vector converts so well for attackers.
There is one more trap worth knowing: declining the invite feels like the polite fix, but a decline sends a response straight back to the attacker, confirming your address is real and actively used. That puts you on the list for the next round.
How to shut it down
None of this requires new tools you have never heard of. It is a settings change, a habit, and the same layered controls that stop the rest of the phishing family.
Tighten calendar settings
Outlook and Google Calendar can both be set to only add events from people you know, or after you respond. Your IT provider can enforce this across the whole business.
Delete and report, never decline
Declining sends a reply that confirms your address is live and watched. Report the invite as phishing and remove it instead.
MFA and conditional access
Strong MFA and conditional access limit what a stolen password, or even a stolen session, can actually do with your account.
Email security and monitoring
Modern email security inspects calendar files, not just attachments and links. EDR and a monitored SOC catch the follow-on activity when someone clicks anyway.
The account takeover side of this, and why MFA plus conditional access matters so much, is covered in our deep dive on MFA and business email compromise. And if a click does turn into something worse, tested backups are what turn a crisis into a recovery, which we unpack in business continuity and disaster recovery.
The takeaway
Calendar ransomware is not a new kind of ransomware. It is a new front door for the same attack, chosen because your calendar is the one place you never expect to be lied to. Close the door with sensible calendar settings, teach your team that an unexpected invite deserves the same suspicion as an unexpected link, and keep the layers behind it strong.
Getting those settings enforced across every mailbox, and having someone actually watching for the sign-in that should not be there, is exactly what our managed security service does. If a strange meeting has already shown up in someone's diary, that conversation is worth having today rather than after the reminder fires.
Common questions
A meeting I never accepted has appeared in my calendar. What should I do?
Do not click any links in it and do not decline it, because declining sends a reply that tells the attacker your address is real. Report it as phishing if your mail client allows, then delete the event. If you already clicked a link or entered your password, tell your IT provider immediately so they can reset the account and check for suspicious sign-ins.
Can a calendar invite really install ransomware?
Not by itself. The invite is the lure, not the payload. The danger is the link or QR code inside it, which leads to a fake login page that steals your credentials or a download that gives the attacker remote access. Either one is the foothold a ransomware attack starts from.
Why don't spam filters catch malicious invites?
Calendar invite files (.ics) are plain text, and receiving invites from people outside your business is completely normal, so many email filters give them an easy ride. Worse, some calendars process the invite and create the event even if the email itself is never opened, so the lure lands in your diary regardless.
How do I stop invites adding themselves to my calendar?
Both Outlook and Google Calendar have settings to only add invitations from known senders, or only after you accept. In a business, these settings are best applied centrally so every staff member is covered, which is something your IT provider can do in minutes.