Privacy Ninja

Google Calendar Provides New Way to Block Invitation Phishing

Google Calendar Provides New Way to Block Invitation Phishing

The Google Workspace team announced today that it started rolling out a new method to block Google Calendar invitation spam, available to all customers, including legacy G Suite Basic and Business users.

“To help keep your Google Calendar free from spam, you can now select an option to display events on your calendar only if they come from a sender you know,” the Google Workspace team said today.

“If you select this option, you still get email event invitations from unknown senders, but they appear on your calendar only after you accept.”

According to Google, known senders that you would receive invitations from include people in your same company domain, in your contacts list, or with whom you’ve interacted before.

After rolling out, Google Workspace admins can change from the default option allowing invitations from everyone to the new option at the domain level.

Also Read: What does the Computer Misuse Act mean?

Google Calendar invitation choice
Google Calendar invitation choice (Google)

​Adds to previously released block options

As we previously reported in 2019, Google has been working on solutions to block bad actors from spamming Google customers with malicious calendar invites.

Two years later, the company finally made it easy to block unwanted invitations by adding a new “Automatically add invitations” setting, allowing only those previously accepted via email (RSVP’d) instead of having all invitations automatically added to the default calendar.

“As before, you can also choose to have all invitations appear on your calendar, or only those you’ve accepted—letting you customize the display to best meet your needs,” Google added.

“Additionally, admins can set the default reply option for their users in the Google Admin console. Note that end users can indicate their preference in their own Calendar settings.”

Such unwanted calendar invitations are commonly used by threat actors in phishing and malicious campaigns targeting Google Calendar users.

Also Read: Protection Obligation: What every organization should know

Google Calendar spam examples
Google Calendar spam examples (BleepingComputer)

Phishing campaigns that can reach massive numbers of targets​

While, for many, invitation spam might seem to be a harmless issue, spam calendar events can be used to redirect targets to phishing landing pages via malicious URLs.

The end goal of these attacks is to harvest the victims’ credentials or, even worse, infect them with malware that could be used to steal sensitive information or deploy additional malicious payloads.

Since Google Calendar is available for all popular platforms (either as a web or mobile app), such spam campaigns can potentially reach a massive number of potential victims.

To get an idea of how many targets such an attack could reach, the Google Calendar Android app alone has been downloaded more than 1 billion times, according to the app’s Google Play Store entry.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us