
CalPhishing: How Hackers Steal M365 Sessions Through Outlook Calendar Invites

A new phishing technique called CalPhishing weaponizes Outlook calendar invites to bypass MFA and steal Microsoft 365 session tokens — with hundreds of organizations compromised daily. Here's what Saudi CISOs need to know.

FyntraLink Team

Forget credential harvesting pages and SMS interceptors — attackers have found an elegant way to hijack Microsoft 365 accounts that requires no password theft and no MFA code interception. A campaign dubbed CalPhishing, powered by the EvilTokens phishing-as-a-service kit, is weaponizing Outlook calendar invitations to silently steal OAuth session tokens from enterprise users, with hundreds of organizations compromised daily across multiple continents since February 2026.

How CalPhishing Weaponizes Outlook Calendar Invites

The attack begins with something most employees would never suspect: an iCalendar (.ics) file delivered via email. Unlike traditional phishing that depends on a victim clicking a link in the message body, CalPhishing inserts a meeting directly onto the target's Outlook calendar without the recipient ever needing to open or read the original email. The calendar event itself contains a URL disguised as a meeting link — a Teams session, a Zoom bridge, or a document review — that redirects the victim to a device code authentication page hosted on Microsoft's own legitimate login domain at microsoft.com/devicelogin.

Because the authentication prompt is genuinely Microsoft's infrastructure, email security gateways, URL scanners, and even cautious end-users see nothing suspicious. The victim enters the device code displayed on screen, completes their normal MFA challenge on their authenticator app, and unknowingly grants a persistent OAuth access token to the attacker's registered application. The entire chain takes under ninety seconds.
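The indicator described above can be checked mechanically before an invite reaches a calendar. The following is an added example, not code from this post or from any vendor: it unfolds an iCalendar body according to RFC 5545 line folding and flags meeting-link URLs that lead to microsoft.com/devicelogin or a URL shortener. The sample invite and the shortener list are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample invite (not from any real campaign). The DESCRIPTION line is
# folded across two physical lines, as mail clients commonly emit it.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "METHOD:REQUEST\r\n"
    "BEGIN:VEVENT\r\n"
    "ORGANIZER;CN=Document Review:mailto:review@example.invalid\r\n"
    "SUMMARY:Q2 Contract Review\r\n"
    "LOCATION:Microsoft Teams Meeting\r\n"
    "DESCRIPTION:Join the review here: https://microsoft.com/devicelogin?ref=\r\n"
    " abc123 and enter the code shown in the invite.\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

DEVICELOGIN_HOSTS = {"microsoft.com", "www.microsoft.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # assumed list; extend per your policy
URL_RE = re.compile(r"https?://[^\s<>\"']+")
URL_BEARING_PROPS = {"DESCRIPTION", "LOCATION", "URL", "X-ALT-DESC", "COMMENT"}


def unfold(ics: str) -> list[str]:
    """Undo RFC 5545 folding: CRLF followed by a space or tab continues the line."""
    return ics.replace("\r\n ", "").replace("\r\n\t", "").split("\r\n")


def properties(lines):
    """Yield (NAME, value) pairs, dropping parameters such as ';CN=...'."""
    for line in lines:
        if ":" in line:
            name, _, value = line.partition(":")
            yield name.split(";")[0].upper(), value


def suspicious_urls(ics: str) -> list[str]:
    """Return URLs in the invite that point at the device-login page or a shortener."""
    hits = []
    for name, value in properties(unfold(ics)):
        if name not in URL_BEARING_PROPS:
            continue
        for url in URL_RE.findall(value):
            parsed = urlparse(url)
            host = (parsed.hostname or "").lower()
            is_devicelogin = host in DEVICELOGIN_HOSTS and parsed.path.lower().startswith("/devicelogin")
            if is_devicelogin or host in SHORTENERS:
                hits.append(url)
    return hits


if __name__ == "__main__":
    print(suspicious_urls(SAMPLE_ICS))
```

A gateway or mail-flow rule can quarantine the message and raise a ticket when the list is non-empty; a genuine Teams or Zoom invite yields an empty list.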

EvilTokens: The Phishing Kit That Makes MFA Irrelevant

The EvilTokens platform first surfaced on Telegram on February 16, 2026. Unlike adversary-in-the-middle (AiTM) kits such as EvilProxy or Evilginx that proxy the authentication session in real time, EvilTokens abuses the OAuth 2.0 Device Authorization Grant flow — a legitimate protocol designed for devices without keyboards, like smart TVs and IoT equipment. The kit generates a fresh device code, embeds it in the calendar invite payload, and waits for the victim to authenticate. Once authenticated, Microsoft issues a valid OAuth refresh token to the attacker's application. This refresh token persists even if the victim subsequently changes their password, giving attackers indefinite access to email, SharePoint, OneDrive, and Teams data.

By March 19, security firm Huntress had confirmed 344 compromised organizations across the United States, Canada, Australia, New Zealand, and Germany. The actual number is believed to be significantly higher, with daily compromise rates in the hundreds. Financial services, legal firms, and healthcare organizations are disproportionately targeted due to the value of their data and their heavy reliance on Microsoft 365.

Why Traditional Defenses Fail Against This Attack

CalPhishing is designed to slip through every layer of conventional email security. Secure Email Gateways (SEGs) cannot flag the .ics attachment because calendar invitations are considered benign by default — blocking them would cripple normal business operations. URL reputation engines see only microsoft.com/devicelogin, which is a legitimate first-party Microsoft domain. Conditional Access policies tied to IP geolocation or device compliance often pass because the victim authenticates from their own trusted device and network. Even anti-phishing training that teaches employees to inspect sender addresses and hover over links fails here, because the malicious action is embedded in a calendar event that auto-populates without user interaction.

The persistence mechanism is equally difficult to detect. Stolen OAuth refresh tokens do not trigger alerts for failed login attempts, geographic anomalies, or password changes. The attacker accesses data through the Microsoft Graph API with a legitimate token, blending into normal M365 telemetry. Without specific monitoring for anomalous OAuth application grants, security operations centers (SOCs) may not detect the compromise for weeks or months.

Impact on Saudi Financial Institutions Under SAMA Regulation

Saudi banks, insurance companies, and fintech firms operating under SAMA's Cyber Security Framework (CSCC) face acute exposure to CalPhishing for several reasons. First, Microsoft 365 adoption across the Kingdom's financial sector is near-universal — Exchange Online, Teams, and SharePoint Online are the backbone of internal and external communication. A single compromised executive mailbox can expose merger discussions, regulatory correspondence with SAMA, client financial records, and board materials protected under PDPL (Personal Data Protection Law).

SAMA CSCC Domain 3 (Cyber Security Operations and Technology) explicitly requires organizations to implement robust identity and access management controls, including monitoring for unauthorized access patterns and anomalous authentication events. The NCA Essential Cybersecurity Controls (ECC) further mandate continuous monitoring of critical authentication infrastructure. An undetected CalPhishing compromise directly violates these requirements and could trigger regulatory action during SAMA's periodic cyber resilience assessments.

Moreover, PCI-DSS v4.0 Requirement 8.6, which governs authentication mechanisms for system components in the cardholder data environment, demands that authentication factors cannot be replayed or reused. OAuth token theft fundamentally violates this principle, putting PCI-DSS compliance at risk for any institution processing card data through M365-integrated systems.

Defensive Recommendations for CISOs and Security Teams

  1. Restrict Device Code Authentication Flow: In Microsoft Entra ID (formerly Azure AD), create a Conditional Access policy that blocks the Device Code Flow for all users except those who genuinely require it (conference room displays, shared kiosks). This single control eliminates the primary attack vector.
  2. Deploy OAuth Application Monitoring: Configure Microsoft Defender for Cloud Apps or a CASB solution to alert on new OAuth application consent grants, especially those requesting Mail.Read, Files.ReadWrite.All, or offline_access scopes. Review all existing third-party application consents and revoke any that are unrecognized.
  3. Implement Token Protection (Preview): Microsoft's Token Protection feature binds access tokens to the specific device where authentication occurred. While still in preview, enabling this for pilot groups significantly reduces the value of stolen tokens.
  4. Hunt for Anomalous Calendar Activity: Configure your SIEM (Sentinel, Splunk, or QRadar) to detect .ics attachments from external senders that contain URLs pointing to microsoft.com/devicelogin or common URL shorteners. Build correlation rules that flag device code authentication events followed by Graph API access from a different IP or device.
  5. Harden Conditional Access Policies: Require compliant devices for all M365 access, enforce sign-in frequency limits to reduce refresh token lifetimes, and enable continuous access evaluation (CAE) to revoke tokens in near-real-time when risk signals change.
  6. Update Security Awareness Training: Traditional phishing training does not address calendar-based attacks. Run a tabletop exercise simulating a CalPhishing attempt against your executive team, and update training materials to cover the specific indicators: unexpected calendar invitations with meeting links from unknown organizers, and any prompt asking to enter a code at microsoft.com/devicelogin.
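The correlation rule in recommendation 4 can be prototyped offline before it is ported to a SIEM. The following is an added example, not code from this post or from Microsoft: it walks constructed sign-in records, finds each device-code authentication, and alerts when the same user's Microsoft Graph access within a window comes from a different IP address. The record shape and field names are simplified assumptions, not the Entra ID sign-in log schema.

```python
from datetime import datetime, timedelta

# Constructed records (field names are assumptions, not Entra ID's schema):
# one user whose device-code sign-in is followed by Graph access from elsewhere,
# and one shared kiosk whose device-code sign-in is followed by access from the same address.
EVENTS = [
    {"ts": "2026-03-01T09:00:00", "user": "a.user@bank.example", "ip": "203.0.113.10",
     "protocol": "deviceCode", "resource": "Microsoft Graph"},
    {"ts": "2026-03-01T09:01:30", "user": "a.user@bank.example", "ip": "198.51.100.7",
     "protocol": "none", "resource": "Microsoft Graph"},
    {"ts": "2026-03-01T10:00:00", "user": "kiosk@bank.example", "ip": "203.0.113.20",
     "protocol": "deviceCode", "resource": "Microsoft Graph"},
    {"ts": "2026-03-01T10:05:00", "user": "kiosk@bank.example", "ip": "203.0.113.20",
     "protocol": "none", "resource": "Microsoft Graph"},
]


def correlate(events, window=timedelta(hours=24)):
    """Return (user, device_code_ip, later_ip) for each device-code sign-in that is
    followed, within the window, by Graph access for the same user from another IP."""
    alerts = []
    ordered = sorted(events, key=lambda e: e["ts"])
    for i, e in enumerate(ordered):
        if e["protocol"] != "deviceCode":
            continue
        start = datetime.fromisoformat(e["ts"])
        for later in ordered[i + 1:]:
            if later["user"] != e["user"] or later["resource"] != "Microsoft Graph":
                continue
            # Records are time-ordered, so the first one outside the window ends the search.
            if datetime.fromisoformat(later["ts"]) - start > window:
                break
            if later["ip"] != e["ip"]:
                alerts.append((e["user"], e["ip"], later["ip"]))
                break
    return alerts


if __name__ == "__main__":
    for user, first_ip, second_ip in correlate(EVENTS):
        print(f"ALERT {user}: device-code sign-in from {first_ip}, Graph access from {second_ip}")
```

Accounts that legitimately use the device-code flow (the conference-room and kiosk exclusions from recommendation 1) should be suppressed from the rule rather than tuned out by IP, so a token stolen from a real user is never hidden by an allow-list.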

Conclusion

CalPhishing represents a fundamental shift in how attackers approach credential theft — moving from cloned login pages to abuse of legitimate authentication protocols that MFA was never designed to protect against. For Saudi financial institutions, where M365 is deeply embedded in daily operations and where regulators demand demonstrable identity security controls, the risk is immediate and material. The good news is that the primary mitigation — blocking the Device Code Flow — is a single Conditional Access policy change that can be deployed in hours.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and a targeted review of your Microsoft 365 authentication posture.