How I almost fell for a Microsoft 365 Calendar invite scam

There’s a new phishing scam that’s sneaking past inbox filters in unexpected ways. Instead of sending suspicious links or obvious malware, this one uses something most people trust: calendar invites. Microsoft 365 and Outlook users are being targeted by a tactic that injects fake billing alerts directly into their calendars. Sometimes it includes malicious attachments, but in other cases, it exploits the default settings of calendars. Paul from Cape Coral, Florida, wrote us to share his experience:

“I had a very disturbing experience with a phishing attempt that almost had me hooked. I’m a Microsoft 365 subscriber and recently got the usual renewal emails. But a few days later, I started getting meeting invites saying my payment failed — they showed up directly on my calendar, even though I never opened or clicked anything. I got nervous when I tried to delete them and saw the only option was ‘delete and decline,’ which might have triggered a response to the attacker. I’ve never seen anything like this before.”

Paul verified his subscription status and avoided interacting with the event, which was the safest move, but his story highlights how easily this type of scam can slip through. Here’s how the attack works, and what to do if it shows up on your calendar.

Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts, and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM/NEWSLETTER.

A woman using Microsoft 365 calendar. (Kurt "CyberGuy" Knutsson)

How the Microsoft 365 calendar invite scam works

This type of phishing combines fake calendar events, Microsoft branding, and social engineering tactics to trick users into handing over personal information or clicking on malicious content.

It starts with a fake billing alert: The message appears to be from Microsoft 365, warning that your subscription renewal has either failed or been renewed. Some versions include an .htm attachment designed to look like a billing portal that captures credit card details.

The calendar invite adds pressure: Many of these scams include a calendar file (.ics) that places the event directly on your calendar. If your Microsoft 365 or Outlook settings automatically accept invites, the event appears without you doing anything.

The event looks official: Titles like “Payment Failed” or “Account Suspended” are used to trigger a quick reaction. Even if you never click a link, just seeing the event may prompt panic or confusion.

Deleting can confirm your identity: If your only option is “Delete and Decline,” that sends a response back to the sender. This confirms that your email is active and being monitored, which makes you a bigger target.

Scammers use compromised domains: These events often come from addresses that appear legitimate at a glance but are actually sent through hijacked third-party domains like .shop sites. Some even pass basic security checks, making them harder to detect.

Why Microsoft 365 phishing invites bypass email filters

This tactic is effective because it exploits a loophole in how Microsoft 365 processes calendar invitations. Even if a phishing email is flagged or blocked, the calendar event associated with it can still appear on your calendar. Here’s how:

It bypasses traditional email filters: Tools like Microsoft Defender scan incoming messages for bad links and attachments, but in this case, the attacker sends a malicious calendar invite that gets processed by Microsoft’s backend calendar services. So even if the email itself gets caught, the event still lands on your calendar.

You don’t have to click or open anything: If your settings allow calendar invites to be added automatically, that fake billing alert can show up instantly, making it feel urgent and legitimate, especially when it looks like it’s from Microsoft.

It exploits trust in internal tools: Because the invite appears inside Microsoft 365 or Teams, tools you use every day, it feels more “real” than an email from a random domain. That trust is exactly what scammers are counting on.

Microsoft 365. (Kurt "CyberGuy" Knutsson)

What to do if you get a phishing calendar invite in Microsoft 365

If a suspicious calendar event shows up and you didn’t accept it yourself, do not interact with it. Don’t click links, don’t download attachments, and don’t decline the invite; even that response can confirm your email is active.

Outlook is Microsoft’s interface for managing email and calendar events, and it comes in several different versions. The instructions below cover all three:

• New Outlook: The modern web-based and desktop app bundled with Microsoft 365 (formerly Office 365). Most users on Microsoft 365 today are using the new Outlook.
• Classic Outlook: The older desktop version (common in corporate setups) with more granular calendar settings.
• Outlook.com: The free personal version of Outlook that you access through a web browser. It shares many features with the new Outlook, but some settings are unique to the web version.

Most people using Microsoft 365 today are on the new Outlook. Here’s what to do next, depending on your version:

A woman using Microsoft 365 on her laptop. (Kurt "CyberGuy" Knutsson)

1) Don’t click or decline the phishing calendar invite

It might be tempting to hit “Decline” and move on, but that can actually send a response back to the attacker, letting them know your account is active. Previewing the event is generally safe, but avoid clicking links, opening attachments, or interacting with it in any way. 

2) How to delete a phishing calendar event without alerting the attacker

New Outlook (desktop or web): This version no longer offers a “delete without response” option from the calendar view, making it trickier to handle suspicious invites. Here’s what you can do instead:

• Option 1: Leave it alone – If the event is already on your calendar and there’s no inbox email to ignore, your safest bet is to leave it untouched. Even if you uncheck “Email organizer,” it still logs your RSVP. In the new Outlook, there’s no way to fully disable this tracking.

Option 2: Use “Ignore” from the inbox – This won’t necessarily remove the event from your calendar, but it’s a helpful way to get rid of the email without sending a response.

• Go to your Inbox view (not your calendar)
• Find the calendar invite email
• Right-click and choose Ignore

This will move the email to your Trash without sending any response or showing RSVP tracking. However, in some cases, the event may remain on your calendar, and you can delete it manually afterward. Based on testing, this usuallydoesn’t notify the sender, but there is still no guarantee that RSVP tracking is avoided. If the invite is still on your calendar, the safest approach is to leave it.

Note: The “Ignore” option is only available in the inbox/mail view. If you try to manage the invite from the calendar view, your only options are Accept, Tentative, or Decline, all of which either notify the sender or leave behind RSVP tracking. 

Classic Outlook desktop (older version)

This version still gives you a clean, no-reply option:

• Right-click the event in your calendar
• Choose Delete
• Select “Do not send a response” when prompted

This removes the invite without alerting the sender or recording your RSVP.

3) Change Outlook settings to block calendar spam and phishing invites

New Outlook

Unfortunately, there is no way to prevent meeting invites from being automatically added to your calendar. Microsoft removed this control in newer versions, and users can only limit certain types of “Events from email” (such as travel reservations), not actual meeting invites.

Classic Outlook desktop

You can limit auto-processing of invites so Outlook doesn’t automatically add them:

• Go to File > Options > Mail
• Scroll to the Tracking section
• Uncheck “Automatically process meeting requests and responses to meeting requests and polls”

This doesn’t block invites completely, but it stops Outlook from acting on them without your input.

4) How to report a phishing calendar invite without alerting the sender

If the event also appeared in your inbox, you can report it using Outlook’s built-in phishing tool.

New Outlook

• Select the invite from your inbox
• In the toolbar ribbon, go to Home > Report > Report phishing
• Or right-click the email and choose Report > Phishing

Do not forward the invite from the calendar, as this may notify the sender and confirm your account is active.

If the phishing report button doesn’t work, you can email a report to phish@office365.microsoft.com. To do this safely:

• Open the email in your inbox view
• Click the three dots on the top right of the message
• Select Other reply actions > Forward as attachment

This method forwards the email as an attachment, avoiding the risk of sending the actual invite and notifying the sender.

Classic Outlook

• Go to your Inbox
• Open the calendar invite email (don’t just select it from the inbox)
• In the top ribbon, click Report phishing or Report message

To manually forward it to Microsoft:

• Open the email in your Inbox view
• Click the three dots on the top right of the message > Forward as attachment
• Send to phish@office365.microsoft.com

Again, do not forward directly from the calendar. Always forward from the inbox view using “Forward as Attachment” to avoid interacting with the calendar invite or notifying the sender. 

5) Check your Microsoft account for signs of phishing or hacking and install strong antivirus

Even if you didn’t interact with the invite, it’s smart to review your account just in case:

• Go to mysignins.microsoft.com
• Review your recent sign-ins and devices
• Change your password if anything looks off
• Make sure two-factor authentication (2FA) is turned on

Once you’ve checked your account activity, it’s also worth strengthening your defenses moving forward. The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe. 

Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android & iOS devices at CyberGuy.com/LockUpYourTech.

6) Monitor your identity after a phishing attempt

If your email or login info has been exposed, scammers may try again later. Use an identity protection service to scan the dark web for leaked credentials and alert you before they can be misused.

Identity Theft companies can monitor personal information like your Social Security Number (SSN), phone number, and email address, and alert you if it is being sold on the dark web or being used to open an account.  They can also assist you in freezing your bank and credit card accounts to prevent further unauthorized use by criminals. 

See my tips and best picks on how to protect yourself from identity theft at Cyberguy.com/IdentityTheft.

7) Remove your personal info from data broker sites to avoid future scams

Scammers often buy personal information from data broker sites, which makes it easier for them to target you again later. A removal service can help stop that by automatically scanning and deleting your data from hundreds of these sites. 

Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com/Delete.

Get a free scan to find out if your personal information is already out on the web: Cyberguy.com/FreeScan.

Kurt’s key takeaways

If a suspicious event suddenly shows up on your calendar, avoid interacting with it. That means no clicking, no declining, and no replies of any kind. Just opening the event is usually safe, but responding in any way can let scammers know your account is active. The new Outlook versions make this harder to manage, so the safest move is to leave the event alone, report it from your inbox, and double-check your account security. Until Microsoft adds stronger controls, calendar scams will continue to sneak through, but a few careful steps can keep you protected.

What responsibility does Microsoft have to protect users from security flaws in its own ecosystem, especially when default settings can expose people to phishing attacks without their knowledge? Let us know by writing to us at Cyberguy.com/Contact.

Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts, and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM/NEWSLETTER.

Copyright 2025 CyberGuy.com. All rights reserved.