Drive By Meeting Invitations
Posted by jamesgamble@reddit | sysadmin | 34 comments
We're getting hammered with unsolicited meeting invitations. Someone has figured out our email naming scheme and is blasting calendar invites that appear directly in our users' calendars.
We're on M365 with Proofpoint Essentials as our gateway. I've been going down a rabbit hole trying to find a filter-based solution, but keep hitting dead ends.
I'm curious how other orgs are dealing with this. Is there a clean solution I'm missing, or is everyone just living with it?
Proud-University593@reddit
Sounds like that's bypassing your email filters entirely. We have Abnormal AI and it detects these at the behavioral layer by recognizing that the invite patterns don't match any established relationship between sender and recipient.
The Set-CalendarProcessing fix helps but you still want something catching the underlying pattern.
ntrlsur@reddit
I always tell all of my users to accept the invite and just don't go. If you are going to send me an unsolicited invite I might as well waste more of your time than you do of mine. When they send the sorry we missed you and send an unsolicited invite for the reschedule then accept that one and don't go as well. After 2 or 3 they get the hint...
kagato87@reddit
Accept and delete without sending a response. If they email, say "sorry reschedule?"
Repeat.
ImOutToday@reddit
New Outlook doesn’t allow you to decline with no response.
Ok-Double-7982@reddit
I never accept or decline it. I don't want any acknowledgment that I saw it. I let it sit and just never answer emails and never show up.
ntrlsur@reddit
Maybe it's because I'm an asshole.. But I do enjoy wasting people's time that waste mine.. Maybe it's a spite thing..
vawlk@reddit
anyone who sends unsolicited invitations gets blocked permanently.
dflek@reddit
Just block the domain they're coming from?
TerrificVixen5693@reddit
But what is an ACL? I’ve been down a google rabbit hole trying to figure out what it means and what it does.
MBILC@reddit
If you do not know what an ACL is, why are you managing IT infra? Is this your actual job, or were you just tossed into it?
ACL - Access Control List.
thebigshoe247@reddit
Probably an IT Manager
slippery_hemorrhoids@reddit
Hey now, I'm pretty sure that's the thing you tear in your knee!
TerrificVixen5693@reddit
Guess the joke went over your head, too.
anonymousITCoward@reddit
Nothing goes over my head... I'm too fast for that.
thebigshoe247@reddit
Just crushing it.
TerrificVixen5693@reddit
I guess the joke went over your head?
MBILC@reddit
It did, because the way it was written sounds like many "apparent" sysadmins that post on here sometimes :D
GullibleDetective@reddit
Baby don't hurt me!
ShoulderChip4254@reddit
How does he not know that?
jamesgamble@reddit (OP)
I do know that, the problem is that the attacker is using random Gmail accounts, and we have a legitimate need to be able to receive mail from Gmail.com
bageloid@reddit
But do you need calendar invites from Gmail?
jamesgamble@reddit (OP)
The attacker is using random Gmail accounts. We have a legitimate need to be able to receive mail from Gmail.com.
dflek@reddit
Are your users marking the invites as spam and blocking the sender? Shouldn't take long to teach the spam filter about what is / isn't junk.
nav13eh@reddit
It's likely they either come from a common domain which cannot be realistically blocked (gmail.com or outlook.com) and/or the attack comes from thousands of randomly generated addresses/domains.
In other words, it may be impossible to simply block so easily.
jamesgamble@reddit (OP)
Yep, that's the problem. It's a lot of random Gmail.com accounts. We're a nonprofit, and many of our external contacts are donors who use Gmail.
Kardinal@reddit
Exactly my thought.
dartdoug@reddit
I can't fathom how this kind of deception would result in a sale...ever. The sender is using deceptive tactics to get your eyes on their product. And that means that after you buy their product/service they are going to stop being deceptive?
littleko@reddit
i ran into this too at a previous gig. the problem is exchange online auto-adds calendar invites by default, which is honestly wild.
the fix is to change the calendar processing settings so invites don't get auto-added. you can do this in powershell with Set-CalendarProcessing or push it org-wide through OWA mailbox policies. set it so invites land in the inbox as regular emails instead of going straight to the calendar.
on the proofpoint side you could also try writing a content filter that catches common patterns in these spam invites (like specific subject lines or sender domains), but the calendar processing change is what actually solved it for us.
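An added example of the calendar-processing change described in the comment above; it is not part of the original comment. It assumes the setting meant is the AutomateProcessing parameter of Set-CalendarProcessing set to None, and the admin UPN, pilot addresses and CSV path are placeholders.

```powershell
# Requires the ExchangeOnlineManagement module and an Exchange admin role.
# admin@example.org is a placeholder UPN.
Connect-ExchangeOnline -UserPrincipalName 'admin@example.org'

# Pilot mailboxes (constructed placeholder addresses). Confirm the behaviour
# on a few users before widening the change.
$pilot = 'user1@example.org', 'user2@example.org'

# 1. Record the current setting for each mailbox so the change can be reverted.
$before = foreach ($id in $pilot) {
    [pscustomobject]@{
        Mailbox            = $id
        AutomateProcessing = (Get-CalendarProcessing -Identity $id).AutomateProcessing
    }
}
$before | Export-Csv -Path '.\calendar-processing-before.csv' -NoTypeInformation

# 2. Turn off automatic processing (assumed setting: None), so an invite
#    arrives as a message in the inbox and is only added to the calendar
#    when the user acts on it.
foreach ($row in $before) {
    if ("$($row.AutomateProcessing)" -ne 'None') {
        Set-CalendarProcessing -Identity $row.Mailbox -AutomateProcessing None
    }
}

# 3. Verify the result.
foreach ($id in $pilot) {
    Get-CalendarProcessing -Identity $id |
        Select-Object Identity, AutomateProcessing
}

# 4. After the pilot, the same change for every user mailbox.
#    Left commented out on purpose; -WhatIf previews without changing anything.
# Get-EXOMailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
#     ForEach-Object {
#         Set-CalendarProcessing -Identity $_.UserPrincipalName `
#             -AutomateProcessing None -WhatIf
#     }

Disconnect-ExchangeOnline -Confirm:$false
```

To revert a mailbox, run Set-CalendarProcessing again with the AutomateProcessing value recorded for it in the CSV. New mailboxes created later are not covered and need the same setting applied.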
jamesgamble@reddit (OP)
This sounds like it may be the answer. Thanks for the heads up.
Prestigious-Past6268@reddit
We are a Gmail outfit and had the option to block external invites from showing up on calendars until they were accepted via the links in the original email invitations. This was super helpful because the emails could be filtered to spam, blocked or retracted.
jamesgamble@reddit (OP)
Thanks for the idea. I'll check out the MS tooling.
itishowitisanditbad@reddit
Accept everything, never join/meet/reply to anything, keep accepting.
It's best if you redirect everything from their domain to a singular 'pit' account which autoaccepts.
Best bet is setting up a phone number with the most annoying endless wait music possible and the pit account has it.
After a while it turns out they stop, not that you'll ever even know it's happening anymore.
It's fun. Turns the inconvenience around.
MBILC@reddit
Block em, report them to your local spam act department (won't do anything) and move on. Some could also be malicious.
anpr_hunter@reddit
Domain-level block, complaint to sender's MX provider, burning bag of dog poo in their office lobby.