The Office of Information Technology has identified a new phishing campaign that targets Google Calendar.
Attackers are using Google’s automatic meeting invite feature to send malicious calendar events that appear directly on user calendars, even when the related emails have been quarantined. These events may contain phishing links or malware disguised as legitimate meeting details.
Because Gmail and Google Calendar function as separate but connected services, blocking suspicious emails alone does not prevent the calendar entries from appearing. After consulting with peer institutions and reviewing Google’s recommendations, we are taking steps to reduce this risk.
As of October 28, the default invitation setting in Google Calendar for all faculty and staff has changed. Only calendar invitations from people you’ve previously interacted with will appear automatically on your calendar.
If someone new sends you an invitation, you’ll see a one-time message:
“This event isn’t in your calendar yet. You haven’t interacted with this sender before. Do you want to automatically add this and future invitations from them to your calendar?”
You can then select I know the sender (to allow future invitations) or Report spam if it looks suspicious.
This update provides a balance between convenience and security. It helps prevent unwanted or malicious calendar events while still allowing legitimate invitations once you’ve confirmed the sender.
If you have questions or need assistance, please contact the Help Desk at (208) 426-4357 or email helpdesk@boisestate.edu.