Educause Security Discussion mailing list archives
Re: Fake G-Suite Calendar Invites
From: Jesse Thompson <000000b6da97d697-dmarc-request () LISTSERV EDUCAUSE EDU>
Date: Mon, 2 Mar 2020 17:22:30 +0000
Hi Ron, This is very interesting. Did the attackers successfully update the event? They would at least need to know the event ID, which means that they were attendees or had access to the mailbox of an attendee. Based on feedback when CalConnect worked with M3AAWG on the calendar spam problem we realized that spoofing protection may be needed for the Organizer of events, since those don't need to match the From address (which is what DMARC protects). It makes me think that we should start logging the event Organizer in our mail logs so that we can start the track the level of spoofing. If we see an uptick in this trend, we could work with CalConnect to update the Calendar operator practices — Guidelines to protect against calendar abuse https://devguide.calconnect.org/Other-Topics/calendarspam/ https://standards.calconnect.org/csd/cc-18003.html Calendar operator practices — Guidelines to protect against calendar abuse<https://standards.calconnect.org/csd/cc-18003.html> Impact of calendar spam. Calendar spam is unique in a number of ways: Calendar spam, unlike email, can be placed chronologically anywhere in calendars, in the past or the future, not just the present, making it difficult for the end-user to detect at the time of delivery. standards.calconnect.org Jesse Thompson University of Wisconsin-Madison ________________________________ From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Ronald Loneker <rloneker () CSE EDU> Sent: Friday, February 28, 2020 9:38 AM To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU> Subject: [SECURITY] Fake G-Suite Calendar Invites Good Morning - Over the last few weeks, we have had two instances (including early this morning) where members of our staff have received changes in calendar invites that were not sent by the organizer. Not sure if this is something that others have been noticing, and I'm not sure whether there is a method to inject malware in these fake calendar changes. I know we can check header information of e-mails but is there a way to look at calendar changes in a similar way? Ron Loneker, Jr. Director, IT Special Projects College of Saint Elizabeth Mahoney Library 2 Convent Road Morristown, NJ 07960 Phone: 973-290-4229<tel:973-290-4229> e-mail: rloneker () cse edu<mailto:rloneker () cse edu> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- Fake G-Suite Calendar Invites Ronald Loneker (Feb 28)
- Re: Fake G-Suite Calendar Invites Frank Barton (Feb 28)
- Re: Fake G-Suite Calendar Invites Jesse Thompson (Mar 02)