Educause Security Discussion mailing list archives

Re: Fake G-Suite Calendar Invites


From: Jesse Thompson <000000b6da97d697-dmarc-request () LISTSERV EDUCAUSE EDU>
Date: Mon, 2 Mar 2020 17:22:30 +0000

Hi Ron,

This is very interesting.

Did the attackers successfully update the event?  They would at least need to know the event ID, which means that they 
were attendees or had access to the mailbox of an attendee.

Based on feedback when CalConnect worked with M3AAWG on the calendar spam problem we realized that spoofing protection 
may be needed for the Organizer of events, since those don't need to match the From address (which is what DMARC 
protects).  It makes me think that we should start logging the event Organizer in our mail logs so that we can start 
to track the level of spoofing.

If we see an uptick in this trend, we could work with CalConnect to update the Calendar operator practices — Guidelines 
to protect against calendar abuse

https://devguide.calconnect.org/Other-Topics/calendarspam/

https://standards.calconnect.org/csd/cc-18003.html

Jesse Thompson
University of Wisconsin-Madison
________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Ronald Loneker 
<rloneker () CSE EDU>
Sent: Friday, February 28, 2020 9:38 AM
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Fake G-Suite Calendar Invites

Good Morning -

Over the last few weeks, we have had two instances (including early this morning) where members of our staff have 
received changes in calendar invites that were not sent by the organizer.

Not sure if this is something that others have been noticing, and I'm not sure whether there is a method to inject 
malware in these fake calendar changes.

I know we can check header information of e-mails but is there a way to look at calendar changes in a similar way?

Ron Loneker, Jr.
Director, IT Special Projects
College of Saint Elizabeth
Mahoney Library
2 Convent Road
Morristown, NJ  07960

Phone:  973-290-4229

e-mail:  rloneker () cse edu








**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community
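
One way to capture the fields discussed in this thread for a mail log: the event Organizer next to the message's From address, plus the method, UID and sequence number of the calendar part. This is an added example, not code from the thread participants or from CalConnect; the function names, the log field names and the sample message are assumptions constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample iMIP message; every address and the UID are made up.
SAMPLE = """\
From: Events <notify@mailer.example.net>
Subject: Updated invitation: Budget review
Content-Type: text/calendar; method=REQUEST; charset=UTF-8

BEGIN:VCALENDAR
METHOD:REQUEST
BEGIN:VEVENT
UID:constructed-uid-0001@example.edu
SEQUENCE:3
ORGANIZER;CN=Dean Office:mailto:dean@
 example.edu
END:VEVENT
END:VCALENDAR
"""

WANTED = ("METHOD", "UID", "SEQUENCE", "ORGANIZER")

def unfold(text):
    # RFC 5545: a line starting with space or tab continues the previous one.
    out = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out

def calendar_log_fields(raw_message):
    """Return the fields a mail log needs to track Organizer/From mismatches."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    rec = {"from": parseaddr(str(msg["From"]))[1].lower()}
    for part in msg.walk():
        if part.get_content_type() == "text/calendar":
            for line in unfold(part.get_content()):
                head, _, value = line.partition(":")
                name = head.split(";")[0].upper()
                # Keep the first occurrence of each property of interest.
                if name in WANTED and name.lower() not in rec:
                    rec[name.lower()] = value.strip()
    # ORGANIZER is a calendar address (mailto: URI), possibly after parameters.
    m = re.search(r"mailto:(\S+)", rec.get("organizer", ""), re.I)
    rec["organizer"] = m.group(1).lower() if m else None
    rec["organizer_matches_from"] = rec["organizer"] == rec["from"]
    return rec
```

Calling `calendar_log_fields(SAMPLE)` returns a dict that can be written as one log record per calendar message; a rising count of records with `organizer_matches_from` set to false is the trend the reply proposes tracking.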

