Is your digital calendar putting you at risk?

New research from Bitsight finds that events synced in your digital calendar could be exposing you to phishing, malware and AI jailbreak attacks.

Bitsight’s TRACE research team discovered more than 390 abandoned domains related to iCal sync requests for subscribed calendars, potentially putting around four million devices at risk.

Specifically, the report reveals that malicious actors are exploiting the high level of trust users place in their digital calendars. By setting up dedicated infrastructure and leveraging abandoned domains, they trick users into subscribing to notifications, then use the calendar sync function to push events containing malicious links and attachments directly into their schedule -- an attack far stealthier than traditional phishing.

Users and organizations are generally unaware that calendar events can be exploited, and this misplaced trust, combined with an unexpected attack vector, creates a powerful entry point for attackers.

Calendar subscriptions can come from many sources, for example a website might require users to subscribe to a calendar in order to access special promotions. Mobile applications, such as mobile games, may encourage the subscription of a calendar that delivers reminders for in-game events or exclusive advantages. Even e-mail invitations can be crafted to appear as professional meetings or personal events, enticing the recipient to accept without suspicion.

Once a calendar has been subscribed to, the device will continue to automatically make sync requests to the domain, allowing cybercriminals to exploit ongoing calendar subscriptions to promote content to users without requiring any approval.

While Google Calendar proxies the sync requests, iCalendar doesn’t. Google’s proxy-based sync design adds an important layer of protection by limiting direct client interaction with calendar domains.

The report’s authors conclude:

Our research shows that millions of devices sync daily with calendar servers weaponized by threat actors. The risks range from phishing and malware distribution to JavaScript execution and innovative attacks that exploit emerging technologies such as AI assistants.

Major platform providers like Apple and Google have made significant strides in securing their ecosystems. Our findings highlight areas where emerging risks, like calendar-based abuse, may not yet be fully addressed, despite strong security postures elsewhere.

Awareness and defenses of calendar subscriptions should be more robust, especially when compared to well-monitored and protected email solutions. The current imbalance creates a dangerous blind spot in both personal and corporate security postures.

You can read more along with examples of attacks and how to guard against them on the Bitsight blog.

Image credit: Rawpixel/depositphotos.com