Google has made it simple to prevent unauthorized calendar invitations from being added to Google Calendar, a technique frequently employed by threat actors in phishing and other criminal activities. It did so by enhancing the “Automatically add invites” feature, which now lets users choose whether invitations are added to the calendar automatically or only after the user has responded (RSVP’d) to the email event invitation.
“We’ve improved the ‘Automatically add invitations’ setting to help prevent unwanted invitations from being added to your calendar. These additional controls can help in managing your calendar with less manual work by ensuring unwanted events don’t appear, and you see only the events that are important to you,” Google explained.
This feature is OFF by default. Users can turn it on as follows: Open Google Calendar > Go to settings > Scroll to event settings > Add invitations to my calendar.
The new capability began rolling out to Google Workspace customers, G Suite Basic and Business customers, and users with personal Google Accounts on a Rapid Release basis. Google has been working for more than two years on a fix to prevent spammers from automatically spamming Google Calendar users with fraudulent invitations.
Although the spam seemed to be a harmless problem, user reports indicate that some of these spam events led prospective victims to phishing landing sites through malicious URLs. These attacks aim to steal the victims’ credentials or infect them with malware through malicious websites.
At the time, the organization said that it was “aware of the spam occurring in Calendar” and that it was “working diligently to resolve this issue,” and it provided instructions on how to report and delete spam calendar invitations.
Because Google Calendar is available as a web app on all desktop platforms and as a mobile app for Android and iOS, spammers can potentially reach many prospective victims.