The Google Workspace team announced today that it started rolling out a new method to block Google Calendar invitation spam, available to all customers, including legacy G Suite Basic and Business users.
“To help keep your Google Calendar free from spam, you can now select an option to display events on your calendar only if they come from a sender you know,” the Google Workspace team said today.
“If you select this option, you still get email event invitations from unknown senders, but they appear on your calendar only after you accept.”
According to Google, known senders include people in the same company domain, people in your contacts list, and people with whom you’ve interacted before.
Once the feature has rolled out, Google Workspace admins can switch at the domain level from the default option, which allows invitations from everyone, to the new option.
Adds to previously released block options
As we previously reported in 2019, Google has been working on solutions to block bad actors from spamming Google customers with malicious calendar invites.
Two years later, the company finally made it easy to block unwanted invitations by adding a new “Automatically add invitations” setting, which lets users have only the invitations they have already accepted via email (RSVP’d) added to the default calendar, instead of having all invitations added automatically.
“As before, you can also choose to have all invitations appear on your calendar, or only those you’ve accepted—letting you customize the display to best meet your needs,” Google added.
“Additionally, admins can set the default reply option for their users in the Google Admin console. Note that end users can indicate their preference in their own Calendar settings.”
Such unwanted calendar invitations are commonly used by threat actors in phishing and malicious campaigns targeting Google Calendar users.
Phishing campaigns that can reach massive numbers of targets
While, for many, invitation spam might seem to be a harmless issue, spam calendar events can be used to redirect targets to phishing landing pages via malicious URLs.
The end goal of these attacks is to harvest the victims’ credentials or, even worse, infect them with malware that could be used to steal sensitive information or deploy additional malicious payloads.
Since Google Calendar is available on all popular platforms (as a web or mobile app), such spam campaigns can potentially reach a massive number of victims.
To get an idea of how many targets such an attack could reach, the Google Calendar Android app alone has been downloaded more than 1 billion times, according to the app’s Google Play Store entry.