Fortra Intelligence and Research Experts (FIRE) have identified a new phishing campaign that is expanding beyond traditional email, using calendar invites (.ics files) to introduce malicious content into trusted workflows. FIRE link the activity to the EvilTokens phishing kit, combining ConsentFix (device code phishing) with calendar‑based delivery to capture Microsoft session tokens through legitimate authentication prompts.
Most notable about this campaign is the shift in delivery and persistence: the calendar entry remains visible and active even if the original email is removed, extending the window for user interaction. If the attack is executed successfully, the impact can be significant. Compromised tokens can enable account takeover, unauthorized access to cloud systems, lateral movement, and follow‑on phishing or infrastructure disruption, particularly if privileged accounts are involved.
The full report was just published here: https://www.fortra.com/blog/new-calendar-invite-phishing-campaign-ics-abuse-and-post-delivery-persistence
Related
This entry was posted on May 14, 2026 at 12:18 pm and is filed under Commentary with tags Fortra. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
New CalPhishing Campaign tied to EvilTokens uses ConsentFix
Fortra Intelligence and Research Experts (FIRE) have identified a new phishing campaign that is expanding beyond traditional email, using calendar invites (.ics files) to introduce malicious content into trusted workflows. FIRE link the activity to the EvilTokens phishing kit, combining ConsentFix (device code phishing) with calendar‑based delivery to capture Microsoft session tokens through legitimate authentication prompts.
Most notable about this campaign is the shift in delivery and persistence: the calendar entry remains visible and active even if the original email is removed, extending the window for user interaction. If the attack is executed successfully, the impact can be significant. Compromised tokens can enable account takeover, unauthorized access to cloud systems, lateral movement, and follow‑on phishing or infrastructure disruption, particularly if privileged accounts are involved.
The full report was just published here: https://www.fortra.com/blog/new-calendar-invite-phishing-campaign-ics-abuse-and-post-delivery-persistence
Share this:
Like this:
Related
This entry was posted on May 14, 2026 at 12:18 pm and is filed under Commentary with tags Fortra. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.