File-based cyber-attacks are a common way for hackers to sneak into companies’ data centers and networks. With research reporting over 10 billion malware attacks yearly, it is clear that files remain hackers’ vector of choice, and one that is here to stay.

By analyzing the different types of files used by cyber criminals, we see a clear preference for commonly used files (Office, PDFs, etc.) as they look innocent and legitimate to standard users.

One of the common file types users send and receive on a daily basis as part of their work is the email calendar invite.

What is a calendar invite attack?

A calendar invite attack is a phishing attempt in which threat actors trick the targeted user into clicking on an invite file that contains hidden malicious code embedded inside.

Once the targeted user clicks on the link or attachment, the hidden malware executes, infects the end device, and can potentially take control of the endpoint, exfiltrate information, encrypt files, and spread to other devices across the network.

It’s important to be cautious when receiving emails from unknown senders and to be wary of clicking on links or opening attachments from unknown sources. But when it comes to calendar invites, most users click and open these invites automatically; this is why hackers take advantage of this behavior and use this type of file to carry their malware.

How do calendar invites bypass Antivirus?

Calendar invites should be scanned by security tools in the same way as any other email message that arrives from internal or external sources. In reality, calendar invites containing embedded malware easily bypass antivirus scanning in multiple scenarios. How come?

The answer is simple: hackers take advantage of the security gaps antivirus tools have. They embed attachments in the calendar invite that contain malicious code sitting “under the surface” of antivirus scanning, meaning they either use encryption, hide the malware in nested files, or use a zero-day exploit.

Applying Deep File Analysis and CDR processes 

Content Disarm and Reconstruction (or CDR) is a preventative process of scanning files and neutralizing any potentially malicious code. This process provides deep analysis of files: it “breaks” the file into pieces and then creates a new copy of the original file, this time with the active content (the potential threat) neutralized.

The CDR process focuses on verifying the validity of the file structure on the binary level and disarms both known and unknown threats. This process is very different from anti-virus and sandbox methods that scan for threats, detect a subset of malware, and block files. With CDR, all malware, including zero-days, is prevented and the user gets a safe copy of the originally infected file.
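A simplified sketch of the disarm-and-reconstruct idea described above, applied to an iCalendar (.ics) invite. This is an added example, not odix's FileWall or TrueCDR code; the allow-list, the function names and the sample invite are assumptions made for illustration.

```python
import re

# Allow-list of properties copied into the rebuilt invite; everything else is dropped.
SAFE_PROPS = {"BEGIN", "END", "VERSION", "PRODID", "METHOD", "UID", "DTSTAMP", "DTSTART",
              "DTEND", "SUMMARY", "ORGANIZER", "ATTENDEE", "LOCATION", "DESCRIPTION"}
URL_RE = re.compile(r"https?://[^\s\\]+", re.IGNORECASE)

# Constructed sample invite: a folded inline binary attachment plus an HTML body variant.
SAMPLE = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nMETHOD:REQUEST\r\nBEGIN:VEVENT\r\n"
    "UID:constructed-1@example.test\r\nDTSTART:20240102T100000Z\r\n"
    "SUMMARY:Quarterly review\r\n"
    "DESCRIPTION:Agenda at http://files.example.test/agenda today\r\n"
    "ATTACH;FMTTYPE=application/octet-stream;ENCODING=BASE64;VALUE=BINARY:UEsDBBQA\r\n"
    " AAAIAA==\r\n"
    "X-ALT-DESC;FMTTYPE=text/html:<a href='http://files.example.test/x'>open</a>\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

def unfold(ics_text):
    """Undo RFC 5545 folding: a line starting with space or tab continues the previous one."""
    lines = []
    for raw in ics_text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines

def disarm_invite(ics_text):
    """Rebuild the invite from allow-listed properties only; return (clean_text, report).
    Simplified: splits at the first ':' (quoted parameters containing ':' are not handled),
    does not re-fold long lines, and does not validate nested components."""
    kept, report = [], []
    for line in unfold(ics_text):
        head, _, value = line.partition(":")
        name = head.split(";", 1)[0].upper()
        if name not in SAFE_PROPS:  # ATTACH, X-* extensions, unknown properties
            report.append(f"dropped {name}")
            continue
        if name in ("DESCRIPTION", "LOCATION") and URL_RE.search(value):
            value = URL_RE.sub("[link removed]", value)
            report.append(f"defanged link in {name}")
        kept.append(f"{head}:{value}")
    return "\r\n".join(kept) + "\r\n", report

if __name__ == "__main__":
    clean, report = disarm_invite(SAMPLE)
    print(clean)
    print(report)
```

Unfolding before filtering matters: filtering the raw lines would drop the `ATTACH` line but leave the continuation line carrying the rest of the payload attached to whatever precedes it.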

How to sanitize Microsoft 365 calendar invites?

FileWall™, a native security application for Microsoft 365, provides an effective file sanitization process for attachments across M365 business apps including Exchange Online, SharePoint, OneDrive, and Teams. FileWall uses odix’s patented military-grade Deep File Analysis technology containing its TrueCDR™ algorithms. FileWall effectively eliminates active content from all commonly used files, including attachments embedded in calendar invite messages. The entire sanitization process takes seconds and completely neutralizes the threat of malicious manipulation.

FileWall is available at the Microsoft marketplaces and offers a 30-day free trial.