Fortra: Calendar Phishing & ConsentFix: New Microsoft Account Threats

Name: Fortra: Calendar Phishing & ConsentFix: New Microsoft Account Threats
Uploaded: 2026-06-20T07:05:35-04:00
Duration: 1 min 53 s
Description: TL;DR Attackers are shifting from email-based phishing to 'calphishing' — using calendar invites as the primary entry point to target Microsoft accounts in less scrutinized environments. The technique combines calendar phishing with ConsentFix (devic...

Fortra

06/20/2026

0 (0%)

Report Like Favorite

TL;DR

Attackers are shifting from email-based phishing to 'calphishing' — using calendar invites as the primary entry point to target Microsoft accounts in less scrutinized environments.
The technique combines calendar phishing with ConsentFix (device code phishing) to capture session tokens through legitimate Microsoft authentication workflows, effectively bypassing MFA protections.
Campaigns show strong links to EvilTokens, an AI-enabled phishing-as-a-service platform that's rapidly gaining adoption among threat actors targeting enterprise Microsoft environments.

Summary

This threat intelligence briefing introduces a new phishing technique called 'calphishing' that exploits calendar invites to bypass traditional email security controls. Threat actors are combining calendar-based attacks with ConsentFix (device code phishing) to target Microsoft accounts, leveraging legitimate authentication workflows to capture session tokens and achieve account takeover while bypassing MFA protections. The technique is linked to EvilTokens, an AI-enabled phishing-as-a-service platform that's gaining rapid adoption. Unlike email-based phishing, calendar invites land in a less scrutinized environment and can persist even after the original email is deleted, creating multiple opportunities for user interaction. The presentation outlines how attackers abuse ICS files, manipulate Microsoft's authentication workflows, and evade standard email-focused detection systems. Organizations are advised to review the full technical analysis, IOC list, and mitigation guidance available in Fortra's detailed blog post to understand and defend against this emerging threat vector.

Chapters

0:00 - Introduction to Calendar Phishing
0:18 - Threat Intelligence Report Overview
0:44 - ConsentFix and EvilTokens Connection
1:25 - Technical Breakdown and Mitigation

Key Quotes

0:09 "Here's an interesting shift that's happening in the phishing space right now, and it starts with something that people don't really question, which is calendar invites."
0:28 "We're seeing attackers move away from traditional email-based alerts into newly discovered calphishing technique."
1:01 "The techniques help users legitimate Microsoft authentication workflows to capture session tokens and ultimately lead to account takeover, effectively bypassing MFA protections."

FAQ

How does calphishing differ from traditional email phishing?

Calphishing uses calendar invites as the primary attack vector rather than email messages. Calendar invites land in a less scrutinized environment, can persist even after emails are deleted, and bypass many email-focused security controls that organizations rely on to detect phishing attempts.

Can MFA protect against ConsentFix attacks?

No, ConsentFix (device code phishing) is specifically designed to bypass MFA protections by capturing session tokens through legitimate Microsoft authentication workflows. Once attackers obtain these tokens, they can access accounts without needing to defeat MFA directly.

Categories:

» Data Protection

Tags:

Show more Show less

Browse videos

Upcoming Webinar Calendar

06/23/2026

01:00 PM

06/23/2026

The AI-Powered VMware Alternative

https://www.truthinit.com/index.php/channel/2009/the-ai-powered-vmware-alternative/
06/24/2026

11:00 AM

06/24/2026

LATAM: Accelerating Insights on AI Through an Engaging Webinar Series

https://www.truthinit.com/index.php/channel/2012/accelerating-insights-on-ai-through-an-engaging-webinar-series/
06/25/2026

01:00 PM

06/25/2026

Generative AI Security: Preventing AI from Becoming a Data Breach Multiplier

https://www.truthinit.com/index.php/channel/1998/generative-ai-security-preventing-ai-from-becoming-a-data-breach-multiplier/
06/30/2026

01:00 PM

06/30/2026

Mastering Active Directory Certificate Services for Long-Term Success

https://www.truthinit.com/index.php/channel/2018/mastering-active-directory-certificate-services-for-long-term-success/
07/01/2026

04:00 AM

07/01/2026

Integrating Security in AI: Automated Red Teaming Strategies for Private Models

https://www.truthinit.com/index.php/channel/1969/integrating-security-in-ai-automated-red-teaming-strategies-for-private-models/
07/01/2026

04:00 AM

07/01/2026

Schutz von KI in Anwendungen, Agenten und APIs.

https://www.truthinit.com/index.php/channel/2008/schutz-von-ki-in-anwendungen-agenten-und-apis/
07/01/2026

01:00 PM

07/01/2026

How to Prevent Your AI from Taking Control of You

https://www.truthinit.com/index.php/channel/2021/how-to-prevent-your-ai-from-taking-control-of-you/
07/02/2026

10:00 AM

07/02/2026

When the cloud goes dark: Resilience lessons from hybrid threats

https://www.truthinit.com/index.php/channel/2011/resilience-insights-from-hybrid-threats-when-the-cloud-faces-challenges/
07/07/2026

01:00 PM

07/07/2026

A Comprehensive Demonstration of DLP Solutions and Strategies

https://www.truthinit.com/index.php/channel/2030/a-comprehensive-demonstration-of-dlp-solutions-and-strategies/
07/09/2026

01:00 PM

07/09/2026

Agentic Trust in Practice: Enhancing the Human Experience

https://www.truthinit.com/index.php/channel/2026/agentic-trust-in-practice-enhancing-the-human-experience/
07/14/2026

11:00 AM

07/14/2026

Discover the Latest Innovations in Netwrix 1Secure During This Technical Session

https://www.truthinit.com/index.php/channel/2014/discover-the-latest-innovations-in-netwrix-1secure-during-this-technical-session/
07/21/2026

04:00 AM

07/21/2026

Strategies for Managing AI Governance and Securing App-to-LLM API Traffic

https://www.truthinit.com/index.php/channel/1967/strategies-for-managing-ai-governance-and-securing-app-to-llm-api-traffic/
07/21/2026

01:00 PM

07/21/2026

HUMAN Dialogue: Insights from Attackers Revealed at the FIFA World Cup

https://www.truthinit.com/index.php/channel/2029/human-dialogue-insights-from-attackers-revealed-at-the-fifa-world-cup/
07/22/2026

06:30 AM

07/22/2026

Understanding the Dynamics of Data Privacy and Protection Regulations

https://www.truthinit.com/index.php/channel/2000/understanding-the-dynamics-of-data-privacy-and-protection-regulations/
07/28/2026

01:00 PM

07/28/2026

Illumio: Zero Trust in the Age of AI Autonomy

https://www.truthinit.com/index.php/channel/2031/illumio-zero-trust-in-the-age-of-ai-autonomy/
07/29/2026

04:00 AM

07/29/2026

Real-Time Strategies for Safeguarding Against Prompt Injections

https://www.truthinit.com/index.php/channel/1968/real-time-strategies-for-safeguarding-against-prompt-injections/
09/30/2026

04:00 AM

09/30/2026

AI Command Center: Optimizing Visibility and Control in Your Operations

https://www.truthinit.com/index.php/channel/2024/ai-command-center-optimizing-visibility-and-control-in-your-operations/