
The Calendar Invite That Never Should Have Been There

DeSoto LLC
April 14, 2026
A phishing scam that skips your inbox and lands straight on your schedule — and the two-minute fix that stops it.

One showed up on my calendar this morning. 9:00 AM, labeled "Billing Confirmation — PayPal to place your order — 499.99 USD Support (U.S.): +1 (805) 661-4968." I never opened an email. I never clicked Accept. It just appeared.

I do this work for a living, and this one still made it onto my calendar before I had coffee. That's the point of the attack — it's designed to bypass judgment entirely and bait a phone call before you're awake enough to think twice.

If you run your business on Google Workspace or Microsoft 365, you've seen one of these or you're about to. Here's how it works, why it's dangerous, and how to shut it down for good — on both platforms.

How the scam works

The attacker sends a calendar invite — not an email, a calendar invite — addressed to a list of harvested email addresses. In Google Calendar's default configuration, and in Outlook's default behavior, meeting invitations populate your calendar before you ever open the email. The invite is styled to look like a legitimate billing confirmation from a recognizable brand: PayPal, Norton, Geek Squad, McAfee, or a generic "Identity Protection Service." The "invoice" shows a charge in the $300–$500 range, a professional-looking invoice number, a "Paid" status marker, and — the entire point of the exercise — a toll-free phone number.

The message tells you to call the number if you didn't authorize the charge.

Why the phone number is the trap

There is no charge. The invoice is fabricated. The logos are lifted. The "Paid" status marker is a graphic, not a transaction.

When you call the number, one of three things happens:

  1. Remote access scam. The "support agent" walks you through installing a remote desktop tool — AnyDesk, TeamViewer, or similar — under the pretext of "processing your refund." Once connected, they'll drain bank accounts you're logged into, install persistent malware, or pivot to other machines on your network.
  2. Gift card or wire scam. You're told the "refund" requires verification — purchase gift cards, read off the numbers, wire funds to a "holding account." The money is gone the moment the numbers leave your mouth.
  3. Data harvesting. Even if they don't get money in the first call, they now have your voice, your name, your account details, and enough context to run targeted follow-on attacks for months.

The invite body itself rarely carries executable malware. The phone number is the weapon. One secondary risk worth naming: some of these invites hide malicious URLs in the event's location or description fields. Never click links inside an unsolicited calendar event, and never copy-paste one into a browser.

If one lands on your calendar

Three rules:

1. Do not call the number. Ever. Not to verify, not to complain, not to ask them to stop. The number exists for exactly one reason.

2. Do not click Accept, Decline, or Maybe. This is counterintuitive. Instinct says "decline and get it off my calendar." But every response — every response, including Decline — pings the sender's server and confirms your address is live and monitored. That puts you on a prioritized target list for follow-on attacks.

3. Delete the event and report the sender as spam. Delete the event from your calendar without responding, then report the underlying email as spam. That removes the invite without confirming your address.

If you already called the number — stop using that device for sensitive work. Change passwords on any accounts accessed from that machine, from a different device. If you installed anything the caller asked you to install, assume the device is compromised and get it professionally cleaned before trusting it again. No shame in it. These scams are engineered to get past careful people.

Prevent it: Google Workspace / Gmail

Google Calendar, by default, auto-adds invitations from anyone. That's the setting that lets spam invites appear on your calendar before you've seen the email. Change it once and you're done.

On desktop (calendar.google.com):

  1. Click the gear icon (top right) → Settings
  2. In the left sidebar under General, click Event settings
  3. Find "Add invitations to my calendar"
  4. Change it from "From everyone" to "When I respond to the invitation in email"

On the Google Calendar mobile app:

Menu (☰) → Settings → General → Add invitations to my calendar → "When I respond to the invitation in email"

The trade-off: legitimate invites from people you haven't corresponded with before now arrive only as email. You have to click "Yes" in the email to get them on the calendar. For most business users this is a net win. If your work involves receiving invites from strangers regularly — event coordinators, sales reps, recruiters reaching out cold — you'll want to know this is the new behavior.

The change only applies to future invitations. Anything already sitting on your calendar has to be deleted manually.

Prevent it: Microsoft 365 / Outlook

Microsoft's side of this is messier. Spam calendar invites are a well-documented, ongoing problem on Outlook, and Microsoft has not shipped a general user-facing fix. The settings that do exist are split across Outlook desktop, Outlook on the web, and tenant-level admin controls — and they don't all work the same way.

Here's the practical path for each scenario.

Outlook desktop (Classic Outlook for Windows)

This stops Outlook from automatically processing meeting invitations into tentative calendar entries.

  1. File → Options → Mail
  2. Scroll to the Tracking section
  3. Uncheck "Automatically process meeting requests and responses to meeting requests and polls"
  4. While you're there, under Send messages, check "Delete meeting requests and notifications from Inbox after responding"
  5. Click OK

Then:

  1. File → Options → Calendar
  2. Under Automatic accept or decline, click the button of the same name
  3. Uncheck "Automatically accept meeting requests and remove canceled meetings"

After this change, meeting invites stay in your inbox as emails until you manually accept them. Trade-off: you lose automatic updates to existing meetings — if an organizer reschedules, you'll have to process the change yourself.

Outlook on the web / New Outlook

  1. Click the gear icon (top right) → View all Outlook settings (if shown)
  2. Go to Calendar → Events from email
  3. For each category (flights, hotels, packages, reservations), set to "Don't show event summaries in email or on my calendar"

Be aware: this setting primarily controls auto-parsed events from legitimate emails — your airline sending a flight confirmation, for example. It does not fully stop spam meeting invites from appearing on the calendar. That's a separate, deeper issue Microsoft hasn't resolved at the user level.

Microsoft 365 administrators

If you manage a tenant and want to apply this for a user who's getting hammered, the PowerShell is:

Connect-ExchangeOnline -UserPrincipalName youradmin@yourdomain.com
Set-CalendarProcessing -Identity user@yourdomain.com -AutomateProcessing None

This disables automatic processing for that mailbox. Meeting invites stay as emails until the user accepts them manually. Same trade-off as the desktop setting: no auto-updates for existing meetings. Test on one mailbox before rolling it out broadly — AutomateProcessing None changes how Exchange handles every calendar message to that account.
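
One way to run that single-mailbox test so it can be undone, as an added example (not DeSoto's or Microsoft's script): it records each pilot mailbox's current AutomateProcessing value before changing it and can restore it afterwards. The state file path and the two function names are placeholders, and an existing Connect-ExchangeOnline session is assumed.

```powershell
# Added example. Assumes Connect-ExchangeOnline has already been run.
# $PilotMailboxes and $StateFile are placeholders; replace them with your own.
$PilotMailboxes = @('user@yourdomain.com')
$StateFile      = '.\calendar-processing-before.csv'

function Disable-InviteAutoProcessing {
    param([string[]]$Mailbox, [string]$StatePath)

    # A second run would overwrite the saved originals with "None"; refuse instead.
    if (Test-Path -Path $StatePath) {
        throw "State file $StatePath already exists. Restore or archive it first."
    }

    # Record the current value first so the change can be reversed exactly.
    $before = foreach ($m in $Mailbox) {
        $cp = Get-CalendarProcessing -Identity $m
        [pscustomobject]@{
            Mailbox            = $m
            AutomateProcessing = [string]$cp.AutomateProcessing
        }
    }
    $before | Export-Csv -Path $StatePath -NoTypeInformation

    foreach ($m in $Mailbox) {
        Set-CalendarProcessing -Identity $m -AutomateProcessing None
    }

    # Read the setting back instead of assuming the change applied.
    foreach ($m in $Mailbox) {
        $after = Get-CalendarProcessing -Identity $m
        [pscustomobject]@{
            Mailbox            = $m
            AutomateProcessing = [string]$after.AutomateProcessing
        }
    }
}

function Restore-InviteAutoProcessing {
    param([string]$StatePath)

    # Put every mailbox back to the value captured before the pilot.
    foreach ($row in Import-Csv -Path $StatePath) {
        Set-CalendarProcessing -Identity $row.Mailbox -AutomateProcessing $row.AutomateProcessing
    }
}

Disable-InviteAutoProcessing -Mailbox $PilotMailboxes -StatePath $StateFile
# If the pilot user loses meeting updates they depend on:
# Restore-InviteAutoProcessing -StatePath $StateFile
```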

For organizations on Microsoft Defender for Office 365, the stronger controls are:

  • Tighten anti-phishing policies in the Defender admin center
  • Add a mail flow rule that blocks external calendar invites by default (message type: Schedule.Meeting.Request), with explicit allowlist exceptions for trusted partners
  • Review Microsoft's enhanced calendar remediation guidance on the Defender for Office 365 blog
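
A sketch of the mail flow rule from the second bullet, as an added example rather than DeSoto's or Microsoft's configuration. It assumes Exchange Online's built-in Calendaring message type is the right match for meeting requests, uses quarantine as the blocking action so a misclassified invite can be released, and starts in audit mode; the rule name and partner domains are placeholders.

```powershell
# Added example. Assumes an existing Connect-ExchangeOnline session.
# Rule name and partner domains are placeholders.
$RuleName        = 'External calendar invites - quarantine'
$TrustedPartners = @('partner-one.example', 'partner-two.example')

$rule = @{
    Name                   = $RuleName
    Comments               = 'Hold calendar invites from outside the org unless the sender domain is allowlisted.'
    FromScope              = 'NotInOrganization'   # external senders only
    MessageTypeMatches     = 'Calendaring'         # meeting requests and responses
    ExceptIfSenderDomainIs = $TrustedPartners      # explicit allowlist
    Quarantine             = $true                 # held before it can reach a calendar
    Mode                   = 'Audit'               # log matches, take no action yet
    SetAuditSeverity       = 'Low'
}

# Create the rule only if it is not already there, so reruns are harmless.
if (-not (Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue)) {
    New-TransportRule @rule
}

# Confirm what was created.
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, Mode, FromScope, MessageTypeMatches, ExceptIfSenderDomainIs

# After reviewing what the rule matched in audit mode, turn enforcement on:
# Set-TransportRule -Identity $RuleName -Mode Enforce
```

Because the Calendaring type also covers meeting responses, replies from external attendees to internally organized meetings are held as well unless their domain is on the allowlist; the audit-mode period shows how often that happens before anything is enforced.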

If you're a DeSoto Consulting client and want this configured for your organization — across users, tenants, and managed devices — reach out and we'll scope it.

The bigger picture

This attack works because calendar platforms were designed for a world where nobody sent spam as meeting invites. That world is gone. Any system that auto-accepts input from anonymous senders and places it directly into your workflow will eventually be weaponized. Calendar invites today. Document share links yesterday. Something else tomorrow.

The defensive posture is the same across all of them: reduce what auto-populates, verify what lands, and never trust a phone number that arrived in an unsolicited message. If you need to verify a charge, go to the vendor's real website or call the number on the back of your card. Never the number in the message.

Most firms won't tell you this until it becomes a headline. We'd rather tell you now. Two minutes of settings changes today is worth more than an incident report tomorrow, and honest work means warning people before the trap closes, not after.

Think someone on your team already called one of these numbers? Or want the Outlook and Google settings configured across your whole organization? Reply to this post, or reach me directly.

Sergio DeSoto
DeSoto Consulting LLC
sergio@desoto.io
