Attackers are now embedding phishing links inside Google Calendar invites disguised as invoice and payment reminders, and the fake events can appear on a user’s calendar even when the associated email never reaches an inbox. At least three major U.S. research institutions have issued security alerts about the tactic, warning staff and students that default calendar settings leave them exposed. The threat is especially acute at universities and national laboratories, where shared calendars are woven into daily workflows and a single compromised credential can open doors to sensitive research networks.
How fake calendar invites bypass email filters at labs and universities
The core problem is a gap between email security and calendar handling. Most organizations have invested heavily in spam filters and quarantine systems, but a Google Calendar invitation is processed separately from the message that carries it. An invite travels as an iCalendar (text/calendar) part with a METHOD:REQUEST, and when an attacker puts a malicious link in the event title or description, Calendar can add the event to the recipient's calendar even if Gmail routes the carrying message to spam or a mail gateway blocks it. Lawrence Berkeley National Laboratory spelled this out in a cyber alert to its workforce, noting that phishing calendar invites may appear on calendars even when the associated emails are filtered.
That disconnect turns a calendar into an unguarded side entrance. Attackers craft invites with titles that mimic routine financial notices, using invoice and payment-themed language designed to blend in with the kind of reminders employees expect to see. A researcher scanning a packed weekly schedule might click what looks like a billing follow-up without a second thought, landing on a credential-harvesting page or triggering a malware download.
The risk concentrates at institutions that rely on Google Workspace. UC Berkeley’s Information Security Office published its own bulletin on bogus bCal meetings, confirming that default calendar settings can allow unsolicited meeting invites to land without user approval. Because Berkeley’s calendar system is tightly integrated with academic scheduling, office hours, and lab coordination, a single rogue event sitting among dozens of legitimate ones is easy to miss.
Boise State’s October 2025 response signals a widening campaign
The pattern is not confined to California’s research corridor. Boise State University’s Office of Information Technology published guidance on October 29, 2025, directly addressing a Google Calendar phishing campaign and urging users to change their invitation settings. The timing matters: Boise State’s notice arrived while Lawrence Berkeley and UC Berkeley alerts were already circulating, suggesting that the same technique is being deployed against a broader set of targets across higher education and federal research.
All three institutions converge on one practical fix. The control lives in Google Calendar under Settings, Event settings, "Add invitations to my calendar", which offers three choices: "From everyone", "Only if the sender is known", and "When I respond to the invitation in email". "From everyone" is the convenience feature attackers exploit, because any sender can place an event on a calendar without the recipient doing anything. "Only if the sender is known" limits automatic addition to contacts, people in the organization's directory and prior correspondents, and "When I respond to the invitation in email" is the fully manual option the advisories describe. Either of the latter two closes the side door, though it also means legitimate invitations from new contacts will need an extra step.
For IT administrators, the challenge is organizational scale. A national laboratory like Berkeley Lab supports thousands of researchers, contractors, and visiting scientists, each with a Google account tied to shared project calendars. Pushing a settings change across that population requires clear communication and, in many cases, centralized policy enforcement through Google Workspace admin controls. The fact that three separate institutions felt compelled to issue public advisories suggests the default configuration remains widespread.
What the institutional alerts leave unanswered about calendar phishing
The advisories from Berkeley Lab, UC Berkeley, and Boise State describe the attack mechanism and recommend a settings change, but they do not publish data on how many users received malicious invites, how many clicked through, or whether any credentials were actually compromised. Without those numbers, it is difficult to measure the scale of the campaign or compare it to earlier waves of calendar-based spam.
Google itself has not released an incident report or aggregate metrics on invite-based phishing volume tied to these alerts. That absence leaves a gap in understanding whether the current wave represents a spike driven by a specific threat actor or a steady background level of abuse that institutions are only now flagging publicly. The institutional notices also do not specify whether the phishing invites they observed used renewal-notice language specifically, or whether the invoice and payment themes took other forms.
A related open question is whether changes to Google Calendar’s default permission settings over time have correlated with measurable increases in phishing attempts at research institutions. If attackers monitor platform updates and time their campaigns to exploit windows before administrators adjust policies, the pattern would carry implications for how quickly IT teams need to respond after any product change. No public dataset currently confirms or refutes that timing relationship.
For anyone using Google Calendar through a university, government lab, or corporate Workspace account, the immediate step is straightforward: open Calendar settings, go to Event settings, and change "Add invitations to my calendar" from "From everyone" to "Only if the sender is known" or "When I respond to the invitation in email". That single change closes the gap between email filtering and calendar display for new invites; it does not remove events that have already been added. Staff who spot a suspicious event already on their calendar, typically one they never accepted, from an organizer outside the institution, with invoice or payment wording and an external link, should not click anything in the event, should remove it without declining (a decline sends a reply to the organizer and confirms the address is live), and should report it to their IT security team. As long as the default setting remains permissive, every new Google Workspace user starts out exposed, and attackers will keep exploiting that window.
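The two places a defender can look for these invites are the raw iCalendar body that arrives by email (the mechanism described above) and the events already sitting on a calendar (the events users are told to spot and report). The script below is an added example, not code from any of the institutional alerts or from Google: it unfolds and parses the VEVENT of a METHOD:REQUEST invite, applies the same three checks to a Google Calendar API event resource, and flags an external organizer, invoice/payment wording and links to hosts outside the institution. The trusted domain `lab.example`, the lure-word list and the two sample invites are all constructed for the example.

```python
"""Triage helper for Google Calendar invites (added example, not from the
institutional alerts).  Works on the raw iCalendar (text/calendar,
METHOD:REQUEST) body that carries an invite, and on the JSON event resource
the Google Calendar API returns, so the same rules can be run over an email
stream or over events already sitting on a calendar."""
import re
from urllib.parse import urlparse

# Assumed: the institution's own mail/web domains.  Anything else is "external".
TRUSTED_DOMAINS = {"lab.example"}
# Invoice/payment lures named in the alerts; extend with what you see locally.
LURE_WORDS = ("invoice", "payment", "overdue", "past due", "remittance", "billing", "wire transfer")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def is_trusted(host, trusted=TRUSTED_DOMAINS):
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in trusted)


def unfold(ics_text):
    """Undo RFC 5545 line folding: a line starting with SPACE/TAB continues the previous one."""
    lines = []
    for raw in ics_text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ics(ics_text):
    """Return METHOD plus the properties of the first VEVENT (parameters stripped)."""
    props, in_event = {}, False
    for line in unfold(ics_text):
        if line == "BEGIN:VEVENT":
            in_event = True
            continue
        if line == "END:VEVENT":
            break
        if ":" not in line:
            continue
        head, value = line.split(":", 1)          # first ':' ends the name/parameter part
        name = head.split(";", 1)[0].upper()      # drop parameters such as ;CN=...
        value = value.replace("\\n", "\n").replace("\\,", ",")
        if name == "METHOD" and not in_event:
            props["METHOD"] = value.strip().upper()
        elif in_event:
            props[name] = value
    return props


def triage(summary, description, organizer_email, trusted=TRUSTED_DOMAINS):
    """Return a list of findings; an empty list means nothing looked off."""
    findings = []
    organizer = organizer_email.lower().removeprefix("mailto:")
    if "@" in organizer and not is_trusted(organizer.rsplit("@", 1)[1], trusted):
        findings.append(f"external organizer {organizer}")
    text = f"{summary} {description}"
    hits = [w for w in LURE_WORDS if w in text.lower()]
    if hits:
        findings.append("payment lure: " + ", ".join(hits))
    for url in URL_RE.findall(text):
        if not is_trusted(urlparse(url).hostname or "", trusted):
            findings.append(f"external link {url}")
    return findings


def triage_ics(ics_text, trusted=TRUSTED_DOMAINS):
    ev = parse_ics(ics_text)
    if ev.get("METHOD") != "REQUEST":          # only invitations add events; replies/cancels do not
        return []
    return triage(ev.get("SUMMARY", ""), ev.get("DESCRIPTION", ""), ev.get("ORGANIZER", ""), trusted)


def triage_api_event(event, trusted=TRUSTED_DOMAINS):
    """Same rules over a Google Calendar API event resource (events.list output)."""
    return triage(event.get("summary", ""), event.get("description", ""),
                  event.get("organizer", {}).get("email", ""), trusted)


# Constructed sample: an invoice-themed invite from an outside sender, with a folded DESCRIPTION.
SAMPLE_PHISH = """BEGIN:VCALENDAR
PRODID:-//Example//EN
VERSION:2.0
METHOD:REQUEST
BEGIN:VEVENT
UID:20251029T120000Z-1@invoices-example.invalid
DTSTAMP:20251029T120000Z
DTSTART:20251030T150000Z
DTEND:20251030T153000Z
ORGANIZER;CN=Accounts Payable:mailto:billing@invoices-example.invalid
ATTENDEE;ROLE=REQ-PARTICIPANT;PARTSTAT=NEEDS-ACTION:mailto:alice@lab.example
SUMMARY:Invoice #4471 overdue - payment required
DESCRIPTION:Your payment is past due. Review the invoice
  at http://pay.invoices-example.invalid/4471
END:VEVENT
END:VCALENDAR
"""

# Constructed sample: an ordinary internal meeting, which should produce no findings.
SAMPLE_BENIGN = """BEGIN:VCALENDAR
VERSION:2.0
METHOD:REQUEST
BEGIN:VEVENT
UID:2@lab.example
DTSTART:20251030T160000Z
DTEND:20251030T170000Z
ORGANIZER:mailto:bob@lab.example
ATTENDEE:mailto:alice@lab.example
SUMMARY:Weekly group meeting
DESCRIPTION:Agenda: https://wiki.lab.example/group/agenda
END:VEVENT
END:VCALENDAR
"""

# Constructed sample shaped like a Calendar API event resource already on the calendar.
SAMPLE_API_EVENT = {
    "id": "abc123",
    "summary": "Payment reminder: invoice 9920",
    "description": "Settle at https://secure-pay.example.net/9920",
    "organizer": {"email": "ap@vendor-billing.example.net"},
    "attendees": [{"email": "alice@lab.example", "responseStatus": "needsAction", "self": True}],
}

if __name__ == "__main__":
    for label, findings in (("phish", triage_ics(SAMPLE_PHISH)),
                            ("benign", triage_ics(SAMPLE_BENIGN)),
                            ("api", triage_api_event(SAMPLE_API_EVENT))):
        print(label, findings or "clean")
```

Fed with real `events.list` output, the API path is a quick way to sweep existing calendars for events that were auto-added (attendee `responseStatus` still `needsAction`) by organizers outside the institution; the ICS path can sit in a mail-flow hook, where it catches the invite whether or not the carrying message reaches the inbox.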
*This article was researched with the help of AI, with human editors creating the final content.