Attackers Exploit Microsoft 365 Groups and Calendar Invites to Bypass Email Defenses

Fortra researchers have detailed CalPhishing, a technique that hides phishing lures inside Microsoft 365 Groups, calendar invites, and shared files — surfaces that sit outside what inbox filtering is designed to catch

Published on Jun 23, 2026
CalPhishing: Attackers Use Microsoft 365 Groups and Calendar Invites to Bypass Email Defenses

Fortra researchers have been tracking abuse of both Microsoft 365 Groups and Outlook tools that dresses an attack up as ordinary work.

The danger sits in a new place now. Instead of a single suspicious email, the lure waits inside a productivity workflow the target already trusts: a group addition, an internal update, a shared document, a calendar entry.

According to a new technical write-up by Fortra’s Intelligence and Research Experts (FIRE) team, published June 22, attackers have been observed controlling a convincing group, adding or inviting targets where external collaboration is permitted, then moving them through a normal-looking Microsoft experience.

A group called “IT Support,” “HR Updates,” or “All Company” reads as routine, the FIRE team explained. The observed welcome emails were usually clean, because the attacker was borrowing a real cloud service, rather than spoofing a brand. The risk is what the group enabled next.

That next step was often the calendar. FIRE described a malicious invite pulling the interaction out of the inbox and into the calendar, with reminders resurfacing even after the original mail was ignored or deleted.

The team called this CalPhishing, and its strength is persistence: an unresolved meeting feels less like spam and more like a work item left undone.

Repeated Exposure, Not One-Off Delivery

Shared files opened a parallel path. A clean group notification could still point to a document hosting a fake support process, a QR code, or a credential-harvesting page. Reached through a collaboration surface, that content could feel safer than a direct attachment, even though it was not.

FIRE’s central point for defenders is a visibility problem. Reviewing email alone can miss the group, the shared content, and the calendar artifact, so investigations should follow the full chain, from who created the group and who was added through to whether calendar entries survive after the mail is remediated.
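The chain described above can be followed in code. This is an added example, not Fortra's or Microsoft's code: it correlates constructed events in a hypothetical normalised schema (the field names, event types and the `corp.example` tenant domain are all assumptions, not a real Microsoft 365 log format) and reports which calendar entries survive after the mail was remediated.

```python
TENANT_DOMAIN = "corp.example"  # assumption: the defender's own mail domain

# Constructed sample events in a hypothetical normalised schema.
EVENTS = [
    {"t": 1, "type": "group_created", "group": "IT Support", "actor": "ops@ext.example"},
    {"t": 2, "type": "member_added", "group": "IT Support", "user": "ana@corp.example"},
    {"t": 3, "type": "member_added", "group": "IT Support", "user": "raj@corp.example"},
    {"t": 4, "type": "invite_delivered", "group": "IT Support", "user": "ana@corp.example", "invite": "inv-1"},
    {"t": 5, "type": "invite_delivered", "group": "IT Support", "user": "raj@corp.example", "invite": "inv-2"},
    {"t": 6, "type": "mail_remediated", "invite": "inv-1"},
    {"t": 6, "type": "mail_remediated", "invite": "inv-2"},
    {"t": 7, "type": "calendar_item_removed", "invite": "inv-2"},
    {"t": 8, "type": "group_created", "group": "Finance Team", "actor": "cfo@corp.example"},
]

def is_external(address):
    """True when the address is outside the defender's tenant domain."""
    return not address.lower().endswith("@" + TENANT_DOMAIN)

def trace_chains(events):
    """Per externally created group: creator, members added, and invites whose
    calendar entry still exists although the mail was remediated."""
    chains, invites = {}, {}
    for ev in sorted(events, key=lambda e: e["t"]):
        kind = ev["type"]
        if kind == "group_created" and is_external(ev["actor"]):
            chains[ev["group"]] = {"creator": ev["actor"], "members": [], "surviving_invites": []}
        elif kind == "member_added" and ev["group"] in chains:
            chains[ev["group"]]["members"].append(ev["user"])
        elif kind == "invite_delivered" and ev["group"] in chains:
            invites[ev["invite"]] = {"group": ev["group"], "user": ev["user"],
                                     "remediated": False, "removed": False}
        elif kind == "mail_remediated" and ev["invite"] in invites:
            invites[ev["invite"]]["remediated"] = True
        elif kind == "calendar_item_removed" and ev["invite"] in invites:
            invites[ev["invite"]]["removed"] = True
    # The gap the article describes: mail cleaned up, calendar entry left behind.
    for invite_id, state in invites.items():
        if state["remediated"] and not state["removed"]:
            chains[state["group"]]["surviving_invites"].append((state["user"], invite_id))
    return chains

if __name__ == "__main__":
    for group, chain in trace_chains(EVENTS).items():
        print(group, chain)
```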

The team also noted that external group notifications can be blocked at the mail-flow level, and that user training should treat unexpected groups, meetings, and files with the same suspicion as unexpected mail.

There is no patch to apply here. The attack abuses legitimate Microsoft 365 features, rather than exploiting a software flaw, which means the defence is detection, configuration, and user awareness rather than a software update.

It fits a wider pattern. Defenders have already watched attackers lean on legitimate remote-access software to slip phishing past controls that trust signed, familiar tools. The wider lesson is that attackers do not need to imitate Microsoft when they can operate inside it.