Lord777
How many people do you think will click on a link in the middle of the day when they see they are late for a meeting?
Ever wondered how meeting invitations work in Microsoft Teams and Google Meet? In this article, we will send out a fake meeting invitation, creating a sense of urgency so that the victim does not try to figure out the issue, but simply follows a phishing link asking for credentials.
Ever wondered how meeting invitations work in Microsoft Teams and Google Meet? Recently, I was working on a social engineering issue, and a random thought occurred to me: how do meeting invitations actually work, and can they somehow be used in fraudulent schemes?
Yes, such a thought has already been discussed before, and this method has already been used. But no one has ever explained how it works. I have not been able to find a single blog that technically describes this attack. Therefore, I decided to delve into it myself, in order to explain it in plain language to everyone who is interested in penetration tests and security issues in general.
What did I want to do in this attack?
Send a fake meeting invitation, creating a sense of urgency so that the victim does not try to figure out the issue, but simply follows my link asking for credentials.
Appointment creation (in Outlook) usually works like this:
- Click the New Appointment button, which will open a page with email fields, a pre-filled team template and the meeting URL.
- Set the name of the meeting and specify the attendees.
- Click Send, and your attendees will receive a beautiful email that allows them to accept or decline the meeting request.

Create an appointment in Outlook

This is what a meeting invitation looks like
What's wrong with this invitation?
When you create a meeting invitation, you are actually sending a regular email with an iCalendar file attached. Depending on the recipient's email client and how that client handles iCalendar, you might see a nice email or a simple email with an attachment. Below you can see what the team meeting request looks like in ProtonMail.

What is an iCalendar object?
According to Wikipedia:
“The universal iCalendar format allows users to store and share their calendar and schedule information (e.g. events, tasks, free/busy information). The iCalendar file is saved in text format and contains an event or task; used to send events or tasks to other users who can import them into their calendars. Usually has the .ics extension.”
iCalendar is supported by Outlook, Google Calendar, Yahoo, Apple and many more. In this article, I will focus on Outlook.
Below you can see my version of iCalendar for a group meeting invitation. I just sent a meeting invitation to my address in ProtonMail, downloaded it and read the attachment.
BEGIN:VCALENDAR
The thing to understand here is that every iCalendar object starts with BEGIN:VCALENDAR and ends with END:VCALENDAR. The meeting part is between BEGIN:VEVENT and END:VEVENT. Within your event, you specify the so-called components. Usually not all components are required and in my POC you can find a stripped-down *.ics file with only the required components. Most of them are self-explanatory, but I will highlight the most interesting ones.
ORGANIZER. Specifies the name and email address of the meeting organizer. You can enter any email and name here to make it appear that the meeting request is from that person.
ATTENDEE. Indicates meeting attendees. If you need many members, you will have multiple ATTENDEE components. Be aware that attendees will not receive a meeting invitation email; the list is for display only. You can easily simulate 30 people attending a meeting if you are actually sending an email to one victim.
X-MICROSOFT-SKYPETEAMSMEETINGURL. If you specify this component, a Connect button will be displayed in the meeting reminder. Unfortunately, when clicked, the system will try to open the specified URL through the desktop app, resulting in an error.
DTSTART, DTSTAMP, DTEND. Indicate the time of the meeting and its duration. I did a clever trick and set the meeting start time 5 minutes earlier than the current time, so it feels like you were 5 minutes late for the meeting. When the victim receives the email, Outlook treats it as a meeting invitation, sees that the meeting started 5 minutes ago and immediately displays a reminder on the screen. This helps simulate urgency.

How many people do you think would have clicked on a link in the middle of the day when they saw they were late for a meeting?
In this article, I showed you how Outlook handles meeting requests. This should work with any email provider / client that handles *.ics attachments. You can check my POC on GitHub and edit the script and templates to suit your needs.
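
The traits described in this post (an ORGANIZER that anyone can set, display-only ATTENDEE entries, a join-URL field, and a start time already in the past) can be checked on the receiving side. The following is an added example, not part of the original post or its POC; the function names, the Teams host allow-list and the sample message are constructed assumptions, and it expects a Date header that carries a UTC offset.

```python
from datetime import datetime, timezone
from email import message_from_string
from email.utils import getaddresses, parseaddr, parsedate_to_datetime
from urllib.parse import urlsplit

TEAMS_HOSTS = {"teams.microsoft.com", "teams.live.com"}  # assumed allow-list
SAMPLE = """From: Helpdesk <sender@mail.example.net>
To: user@example.com
Date: Tue, 02 Jan 2024 10:05:00 +0000
Content-Type: text/calendar; method=REQUEST

BEGIN:VCALENDAR
BEGIN:VEVENT
ORGANIZER;CN=Director:mailto:director@example.com
ATTENDEE;CN=A:mailto:a@example.com
ATTENDEE;CN=B:mailto:b@example.com
DTSTART:20240102T100000Z
X-MICROSOFT-SKYPETEAMSMEETINGURL:https://login.example.org/join
END:VEVENT
END:VCALENDAR
"""  # constructed sample message, not taken from the page or its POC

def ics_props(ics):
    # Unfold RFC 5545 continuation lines, then split NAME[;params]:value.
    lines = ics.replace("\r\n", "\n").replace("\n ", "").replace("\n\t", "").splitlines()
    pairs = (line.partition(":") for line in lines if ":" in line)
    return [(head.split(";")[0].upper(), val.strip()) for head, _, val in pairs]

def check_invite(raw):
    msg = message_from_string(raw)
    cal = next((p for p in msg.walk() if p.get_content_type() == "text/calendar"), None)
    if cal is None:
        return []
    props = ics_props(cal.get_payload(decode=True).decode("utf-8", "replace"))
    get = lambda name: [v for n, v in props if n == name]
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    sent = parsedate_to_datetime(msg["Date"])
    starts = [datetime.strptime(s, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
              for s in get("DTSTART") if s.endswith("Z")]  # UTC form only
    checks = {
        "organizer-differs-from-sender": any(
            o.lower().removeprefix("mailto:") != sender for o in get("ORGANIZER")),
        "attendees-exceed-recipients": len(get("ATTENDEE")) > len(rcpts),
        "join-url-not-teams": any(urlsplit(u).hostname not in TEAMS_HOSTS
                                  for u in get("X-MICROSOFT-SKYPETEAMSMEETINGURL")),
        "started-before-sent": any(t < sent for t in starts),
    }
    return [name for name, hit in checks.items() if hit]
```

Legitimate mail can trip individual checks (a delegate sending on behalf of the organizer, distribution lists, Bcc), so the findings are better used as scoring signals in combination than as a single blocking rule.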