I'm struggling with believing this is being shrugged off and is not an alarming concern:
Apparently, anyone at all can set up a "tentative" meeting request on a company user calendar. Spammers, people trying to reach you even if you try to ignore their sales calls. But the worst is that a ransomware person/team could do this.
Because the meeting then can have a dangerous URL or file put into it. Yeah, apparently you can show a meeting request you don't want and normally would refuse, but it places it in your calendar. Then, the organizer can put in something that can be used to attack the user system and infiltrate a network from their system. The recipient sees a calendar request and has no protection from clicking on dangerous and compromising URLs or files.
Microsoft's response to this is to "teach users not to click on things". Or "Change every internal email address so you get and NDR for incoming requests". Or, "create a giant IP block list of places you don't want to receive incoming requests". None of their solutions are to allow the user or an organization to shut off the ability to bypass quarantine rules and still show up on your calendar. Yes, a quarantine email with this request STILL goes onto your calendar. All protections bypassed.
Seriously? The biggest source for compromised systems is users. And completely changing every user's email internally to send and NDR, which means literally every incoming email from every source will now send an NDR.
I can't believe this is a thing and that Microsoft would consider this an acceptable solution. The legal ramifications of having a giant hole punched into people's companies, through all protections they've set up, is staggering. Cyber insurance and the intelligence agencies are already battling sophisticated attacks. Why on earth would handing a silver platter to ransomware attackers be just fine and so easily shrugged off?