Has anyone got a real fix for this hole in Outlook - spam invitations?

Microsoft leaves security hole in Office 365
Scammers can add Calendar invitations to your Outlook file without permission

Scammers can spam email invitations to an appointment which automatically get placed in your Outlook Calendar as tentative or not accepted.

Microsoft has left a hole big enough to drive a truck through, with a virus or Trojan horse, in Outlook Office 365.

Invitations could potentially contain harmful viruses. Microsoft not only does not protect you from them. They don’t seem to care. I found references in the Microsoft knowledge base back to Office 2007.

Since May 1st, I received 16 of these scam invitations, more than I got from January to April in 2013. I would assume the exploit is ramping up for a major attack on Office users.

Why Microsoft has left users unprotected from the exploit on their premium Office 365 product is a mystery.

The Calendar exploit starts with an email invitation on Office 365 with the Office 2010 Professional client.

If you delete the spam invitation from your email, it stays in the Calendar.

It will then pop up in Outlook Calendar asking you to accept the invitation. Don’t accept obviously.

The second step is to delete them manually. Search through your Calendar for tentative invitations and delete them.

If you use multiple calendars, it can be an annoying amount of manual work.

Even if people know about the potential risk, how many people are going to check the Calendar regularly for spam?

The third risk is that the invitation seems to create a tentative contact sometimes, leaving the Outlook file open to later attacks.

Microsoft knows about the exploit but has not announced a fix. Over on the Microsoft Support site, the comments ranged from the ludicrous suggestion of scrubbing Outlook Exchange Server through a Gmail account to turning off automatic acceptance. The exploit works even with the automatic box ticked no.

An obvious fix would be to make the Options feature work or to have another exclusion of refusing all appointments from people not in your Contacts folder.

While I have not received any invitations with attachments, it’s an easy jump for scammers to add an attachment with an embedded virus which apparently goes undetected by Microsoft.

One user expressed his frustration with the lax controls in Office 365.

“Dang. The answer was helpful, but not what I wanted to hear! All a virus writer has to do is zip the virus EXE and it will fly right by FOPE (Microsoft Forefront Online Protection for Exchange). And here I thought Office 365 email was supposed to be secure!”

“The zip was not even password-protected. Not scanning a password-protected zip file’s contents makes sense, but it does not make sense not to scan at least one level deep in unprotected zip files looking for infected EXE files.”

If anyone has found a reasonable fix, please post a comment.
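One way to automate the manual calendar sweep described above, across every calendar in the profile, is to drive the Outlook client through its COM object model from PowerShell. This is an added example and not code from the original post. It runs on the machine where the Outlook client is installed, reports by default and only deletes when -Remove is passed; the folder and status constants are the standard Outlook object model values, and the TrustedOrganizers allowlist is a hypothetical parameter.

```powershell
# Added example (not from the thread): sweep every calendar in the Outlook
# profile for received meeting requests that have not been responded to,
# then list them or, with -Remove, delete them without sending a response.
param(
    [switch]$Remove,                       # default is report-only
    [string[]]$TrustedOrganizers = @()     # assumed allowlist of organizer display names
)

$olFolderCalendar       = 9    # OlDefaultFolders.olFolderCalendar
$olAppointment          = 26   # OlObjectClass.olAppointment
$olMeetingReceived      = 3    # OlMeetingStatus.olMeetingReceived
$olResponseNotResponded = 5    # OlResponseStatus.olResponseNotResponded

$outlook   = New-Object -ComObject Outlook.Application
$namespace = $outlook.GetNamespace('MAPI')

# Collect first, delete afterwards: never modify a collection while enumerating it.
$suspects = @()
# Walk every store (mailbox or PST) so secondary calendars are not missed.
foreach ($store in $namespace.Stores) {
    try { $calendar = $store.GetDefaultFolder($olFolderCalendar) } catch { continue }
    foreach ($item in $calendar.Items) {
        if ($item.Class -ne $olAppointment) { continue }
        if ($item.MeetingStatus -ne $olMeetingReceived) { continue }
        if ($item.ResponseStatus -ne $olResponseNotResponded) { continue }
        if ($TrustedOrganizers -contains $item.Organizer) { continue }
        $suspects += [pscustomobject]@{
            Store         = $store.DisplayName
            Subject       = $item.Subject
            Organizer     = $item.Organizer
            Start         = $item.Start
            HasAttachment = ($item.Attachments.Count -gt 0)
            Item          = $item
        }
    }
}

$suspects |
    Select-Object Store, Subject, Organizer, Start, HasAttachment |
    Format-Table -AutoSize

if ($Remove) {
    foreach ($s in $suspects) {
        # Delete rather than decline: a decline sends a response that confirms
        # the address is live. Assumption: Delete() through the object model
        # sends no response; confirm on a test invitation before relying on it.
        $s.Item.Delete()
    }
}
```

Run it once without -Remove to review the list (the HasAttachment column flags the requests worth a closer look), then again with -Remove once the output looks right. Deleting the tentative appointment here does not remove the original request from the Inbox; that still has to be deleted separately.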


This is not a hole and it's not new to Office 365/Outlook 2013. It's always worked like this - but Outlook 2007/2010 as of a late 2012 update + Outlook 2013 don't delete the tentative appt from the calendar when the meeting request is deleted. Only allowing invites from people in your contacts would not work for a lot of people who have outside appointments. See Meeting Request spam for more information.
Diane Poremsky [Outlook MVP]
Outlook Resources: https://www.slipstick.com
https://www.outlook-tips.net


** I don't work for Microsoft, I just volunteer here.**


I respectfully disagree. Anything that allows spammers to inject an object or event in an Outlook file is a "hole" and not whole :)

This exploit is being used more and more. The tick box in Options is not working. I also don't think most users are going to play with VBA successfully.

There should be rules to stop people from placing tentative appointments in the Calendar. Even appointments from contacts should be blocked until the user approves them.

Personally, I've been an Outlook user from the first release and have never...as in never... had a spam appointment until just after the new year 2013.

Spammers are always looking for entry points and they have found one.

"not a complete unknown"


Spell check and predictive typing on my tablet obviously require proofreading. I should be thankful that it's only stupid and not obscene. :)

I had my first meeting spam some 10+ years ago and get one occasionally - the sniffer feature that makes the spam 'work' was added to Outlook 2000. It's not a big problem here though. You don't want to decline as it will verify your address as legit.

The box in Options is to auto-accept or decline - Outlook adds the meetings tentatively to the calendar so if a meeting request is missed, the meeting will be on the calendar. I wouldn't want to use the auto-accept or decline features as it will verify your address - this could lead to more spam.

A server-side rule to move meeting requests out of the Inbox used to work to prevent tentative meetings being added to the calendar - I have not tested it with Outlook 2013. If it still works, you could move any requests from people not in your address book.

A contact could be created for senders of meeting request spam if you accept or decline the meetings and use Outlook 2010's Suggested Contacts. In Outlook 2013, the address would be added to the autocomplete list only - but the list is included in contact search results.

Diane Poremsky [Outlook MVP]
Outlook Resources: https://www.slipstick.com
https://www.outlook-tips.net


** I don't work for Microsoft, I just volunteer here.**
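The server-side rule described in the reply above, written for Exchange Online PowerShell as an added example (this is not the thread's own code and not a Microsoft-provided script). It assumes the ExchangeOnlineManagement module, an admin account, a target mailbox jdoe@contoso.example, a folder named "Meeting Quarantine" that already exists under the Inbox, and an allowlist of organiser addresses; all of those are placeholders. Because the rule runs on the server before the client ever sees the request, the Inbox sniffer has nothing to add to the calendar.

```powershell
# Added example (not from the thread): an Exchange Online Inbox rule that
# diverts meeting requests from anyone outside an allowlist into a quarantine
# folder, so no tentative appointment is created. Placeholders: admin account,
# mailbox, folder and allowlist.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

$Mailbox    = 'jdoe@contoso.example'
$Quarantine = "$($Mailbox):\Inbox\Meeting Quarantine"   # folder must already exist
$RuleName   = 'Quarantine meeting requests from unknown senders'

# Organisers whose requests should still land in the Inbox (assumed list).
$AllowedOrganisers = @('boss@contoso.example', 'partner@example.net')

# Caveat: creating or editing server-side rules from PowerShell removes any
# Outlook client-only rules in that mailbox. Review what is there first.
Get-InboxRule -Mailbox $Mailbox | Format-Table Name, Enabled, Priority -AutoSize

# MessageTypeMatches Calendaring selects meeting requests and related
# calendaring messages. The rule only moves; there is deliberately no
# -DeleteMessage and no auto-decline, because any response sent back to the
# sender verifies that the address is live. -Force suppresses the
# client-rules warning prompt mentioned above.
New-InboxRule -Mailbox $Mailbox `
    -Name $RuleName `
    -MessageTypeMatches Calendaring `
    -ExceptIfFrom $AllowedOrganisers `
    -MoveToFolder $Quarantine `
    -StopProcessingRules $true `
    -Force

# Verify the rule landed with the intended conditions and action.
Get-InboxRule -Mailbox $Mailbox -Identity $RuleName |
    Select-Object Name, Enabled, MessageTypeMatches, ExceptIfFrom, MoveToFolder

Disconnect-ExchangeOnline -Confirm:$false
```

Users who do want a particular organiser's requests to reach the calendar add that address to the ExceptIfFrom list with Set-InboxRule; everything else waits in the quarantine folder, where it can be deleted without ever being accepted or declined.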


I guess you want to support MS no matter what.

Two spam invitations arrived today. I removed them from the Office 365 Professional 2010 client only to find they were still in the web client.

Is there any way to report a bug to Microsoft?

"not a complete unknown"


You can open a support case (recommended) or use http://mymfe.microsoft.com/Office/feedback.aspx?formID=375 (or do both). You get 90 days free support with retail licenses and opening a support case guarantees it gets added to the database so I highly recommend doing that.

Start here -

http://support.microsoft.com/gp/microsoft-support-options#For_Home

Diane Poremsky [Outlook MVP]
Outlook Resources: https://www.slipstick.com
https://www.outlook-tips.net


** I don't work for Microsoft, I just volunteer here.**


I've got the same problem and I have Norton on my machine, and Microsoft don't look at fixing bugs until a new release. I'm using 2007, so how long have I got to wait for a fix? I am a programmer, and any system that lets an object through that can harm your machine is a "hole", and this is a big one. I myself like Microsoft but I do not and will not defend them as Diane Poremsky has. It's just blind loyalty.


Today I got an appointment with an attachment, which I deleted in three places - Outlook mail, Calendar and the Office 365 web client. The attachment could have been infected. They usually are.

ComputerWorld reported a two-step exploit that starts with a simple email. The follow-up has an infected file.

"not a complete unknown"


Outlook will not run attachments - you'd need to click on the attachment (and Outlook would first write it to SecureTemp - where your antivirus would scan it).

When you delete the request and the tentative appt in Outlook, it should also remove it from the web - but it can take a few seconds for it to sync up and remove it from the calendar and inbox. If it's not deleting it from the server, then something is not working right.

Diane Poremsky [Outlook MVP]
Outlook Resources: https://www.slipstick.com
https://www.outlook-tips.net


** I don't work for Microsoft, I just volunteer here.**


Outlook does run attachments if you click the email. I have had 10 events each day this year, and when I click, the action is sent to the calendar; it would not take much to run some VBA or scripting code behind these. Obviously you are looking through Microsoft-coloured glasses. If you click an email with a hidden virus that is not detected, that is an attachment because it's not part of the mail.


Outlook will not open attachments until you select them. Outlook will not run scripts embedded in incoming messages - macros in macro-enabled Word or Excel documents will not run automatically. If you have VBA macros in your Outlook, those will run as you designed them to. A tentative meeting request is annoying but it is not dangerous - it's not going to infect you even if it has a virus attached unless you open the virus. It is a security issue only in that if you decline it, you'll validate your address.

I'm not looking at this with "Microsoft colored glasses", I'm looking at it as someone who knows Outlook inside out and knows what it can and cannot do. I understand why it does most of the things it does - I may not agree with the way it does some things, but I have worked with users enough to understand why some features are useful to some people and that people don't want more options in Outlook - it's complicated enough for the typical user.

Diane Poremsky [Outlook MVP]
Outlook Resources: https://www.slipstick.com
https://www.outlook-tips.net


** I don't work for Microsoft, I just volunteer here.**


Question Info

Last updated March 12, 2021. Views: 8,447.