Phishing is shifting into places people rarely check. Meeting invites that plant themselves on calendars can survive long after the malicious email is gone. That leaves a quiet opening for attackers.
Microsoft has updated Defender for Office 365 so that security teams can now remove those leftover calendar entries when they perform a Hard Delete. Microsoft also added stronger domain blocking for phishing links.
Attackers have been sending harmful meeting invites because Outlook often auto creates a calendar entry. Even if a security team deletes the email, the calendar entry can stay in place. Users sometimes click invitations directly from the calendar without noticing the source. Microsoft’s update closes this gap by connecting Hard Delete to the removal of the linked calendar item.
“SOC teams currently use remediation actions such as Move to Junk, Delete, Soft Delete, and Hard Delete to quickly eliminate email threats from user inboxes,” said Nithin Nara, a Senior Product Manager at Microsoft. The challenge was that these actions did not touch the calendar entry created by the original invite. The new change makes Hard Delete remove both the email and the related calendar item. According to the announcement, “Hard Delete will now also remove the associated calendar entry for any meeting invite email.”
This applies across the main security surfaces in Defender for Office 365. If analysts use Explorer, Advanced Hunting or the API, Hard Delete works the same way. The calendar entry is taken out as part of the same workflow used to erase the email. This brings calendar items into the same remediation path as inbox messages.
There are limits to the feature. Calendar events added through .ics files remain untouched. Calendar entries can also reappear if the sender issues the same meeting invitation again. These details matter for security teams that often see multi round phishing attempts where attackers resend invites or use multiple methods to add entries to a calendar.
The second part of Microsoft’s update focuses on link based phishing. Attackers often reuse the same domain while cycling through different URLs. Blocking link after link becomes repetitive for analysts. The new option lets teams block an entire domain through the Tenant Allow Block List. This can reduce the number of individual submissions analysts need to process during a phishing campaign.
For SOC teams, these changes can streamline incident response. The calendar fix removes a common source of leftover risk in Meeting Invite phishing events. Domain blocking can reduce alert noise when attackers flood environments with link variants from one domain. The update brings both email and calendar entries into the same cleanup process, which reduces the chance that a user interacts with a link after analysts think they have removed the threat.
IT teams may also benefit. Users frequently ask why a suspicious calendar entry survived after the email was cleared. The new behavior keeps the calendar aligned with the action analysts take in Defender. The domain blocking improvement can reduce repeated blocks on similar URLs and may cut down on follow up work during investigations.