Do you know how modern email clients automatically process invitations into our calendars? In this talk, I will explain how to abuse this automatic processing to deliver spoofed meeting invites that are automatically added to a user’s calendar without interaction, opening many different possibilities for social engineering scenarios.
I will also demonstrate how the Microsoft Outlook and Gmail mail clients behave in this context, and how the lack of sanitization in some fields can be chained with other vulnerabilities, triggering rendering features and bugs that make these events look legitimate.
This research is accompanied by Tangled, an open-source platform that automates many aspects of delivering social engineering campaigns and takes advantage of the features discussed during the talk.
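As an added illustration (not code from the talk or from Tangled), the following Python builds the kind of MIME message that clients auto-process, a text/calendar part carrying METHOD:REQUEST (the iTIP meeting-request method), and then runs the check a mail gateway or detection rule would want: does the iCalendar ORGANIZER agree with the visible From: header? The addresses, event times and field layout are constructed for this example; nothing here assumes which fields a given client leaves unsanitized.

```python
import email.utils
import uuid
from datetime import datetime, timedelta, timezone
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser


def build_invite(from_header, organizer_addr, attendee_addr, summary, description):
    """Build a MIME message with a text/calendar part using METHOD:REQUEST.
    The From: header and the iCalendar ORGANIZER are set independently, so the
    caller can make them disagree (the spoofing condition).  Returns bytes."""
    start = datetime(2025, 1, 15, 10, 0, tzinfo=timezone.utc)  # constructed time
    end = start + timedelta(hours=1)
    fmt = "%Y%m%dT%H%M%SZ"
    ics = "\r\n".join([
        "BEGIN:VCALENDAR",
        "VERSION:2.0",
        "PRODID:-//invite-demo//EN",
        "METHOD:REQUEST",
        "BEGIN:VEVENT",
        f"UID:{uuid.uuid4()}@invite-demo.example",
        f"DTSTAMP:{start.strftime(fmt)}",
        f"DTSTART:{start.strftime(fmt)}",
        f"DTEND:{end.strftime(fmt)}",
        f"ORGANIZER;CN=Organizer:mailto:{organizer_addr}",
        f"ATTENDEE;ROLE=REQ-PARTICIPANT;RSVP=TRUE:mailto:{attendee_addr}",
        f"SUMMARY:{summary}",
        f"DESCRIPTION:{description}",
        "END:VEVENT",
        "END:VCALENDAR",
    ])
    msg = EmailMessage(policy=policy.SMTP)  # CRLF line endings on the wire
    msg["From"] = from_header
    msg["To"] = attendee_addr
    msg["Subject"] = f"Invitation: {summary}"
    msg.set_content("You have been invited to a meeting.")
    # Content-Type: text/calendar; method=REQUEST is what clients key on.
    msg.add_alternative(ics, subtype="calendar", params={"method": "REQUEST"})
    return msg.as_bytes()


def _split_property(line):
    """Split an iCalendar content line into (name+params, value) at the first
    ':' that is not inside a double-quoted parameter value."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch == ":" and not quoted:
            return line[:i], line[i + 1:]
    return line, ""


def organizer_of(ics_text):
    """Return the ORGANIZER mailbox (lower-cased) from iCalendar text, or None."""
    # Unfold continuation lines (RFC 5545 section 3.1) before scanning.
    unfolded = ics_text.replace("\r\n", "\n").replace("\n ", "").replace("\n\t", "")
    for line in unfolded.split("\n"):
        name, value = _split_property(line)
        if name.split(";", 1)[0].upper() == "ORGANIZER":
            value = value.strip()
            if value.lower().startswith("mailto:"):
                value = value[len("mailto:"):]
            return value.lower()
    return None


def assess_invite(raw):
    """Parse a raw RFC 5322 message; report whether it is an auto-processable
    invite (text/calendar with METHOD:REQUEST) and whether the ORGANIZER
    disagrees with From:.  The mismatch is the signal a gateway should flag."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_addr = email.utils.parseaddr(str(msg["From"] or ""))[1].lower()
    method, organizer = "", None
    for part in msg.walk():
        if part.get_content_type() == "text/calendar":
            ics = part.get_content()
            method = (part.get_param("method") or "").upper()
            if not method:  # fall back to the METHOD property in the body
                for line in ics.splitlines():
                    if line.upper().startswith("METHOD:"):
                        method = line.split(":", 1)[1].strip().upper()
            organizer = organizer_of(ics)
            break
    return {
        "from": from_addr,
        "organizer": organizer,
        "auto_processable": method == "REQUEST",
        "organizer_mismatch": organizer is not None and organizer != from_addr,
    }


if __name__ == "__main__":
    raw = build_invite("Mallory <mallory@attacker.example>", "ceo@corp.example",
                       "victim@corp.example", "Quarterly review", "Please join")
    print(assess_invite(raw))
```

The check deliberately compares the ORGANIZER inside the calendar part with the From: header rather than trusting either alone: a client that adds the event on METHOD:REQUEST displays the ORGANIZER, while anti-spoofing controls such as SPF and DKIM are evaluated against the envelope and From: domain. Whether a particular client honours the mismatch is exactly what the talk examines; this code only makes it visible.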
