The calendar invite looked like an internal meeting request. The organizer field displayed a colleague's name and corporate email address at a cybersecurity vendor. The Zoom link included a meeting ID and passcode. It looked routine.
The SMTP sender was kp@onedot61[.]au, an Australian domain with no prior relationship to the organization. SPF passed. DKIM passed. ARC passed. Every authentication check confirmed the email was legitimately sent from onedot61[.]au. None of them checked whether the organizer field was telling the truth.
The Gap Between SMTP Authentication and Calendar Identity
The iCalendar format allows the ORGANIZER property to be set independently of the SMTP envelope. This means an attacker can authenticate a message through their own domain while setting the calendar organizer to any name and email address they choose. The recipient's calendar application displays the organizer identity, not the SMTP sender, making the impersonation invisible in the calendar UI.
In this case, the SMTP sender authenticated through onedot61[.]au, a domain registered through CyberCircle in Australia. The domain had valid SPF and DKIM records. ARC headers confirmed the authentication chain survived relay processing. But the organizer field displayed a different identity entirely: a real employee at the target organization, complete with the correct corporate email address.
The invite included a Zoom meeting link (us06web[.]zoom[.]us, Meeting ID 85802428869, Passcode 777167), a fillout[.]com form link, and a calendly[.]com scheduling link. Each of these is a legitimate platform. The Zoom link could host a real meeting controlled by the attacker. The form and scheduling links could serve as data collection or social engineering touchpoints. None of the embedded URLs would trigger reputation-based blocking.
Why Calendar Invites Are a Preferred Impersonation Vehicle
Calendar invites auto-populate in most email clients. They create calendar entries, generate reminder notifications, and display the organizer's name every time the recipient checks their schedule. Unlike a standard email that sits in an inbox, a calendar invite persists across multiple touchpoints in the victim's workflow.
The display name spoofing technique here was more effective than a standard email impersonation because the calendar interface presents the organizer as the meeting creator, not as a message sender. Recipients are accustomed to accepting calendar invites from colleagues without scrutinizing the underlying SMTP metadata.
The mismatch between the SMTP sender (kp@onedot61[.]au) and the organizer (an internal employee address) was the discriminating signal. This divergence is not normal in legitimate meeting workflows. Behavioral analysis that correlates sender reputation, first-time sender status, and organizer-SMTP alignment flagged the anomaly. Three mailboxes were quarantined before any recipient interacted with the Zoom link or embedded forms.
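The alignment check described above, written out as an added Python example (not code from the original write-up): it parses a constructed invite modelled on the one discussed, pulls the ORGANIZER address from the text/calendar part, and compares it with the SMTP sender that SPF/DKIM/ARC actually vouch for. The onedot61.au sender comes from the write-up; the organizer address, recipient domain and Authentication-Results line are constructed placeholders.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the invite in the write-up: SMTP sender is the
# onedot61.au address; the organizer is a placeholder for the spoofed employee.
RAW_INVITE = """\
Return-Path: <kp@onedot61.au>
From: "Pat Example" <kp@onedot61.au>
Authentication-Results: mx.example-corp.com; spf=pass; dkim=pass header.d=onedot61.au; arc=pass
Content-Type: text/calendar; method=REQUEST; charset=utf-8

BEGIN:VCALENDAR
METHOD:REQUEST
BEGIN:VEVENT
ORGANIZER;CN=Pat Example:mailto:pat.example@example-corp.com
SUMMARY:Sync
END:VEVENT
END:VCALENDAR
"""

def extract_organizer(msg):
    # mailto: address of the ORGANIZER property, after undoing RFC 5545 line folding.
    for part in msg.walk():
        if part.get_content_type() == "text/calendar":
            body = re.sub(r"\r?\n[ \t]", "", part.get_content())
            m = re.search(r"^ORGANIZER[^:]*:mailto:(\S+)", body, re.M | re.I)
            if m:
                return m.group(1).lower()
    return None

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def assess_invite(raw):
    # SPF/DKIM/ARC vouch for the SMTP domain only; compare it with the organizer the calendar UI shows.
    msg = email.message_from_string(raw, policy=policy.default)
    sender = parseaddr(msg.get("Return-Path") or msg.get("From", ""))[1].lower()
    organizer = extract_organizer(msg)
    auth = dict(re.findall(r"\b(spf|dkim|dmarc|arc)=(\w+)",
                           msg.get("Authentication-Results", "").lower()))
    findings = []
    if organizer and domain(organizer) != domain(sender):
        findings.append("organizer/smtp-sender domain mismatch")
    if findings and all(v == "pass" for v in auth.values()):
        findings.append("identity mismatch despite full authentication pass")
    return {"smtp_sender": sender, "organizer": organizer, "auth": auth,
            "findings": findings, "verdict": "quarantine" if findings else "allow"}
```

A production version would feed the verdict into the same first-time-sender and reputation scoring the text mentions; the mismatch alone is the discriminating signal.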
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| SMTP Sender | kp@onedot61[.]au | Australian domain, CyberCircle registrant |
| Sending Domain | onedot61[.]au | SPF/DKIM/ARC pass |
| Zoom Meeting | us06web[.]zoom[.]us / ID 85802428869 / Passcode 777167 | Attacker-controlled meeting room |
| Form Link | fillout[.]com | Data collection endpoint |
| Scheduling Link | calendly[.]com | Social engineering touchpoint |
| Auth Results | SPF: pass, DKIM: pass, ARC: pass | Full authentication for onedot61[.]au |
| Organizer Field | Internal employee name and email (spoofed) | SMTP-organizer identity mismatch |
MITRE ATT&CK Mapping
| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | Calendar invite with Zoom, form, and scheduling links |
| Impersonation | T1656 | Internal employee identity set in calendar organizer field |