The Calendar Invite Came From Australia. The Organizer Was Your Coworker.

Written by Audian Paxson | Mar 1, 2026 9:15:00 AM
TL;DR: A calendar invite sent from onedot61[.]au, an Australian domain registered through CyberCircle, passed SPF, DKIM, and ARC authentication. The organizer field displayed an internal employee's name and corporate email address at a cybersecurity vendor, creating the appearance of a legitimate meeting request from a colleague. The invite included a Zoom meeting link with a specific meeting ID and passcode, alongside links to fillout[.]com and calendly[.]com. The SMTP sender and the calendar organizer were entirely different identities. Three mailboxes quarantined the message based on behavioral signals.

Severity: High | Tags: Impersonation, Calendar Phishing | MITRE ATT&CK: T1566.002 (Phishing: Spearphishing Link), T1656 (Impersonation)

The calendar invite looked like an internal meeting request. The organizer field displayed a colleague's name and corporate email address at a cybersecurity vendor. The Zoom link included a meeting ID and passcode. It looked routine.

The SMTP sender was kp@onedot61[.]au, an Australian domain with no prior relationship to the organization. SPF passed. DKIM passed. ARC passed. Every authentication check confirmed the email was legitimately sent from onedot61[.]au. None of them checked whether the organizer field was telling the truth.

The Gap Between SMTP Authentication and Calendar Identity

The iCalendar format allows the ORGANIZER property to be set independently of the SMTP envelope. This means an attacker can authenticate a message through their own domain while setting the calendar organizer to any name and email address they choose. The recipient's calendar application displays the organizer identity, not the SMTP sender, making the impersonation invisible in the calendar UI.

In this case, the SMTP sender authenticated through onedot61[.]au, a domain registered through CyberCircle in Australia. The domain had valid SPF and DKIM records. ARC headers confirmed the authentication chain survived relay processing. But the organizer field displayed a different identity entirely: a real employee at the target organization, complete with the correct corporate email address.

The invite included a Zoom meeting link (us06web[.]zoom[.]us, Meeting ID 85802428869, Passcode 777167), a fillout[.]com form link, and a calendly[.]com scheduling link. Each of these is a legitimate platform. The Zoom link could host a real meeting controlled by the attacker. The form and scheduling links could serve as data collection or social engineering touchpoints. None of the embedded URLs would trigger reputation-based blocking.

Why Calendar Invites Are a Preferred Impersonation Vehicle

Calendar invites auto-populate in most email clients. They create calendar entries, generate reminder notifications, and display the organizer's name every time the recipient checks their schedule. Unlike a standard email that sits in an inbox, a calendar invite persists across multiple touchpoints in the victim's workflow.

The display name spoofing technique here was more effective than a standard email impersonation because the calendar interface presents the organizer as the meeting creator, not as a message sender. Recipients are accustomed to accepting calendar invites from colleagues without scrutinizing the underlying SMTP metadata.

The mismatch between the SMTP sender (kp@onedot61[.]au) and the organizer (an internal employee address) was the discriminating signal. This divergence is not normal in legitimate meeting workflows. Behavioral analysis that correlates sender reputation, first-time sender status, and organizer-SMTP alignment flagged the anomaly. Three mailboxes were quarantined before any recipient interacted with the Zoom link or embedded forms.
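The organizer-versus-sender comparison described above can be sketched in a few lines. This is an added example, not code from the original post or from the vendor's detection engine; the domains sender.example and corp.example, the function names, and the use of the From and Return-Path headers as a stand-in for the SMTP sender are assumptions made for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample (not the real invite); the ORGANIZER line is folded on purpose.
SAMPLE = """\
From: KP <kp@sender.example>
To: victim@corp.example
Return-Path: <kp@sender.example>
Content-Type: text/calendar; method=REQUEST; charset="utf-8"

BEGIN:VCALENDAR
METHOD:REQUEST
BEGIN:VEVENT
ORGANIZER;CN="Alex Colleague":mailto:alex.colleague@corp
 .example
END:VEVENT
END:VCALENDAR
"""

# ORGANIZER, optional ;PARAM=value pairs (values may be quoted), then the address.
ORG_RE = re.compile(r'^ORGANIZER((?:;[^;:"]+(?:"[^"]*")?)*):(?:mailto:)?(.+)$', re.I | re.M)

def domain(addr):
    return addr.rsplit("@", 1)[-1].strip().lower() if "@" in addr else ""

def organizers(msg):
    """Return the ORGANIZER address of every text/calendar part in the message."""
    found = []
    for part in msg.walk():
        if part.get_content_type() == "text/calendar":
            # RFC 5545 folding: a line break followed by space/tab continues the line.
            ics = re.sub(r"\r?\n[ \t]", "", part.get_content())
            found += [m.group(2).strip().lower() for m in ORG_RE.finditer(ics)]
    return found

def check_invite(raw, internal_domains):
    """Flag organizers whose domain matches none of the sender-side domains."""
    msg = email.message_from_string(raw, policy=policy.default)
    senders = {domain(parseaddr(str(msg.get(h, "")))[1]) for h in ("From", "Return-Path")} - {""}
    findings = []
    for org in organizers(msg):
        if domain(org) not in senders:
            internal = domain(org) in internal_domains
            kind = "internal-organizer-external-sender" if internal else "organizer-sender-mismatch"
            findings.append((kind, org, sorted(senders)))
    return findings

if __name__ == "__main__":
    print(check_invite(SAMPLE, {"corp.example"}))
```

Unfolding before matching matters: without it, a folded ORGANIZER line yields a truncated address and the domain comparison silently tests the wrong value.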

Indicators of Compromise

Type | Indicator | Context
SMTP Sender | kp@onedot61[.]au | Australian domain, CyberCircle registrant
Sending Domain | onedot61[.]au | SPF/DKIM/ARC pass
Zoom Meeting | us06web[.]zoom[.]us / ID 85802428869 / Passcode 777167 | Attacker-controlled meeting room
Form Link | fillout[.]com | Data collection endpoint
Scheduling Link | calendly[.]com | Social engineering touchpoint
Auth Results | SPF: pass, DKIM: pass, ARC: pass | Full authentication for onedot61[.]au
Organizer Field | Internal employee name and email (spoofed) | SMTP-organizer identity mismatch

MITRE ATT&CK Mapping

Technique | ID | Relevance
Phishing: Spearphishing Link | T1566.002 | Calendar invite with Zoom, form, and scheduling links
Impersonation | T1656 | Internal employee identity set in calendar organizer field

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.
