Phishing shifts to calendar invites and Microsoft Teams

Security researchers at KnowBe4 report phishing is spreading beyond email to include calendar invites and Microsoft Teams. The firm’s Phishing Threat Trends Report found a 49% increase in calendar-invite phishing and a 41% rise in Teams-based attacks between October 2025 and March 2026.

Calendar invites have been used to deliver malicious links or to prompt recipients to join fake meetings. KnowBe4 said attackers exploit automated calendar workflows and people’s habit of quickly accepting meeting requests.

Researchers found Microsoft Teams is being used both to initiate contact and to continue conversations started by email. Nearly 17.38% of Teams-based incidents involve multiple channels, the report states. Attackers frequently send an initial email and then follow up on Teams to validate identity and prompt action.

The report links part of the increase in Teams attacks to a “Chat with Anyone” feature that lets users start chats using an email address. Teams’ informal, fast pace can lead recipients to reply quickly, which researchers say attackers exploit.

Impersonation is a common tactic. Threat actors have posed as IT staff, human resources personnel and HR platforms such as Workday, company executives and finance team members to gain trust across platforms.

Jack Chapman, senior vice president of Threat Intelligence at KnowBe4, described the findings as showing ‘the inbox is no longer the only frontline for coordinated social engineering attacks.’ He warned social engineering is becoming more targeted, making it harder to tell legitimate messages from malicious ones.

KnowBe4 compiled the report from activity seen over the past year. The firm noted email remains a primary attack vector, but attackers are extending the attack chain across collaboration tools and calendar systems.