AI-Generated Calendar Event Phishing w/ Dynamic Landing Pages

It’s crazy how things come full circle more than a decade later.

About a decade ago, I got interested in calendar phishing after seeing Beau Bullock’s work at BHIS. Around that time, I built and shared some of my own Graph API scripts for calendar phishing, added support for it in my open source PhishAPI tool, and even introduced the idea to KnowBe4 so they could eventually bring it into phishing training for clients (which Kevin Mitnick himself used Beau's command-line tool to demonstrate).

I brought it to their attention at a client’s request after using the technique successfully on them, during a time when calendar phishing was still largely overlooked as a real-world attack path.

Back then, it was still niche enough that plenty of defenders were not thinking about calendar invites as a phishing channel at all.

More than a decade later, I’m still refining the concept, now as part of the commercial PhishU Framework.

I’m happy to say the Framework fully supports Calendar Event phishing again, but now in a much more usable way:

· Native calendar event workflow
· Simple WYSIWYG w/ AI-generated timing suggestions and content
· As easy as selecting the Calendar Event template
· Automatically tied into training when used in a campaign

It’s built for red teams and security teams that want realistic phishing assessments, including credential and session capture paths, not just allow-list-only email testing.

submitted by /u/IndySecMan

OAuth Consent and Device Code Phishing for Red Teams

Due to the increasing trend of OAuth abuse in phishing and most users' lack of understanding between Device Code and OAuth App Consent phishing, I just added them to the PhishU Framework. Now with a quick, two-step process, red teams and internal orgs can leverage the templates to train users for this very real-world attack.

Check out the blog for details at https://phishu.net/blogs/blog-microsoft-entra-device-code-phishing-phishu-framework.html if interested!

submitted by /u/IndySecMan