Overview
Attackers use calendar invites to deliver phishing links and unwanted meetings that bypass email-only defenses — the invite lands on a user’s calendar even after the message is removed from the inbox. When Ocean blocks an email that carries a calendar invite (.ics attachment), it also remediates the corresponding event on the recipient’s primary calendar.
| Provider | Delete invite | Restore invite |
|---|---|---|
| Google Workspace | Yes | Yes (within 30 days) |
| Microsoft 365 | Yes | Not supported |
Calendar invite remediation runs automatically alongside email remediation — no separate policy to configure. It applies only when the underlying email’s verdict is non-graymail (i.e., classified as malicious or spam, not bulk/marketing mail).
What to Know
- Follows the email verdict. If the email is blocked, the invite is deleted. If the email is released on Google, the invite is re-created.
- Primary calendar only. Secondary and subscribed calendars are not touched.
- Attendees are not notified. Ocean suppresses provider-side cancellation emails so the sender cannot infer the recipient is protected.
- 30-day restore window on Google. Cancelled events are permanently removed after 30 days; later restore attempts complete without re-creating the event.
- Microsoft deletions are irreversible. Microsoft Graph does not expose a restore endpoint for deleted calendar events. Releasing the email restores the inbox message but not the calendar event.
Required Permissions
These scopes are included in Ocean’s standard read-only and read/write scope sets.Microsoft 365
Calendars.Read— locate the event by iCalUID (read-only integration).Calendars.ReadWrite— delete the event (read/write integration).
Google Workspace
https://www.googleapis.com/auth/calendar.readonly— locate the event by iCalUID (read-only integration).https://www.googleapis.com/auth/calendar.events— delete and restore the event (read/write integration).