Agent Foskett • Calendar Invite Scam • Fake Subscription Renewal

The Invoice Wasn't An Email. It Was A Calendar Invite

The message claimed I had been charged.

The amount was $473.00 USD.

The sender wanted me to panic and call support.

Then the real trick showed itself.

It was not just an email. It was a calendar invitation.

Briefing summary

A fake Avast renewal notice claimed a 4 year membership had renewed for $473.00 USD. The scam used a calendar invitation, hidden guest list, panic billing language and phone numbers as the attack path.

Claimed brand: Avast One
Fake amount: $473.00 USD
Delivery method: calendar invite
Real objective: make the victim call
🕵️ The invoice wasn't hiding in an attachment. It was sitting in the calendar.
The attacker moved the scam into a place users do not always treat like email: the meeting invite.

What made the invitation suspicious

The message looked like a normal renewal confirmation, but the evidence did not line up. It claimed to be Avast, used a large billing amount, pushed the recipient toward phone support and arrived from an unrelated organiser.
The organiser was not Avast: The calendar organiser was Almead Yasin using almeadyasin@nbnfts.com. That domain has no visible connection to Avast.
The amount created panic: The fake $473.00 USD charge was designed to trigger an emotional response: call now, cancel now, fix it now.
The invite bypassed expectations: Most users expect phishing in email. Fewer expect the scam payload to appear as a calendar event with reminders and RSVP buttons.

The calendar invite was the lure

The event title said Renewal Confirmed | Amount: $473.00 USD. The description included fake billing details, fake support numbers, a fake product name and a fake subscription renewal message.
What it was trying to do

The invite wanted the recipient to see the charge first and the sender second. The calendar reminder added pressure by making the fake renewal feel scheduled, official and time sensitive.

Fake Avast One renewal
4 year membership claim
Phone numbers placed in the body
Guest list hidden by organiser
Fake transaction details: The invite included a date, client ID, value number and product key to make the scam look administrative.
Phone support trap: The attacker did not need the recipient to pay through the email. They needed the recipient to call the number.
Calendar reminder pressure: A calendar event can generate reminders, sit beside real meetings and look more trusted than a normal spam message.

Agent Foskett translation

The invitation said:
“Your Avast subscription has renewed.”
What I read was: “Please call this number so we can turn a fake invoice into a real compromise.”

The real objective

The scam was not really about Avast. It was about getting the victim onto the phone. Once a victim calls, the attacker can move from fake billing into remote access, card theft, bank theft or Microsoft 365 credential theft.
Remote access risk: The scammer may ask the victim to install remote support software so they can “cancel” the fake charge.
Payment data theft: The scammer may request card details, banking details or a fake refund process.
Credential theft: The scammer may steer the victim toward signing in, sharing codes or handing over Microsoft 365 access.

First hunt: find renewal and invoice lures

Start by searching for subjects commonly used in fake renewal, antivirus subscription, payment and invoice scams.
renewal-invoice-lure-hunt.kql
EmailEvents
| where Timestamp > ago(30d)
| where Subject has_any (
    "Renewal Confirmed",
    "Subscription Renewed",
    "Invoice",
    "Payment Received",
    "Avast",
    "Norton",
    "McAfee"
)
| project Timestamp,
          SenderFromAddress,
          SenderMailFromAddress,
          RecipientEmailAddress,
          Subject,
          DeliveryAction,
          ThreatTypes,
          NetworkMessageId
| order by Timestamp desc
What to review: Look for unknown senders, unexpected brands, large dollar amounts, phone numbers and subjects designed to create panic.
Why it matters: Fake renewal scams rely on speed. They want the victim to react before checking the account directly.
Best next pivot: Use NetworkMessageId to pivot into URLs, attachments, clicks, post-delivery actions and related messages.

Second hunt: find phone number support lures

Phone numbers in unexpected invoices are often the real payload. The email or invite simply creates the reason to call.
phone-number-support-lure.kql
EmailEvents
| where Timestamp > ago(30d)
| where Subject has_any ("Renewal", "Invoice", "Payment", "Subscription", "Order")
| where AdditionalFields has_any ("Customer Service", "Support", "Hotline", "+1", "cancel")
| project Timestamp,
          SenderFromAddress,
          SenderMailFromAddress,
          RecipientEmailAddress,
          Subject,
          AdditionalFields,
          NetworkMessageId
| order by Timestamp desc

Third hunt: review calendar-style delivery clues

Calendar invitations can appear as email messages with meeting request behaviour. Look for renewal or invoice wording and then inspect the message source, attachment details and calendar-related fields available in your environment.
calendar-invite-renewal-review.kql
EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection == "Inbound"
| where Subject has_any ("Renewal Confirmed", "Amount", "Subscription", "Invoice")
| project Timestamp,
          SenderFromAddress,
          SenderMailFromAddress,
          RecipientEmailAddress,
          Subject,
          DeliveryAction,
          ThreatTypes,
          NetworkMessageId
| order by Timestamp desc

Why calendar invite scams work

Attackers know people are becoming more suspicious of email, so they move the same scam into other business workflows. The attack does not change. Only the delivery method does.
They appear beside real meetings: A malicious invitation can sit in Outlook or Google Calendar near legitimate work appointments.
They generate reminders: The reminder can make the fake billing notice feel current, urgent and harder to ignore.
They feel less like spam: Users often apply email suspicion to email, but not always to calendar entries, Teams messages, QR codes or shared file alerts.

The Agent Foskett investigator mindset

Do not ask only whether the message looks legitimate. Ask who sent it, why it arrived this way, what action it wants, and whether the sender matches the story.
Start with identity: The claimed brand was Avast. The organiser was not Avast. That was the first crack in the story.
Challenge the urgency: Large dollar amounts, fake renewals and cancellation pressure are designed to stop the recipient thinking clearly.
Trust the telemetry: The body can tell one story. The sender, message path and delivery evidence often tell another.
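
The identity and urgency checks above, applied to an invite's iCalendar source, as an added example that is not part of the original article. The sample invite is constructed (the phone number is an invented placeholder), and the `BRAND_DOMAINS` allow-list and the function names are assumptions.

```python
import re

# Constructed invite modelled on the lure above. Organiser and title come from
# the article; the phone number is an invented placeholder.
SAMPLE_ICS = """BEGIN:VCALENDAR
BEGIN:VEVENT
SUMMARY:Renewal Confirmed | Amount: $473.00 USD
ORGANIZER;CN=Almead Yasin:mailto:almeadyasin@nbnfts.com
DESCRIPTION:Your Avast One 4 year membership has renewed.\\nTo cancel call
  Customer Service +1 (555) 010-0199
END:VEVENT
END:VCALENDAR
"""

# Assumed brand -> sending-domain allow-list; replace with domains you have verified.
BRAND_DOMAINS = {"avast": {"avast.com"}, "norton": {"norton.com"}, "mcafee": {"mcafee.com"}}
PHONE = re.compile(r"\+?\d[\d\s().-]{8,}\d")      # loose heuristic, expect some noise
AMOUNT = re.compile(r"[$€£]\s?\d[\d,]*\.\d{2}")

def parse_event(ics):
    """Unfold RFC 5545 lines and collect the first VEVENT's properties."""
    text = re.sub(r"\r?\n[ \t]", "", ics)  # a folded line continues after newline + one space/tab
    props, inside = {}, False
    for line in text.splitlines():
        if line == "BEGIN:VEVENT":
            inside = True
        elif line == "END:VEVENT":
            break
        elif inside and ":" in line:
            name, value = line.split(":", 1)  # simplification: no ':' inside quoted parameters
            props.setdefault(name.split(";")[0].upper(), []).append(value)
    return props

def triage(ics):
    """Return findings for the indicators the article names."""
    ev = parse_event(ics)
    body = " ".join(ev.get("SUMMARY", []) + ev.get("DESCRIPTION", [])).replace("\\n", " ")
    organiser = ev.get("ORGANIZER", [""])[0].lower().removeprefix("mailto:")
    domain = organiser.rpartition("@")[2]
    findings = []
    for brand, allowed in BRAND_DOMAINS.items():
        trusted = any(domain == d or domain.endswith("." + d) for d in allowed)
        if brand in body.lower() and not trusted:
            findings.append(f"brand_mismatch:{brand}:{domain}")
    if AMOUNT.search(body):
        findings.append("billing_amount")
    if PHONE.search(body):
        findings.append("phone_number")
    return findings
```

Calling `triage(SAMPLE_ICS)` reports the brand mismatch, the billing amount and the phone number. An invite with none of these traits returns an empty list.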

How GEMXIT approaches phishing investigations

GEMXIT helps organisations investigate phishing, invoice scams, calendar invite abuse and suspicious Microsoft 365 activity using Microsoft Defender XDR, Defender for Office 365, Microsoft Sentinel and KQL.
We review message evidence: Sender identity, authentication results, URLs, attachments, delivery actions and post-delivery changes all matter.
We build practical KQL hunts: We help teams turn suspicious emails and calendar invites into repeatable searches across Microsoft Defender telemetry.
We improve awareness: We help users recognise that scams can arrive as emails, calendar invitations, QR codes, Teams messages and shared document alerts.
The invoice was fake. The calendar reminder was real.
GEMXIT helps organisations investigate phishing emails, calendar invite scams, Microsoft Defender XDR telemetry, email authentication, KQL and real-world attack paths.

Final thought

The invoice was not real.

The subscription was not real.

The calendar reminder was not real.

The phone numbers were.

And that is exactly what the scammers wanted you to notice.

The logs already knew.
At GEMXIT: We help organisations investigate Microsoft Defender XDR, Defender for Office 365, Microsoft Sentinel, email authentication, phishing campaigns and KQL threat hunting workflows.
Agent Foskett mindset: The question is not only: “Does this look familiar?”

It is: “Who actually sent it, and why does it want me to act now?”

This Agent Foskett investigation explains how a fake Avast renewal scam used a Google calendar invitation, a $473 USD billing lure, hidden guest list behaviour and phone numbers to create urgency.

Fake renewal invoices and calendar invite phishing

Calendar invite scams work because users may trust meeting invitations more than email. Security investigations should compare the claimed brand, actual sender, organiser, subject, delivery action, phone number lures and message telemetry.