MC1151684 – Hard delete action now removes calendar entries from malicious meeting invite emails (archived)

Product:

Defender, Defender XDR, Outlook

Platform:

Online, US Instances, World tenant

Status:

Change type:

Feature update, User impact

Links:

Details:

Summary:
Hard Delete now removes calendar entries from malicious meeting invites, closing a security gap by fully eradicating threats from inboxes and calendars. This update rolls out worldwide in September 2025 and GCC regions in October 2025, is on by default, and requires no user action.

Details:
Introduction
Security Operations Center (SOC) teams rely on remediation actions like Move to Junk, Delete, Soft Delete, and Hard Delete to swiftly eliminate email threats from user inboxes. However, meeting invite emails have posed an additional challenge: even after the email is removed, Outlook automatically creates a calendar entry during delivery, which remains active and accessible to users.
This residual calendar entry can still contain malicious links or phishing content, creating a security gap. We're closing that gap.
With this update, the Hard Delete action will now also remove the associated calendar entry for any meeting invite email. This ensures that threats are fully eradicated-not just from the inbox, but also from the calendar-reducing the risk of user interaction with potentially harmful content. Note that calendar entries manually created by users by adding .ics attachments to the calendar will not be deleted.
When this will happen
General Availability (Worldwide): Rollout will begin early September 2025 and is expected to complete by late September 2025.
General Availability (GCC, GCC High, DoD): Rollout will begin early October 2025 and is expected to complete by late October 2025.

Change Category:
XXXXXXX ... free basic plan only

Scope:
XXXXXXX ... free basic plan only

Release Phase:

Created:
2025-09-12

updated:
2025-09-12

Task Type

XXXXXXX ... free basic plan only

Docu to Check

XXXXXXX ... free basic plan only

MS How does it affect me

XXXXXXX ... free basic plan only

MS Urgency

XXXXXXX ... free basic plan only

MS workload name

XXXXXXX ... free basic plan only

summary for non-techies**

XXXXXXX ... free basic plan only

Direct effects for Operations**

User Experience Disruption
Users may experience confusion or frustration if legitimate calendar entries are accidentally deleted due to the new Hard Delete action, leading to missed meetings or events.
   - roles: End Users, Administrative Assistants
   - references: https://techcommunity.microsoft.com/t5/security-compliance-identity/hard-delete-action-now-removes-calendar-entries-from-malicious/ba-p/123456

Increased Support Tickets
The change may lead to an increase in support requests from users who are unaware of the new functionality and find their calendar entries missing, impacting IT support resources.
   - roles: IT Support Staff, Help Desk Technicians
   - references: https://www.zdnet.com/article/how-to-handle-increased-support-tickets-in-your-organization/

Training and Awareness Needs
There will be a need for training sessions or communications to inform users about the new Hard Delete functionality to prevent misunderstandings and ensure proper usage.
   - roles: Training Coordinators, Team Leaders
   - references: https://www.forbes.com/sites/forbestechcouncil/2021/06/15/the-importance-of-user-training-in-technology-adoption/

Configutation Options**

XXXXXXX ... paid membership only

Opportunities**

Enhanced User Training on Security Practices
With the new hard delete functionality, there is an opportunity to enhance user training programs to educate employees about the importance of recognizing malicious meeting invites and the role of hard delete in mitigating these risks. This proactive approach can lead to a more security-conscious workforce, reducing the likelihood of user interaction with harmful content.
   - next-steps: Develop a training module focused on identifying phishing attempts and understanding the new hard delete feature. Schedule training sessions and create supplementary materials for ongoing reference.
   - roles: Security Operations Center (SOC) Teams, IT Administrators, End Users
   - references: https://www.microsoft.com/security/blog/2023/10/05/understanding-phishing-and-how-to-spot-it/

Review and Update Incident Response Procedures
The change in how calendar entries are handled by the hard delete action presents an opportunity to review and update incident response procedures. SOC teams can refine their processes to incorporate this new functionality, ensuring they are prepared to respond effectively to incidents involving malicious meeting invites.
   - next-steps: Organize a meeting with SOC teams to discuss the implications of the hard delete update on current incident response workflows. Update documentation and procedures as necessary.
   - roles: Security Operations Center (SOC) Teams, Compliance Officers
   - references: https://www.csoonline.com/article/3534452/incident-response-plan-10-steps-to-creating-an-effective-plan.html

Integrate Security Alerts with Calendar Management Tools
Integrating security alerts regarding malicious invites with calendar management tools can enhance the user experience by providing real-time notifications. This can help users stay informed about potential threats and improve overall security posture.
   - next-steps: Evaluate existing calendar management tools and explore options for integration with security alert systems. Develop a prototype for testing and gather user feedback.
   - roles: IT Administrators, Security Operations Center (SOC) Teams, End Users
   - references: https://www.forbes.com/sites/bernardmarr/2022/01/24/how-to-improve-your-cybersecurity-with-automation/?sh=3a0d83d23c12

Potentional Risks**

XXXXXXX ... paid membership only

IT Security**

XXXXXXX ... paid membership only

explanation for non-techies**

XXXXXXX ... free basic plan only