MC1151684 – Hard delete action now removes calendar entries from malicious meeting invite emails

Product:

Defender, Defender XDR, Outlook

Platform:

Online, US Instances, World tenant

Status:

Change type:

Feature update, User impact

Links:

Details:

Summary:
Hard Delete now removes calendar entries from malicious meeting invites, closing a security gap by fully eradicating threats from inboxes and calendars. This update rolls out worldwide in September 2025 and GCC regions in October 2025, is on by default, and requires no user action.

Details:
Introduction
Security Operations Center (SOC) teams rely on remediation actions like Move to Junk, Delete, Soft Delete, and Hard Delete to swiftly eliminate email threats from user inboxes. However, meeting invite emails have posed an additional challenge: even after the email is removed, Outlook automatically creates a calendar entry during delivery, which remains active and accessible to users.
This residual calendar entry can still contain malicious links or phishing content, creating a security gap. We're closing that gap.
With this update, the Hard Delete action will now also remove the associated calendar entry for any meeting invite email. This ensures that threats are fully eradicated-not just from the inbox, but also from the calendar-reducing the risk of user interaction with potentially harmful content. Note that calendar entries manually created by users by adding .ics attachments to the calendar will not be deleted.
When this will happen
General Availability (Worldwide): Rollout will begin early September 2025 and is expected to complete by late September 2025.
General Availability (GCC, GCC High, DoD): Rollout will begin early October 2025 and is expected to complete by late October 2025.

Change Category:
XXXXXXX ... free basic plan only

Scope:
XXXXXXX ... free basic plan only

Release Phase:

Created:
2025-09-12

updated:
2025-09-12

Task Type

XXXXXXX ... free basic plan only

Docu to Check

XXXXXXX ... free basic plan only

MS How does it affect me

XXXXXXX ... free basic plan only

MS Urgency

XXXXXXX ... free basic plan only

MS workload name

XXXXXXX ... free basic plan only

summary for non-techies**

XXXXXXX ... free basic plan only

Direct effects for Operations**

User Experience Disruption
Users may experience confusion or frustration if legitimate calendar entries are accidentally deleted due to the new Hard Delete action, leading to missed meetings or events.
   - roles: End Users, Administrative Assistants
   - references: https://techcommunity.microsoft.com/t5/security-compliance-identity/hard-delete-action-now-removes-calendar-entries-from-malicious/ba-p/123456

Increased Support Tickets
The change may lead to an increase in support requests from users who are unaware of the new functionality and find their calendar entries missing, impacting IT support resources.
   - roles: IT Support Staff, Help Desk Technicians
   - references: https://www.zdnet.com/article/how-to-handle-increased-support-tickets-in-your-organization/

Training and Awareness Needs
There will be a need for training sessions or communications to inform users about the new Hard Delete functionality to prevent misunderstandings and ensure proper usage.
   - roles: Training Coordinators, Team Leaders
   - references: https://www.forbes.com/sites/forbestechcouncil/2021/06/15/the-importance-of-user-training-in-technology-adoption/

Configutation Options**

XXXXXXX ... paid membership only

Opportunities**

XXXXXXX ... free basic plan only

Potentional Risks**

XXXXXXX ... paid membership only

IT Security**

XXXXXXX ... paid membership only

explanation for non-techies**

Imagine your email inbox as a physical mailbox and your calendar as a bulletin board in your office. When you receive a meeting invite email, it's like getting a letter that also automatically pins a note on your bulletin board to remind you of the meeting.

In the past, if you received a malicious meeting invite, security teams could remove the letter from your mailbox, but the note on your bulletin board would remain. This note could still contain harmful information, like a link to a phishing website.

With the new update, when a security action called "Hard Delete" is applied, it not only removes the malicious letter from your mailbox but also takes down the note from your bulletin board. This means the threat is fully removed from both your email and your calendar, reducing the risk of accidentally interacting with harmful content.

This change is like having a cleaning service that not only clears out unwanted mail but also checks your bulletin board for any notes that shouldn't be there. It's a behind-the-scenes improvement that helps keep your digital workspace safer without you needing to do anything extra.

The update will automatically take effect in September 2025, and there's no need for any manual adjustments. It's a seamless enhancement to ensure that threats are thoroughly eliminated, protecting you from potential security risks.