MC1151684 - Hard delete action now removes calendar entries from malicious meeting invite emails

Introduction
Security Operations Center (SOC) teams rely on remediation actions like Move to Junk, Delete, Soft Delete, and Hard Delete to swiftly eliminate email threats from user inboxes. However, meeting invite emails have posed an additional challenge: even after the email is removed, Outlook automatically creates a calendar entry during delivery, which remains active and accessible to users.

This residual calendar entry can still contain malicious links or phishing content, creating a security gap. We’re closing that gap.

With this update, the Hard Delete action will now also remove the associated calendar entry for any meeting invite email. This ensures that threats are fully eradicated—not just from the inbox, but also from the calendar—reducing the risk of user interaction with potentially harmful content. Note that calendar entries manually created by users by adding .ics attachments to the calendar will not be deleted.

When this will happen

• General Availability (Worldwide): Rollout will begin early September 2025 and is expected to complete by late September 2025.
• General Availability (GCC, GCC High, DoD): Rollout will begin early October 2025 and is expected to complete by late October 2025.

How this affects your organization
Hard Delete actions will now automatically remove calendar entries created by malicious meeting invite emails. This reduces the risk of user interaction with phishing links or harmful content that may persist in calendar entries. Deleted calendar entries can only be recreated by resending the invite or manually by the user.

This change is on by default and requires no configuration.

What you can do to prepare
No action is required. We recommend informing SOC teams and security administrators of this enhancement to ensure awareness and alignment with incident response procedures.

Compliance considerations