Blocking Zoom Webinar Spam with Microsoft 365 Mail Flow Rules
Over the past several months, I’ve observed a growing trend: guerrilla marketers are exploiting Zoom’s webinar infrastructure to distribute unsolicited meeting invites. These messages often include calendar invites for webinars I never registered for and are sent through Zoom’s legitimate infrastructure using SendGrid. They typically follow a predictable pattern — three near-identical updates per webinar, each landing in both my inbox and calendar.
Despite having contacted Zoom about this abuse, these campaigns persist. Since these marketers are technically paying Zoom customers, their use of the platform appears to bypass traditional abuse enforcement mechanisms. Consequently, I needed to implement a local, tenant-level defense strategy using Exchange Online Protection (EOP) in my Microsoft 365 environment.
This post outlines how to identify and block these messages at the mail transport layer using Microsoft 365 Premium features, specifically server-side mail flow rules.
How the Abuse Works
These messages are:
- Sent from no-reply@zoom.us, using SendGrid’s infrastructure (bounce-sg.zoom.us)
- SPF, DKIM, and DMARC all pass, making them appear legitimate
- Often include misleading Reply-To: fields pointing to personal Gmail addresses
- Exploit the automatic calendaring features of Outlook and Exchange
- Target my well-known public alias (ken@example.com) rather than my primary email address that I use for legitimate Zoom webinars
While they technically pass authentication, their behavioral pattern is clearly spammy and abusive.
Why Outlook Rules Don’t Work
Outlook client-side rules are insufficient because:
- They only work per client/device
- They’re not enforced server-side
- They can’t inspect message headers or authentication metadata
- They don’t prevent calendar entries from being created
Instead, we need a solution that operates before the message hits the inbox or calendar.
Solution: Exchange Online Mail Flow Rule
The most effective solution is to create a transport rule in the Exchange Admin Center. This rule will block messages that:
- Originate from zoom.us
- Are addressed to the alias ken@example.com
Here’s how to implement it:
Step 1: Go to Exchange Admin Center
Navigate to:
- Microsoft 365 Admin Center → Exchange Admin Center
- Select Mail Flow → Rules
- Click + Add a rule → Create a new rule
Step 2: Define the Rule
Name: Block Unsolicited Zoom Webinar Spam to Alias
Apply this rule if:
- The sender’s domain is zoom.us
- The recipient is exactly ken@example.com
Do the following:
- Delete the message without notifying anyone
Additional settings:
- Stop processing more rules
- Activate immediately
Example Rule Logic (Pseudocode)
IF sender domain is "zoom.us"
AND recipient is "ken@example.com"
THEN delete message silently
This ensures that any Zoom-based message aimed at the alias — legitimate or not — will be dropped before delivery, bypassing inbox and calendar impact.
Optional: Quarantine for Review
If you prefer to inspect these messages first:
- Change the action to redirect to hosted quarantine
- Enable admin notifications for new quarantined messages
This gives you a chance to review for false positives or track evolving tactics.
Final Notes
- This method works because the campaigns consistently use the same sender domain and target a predictable alias.
- You can expand the rule to also check for suspicious Reply-To: values or abuse-specific headers.
- This won’t stop Zoom from being abused at a platform level, but it will stop the spam from reaching you.
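The rule from Step 2, with the quarantine option and a Reply-To check as switches, written as an added Exchange Online PowerShell example (not part of the original post). It assumes the ExchangeOnlineManagement module is installed; admin@example.com is a placeholder account, and the Gmail Reply-To pattern is an assumption based on the messages described above.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module is installed and the account can manage mail flow rules.
param(
    [string]$Alias = 'ken@example.com',      # alias named in the post
    [string]$Admin = 'admin@example.com',    # placeholder admin account
    [switch]$QuarantineInstead,              # "Optional: Quarantine for Review"
    [switch]$RequireGmailReplyTo             # assumption: narrow to Gmail Reply-To
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $Admin

$ruleName = 'Block Unsolicited Zoom Webinar Spam to Alias'

# Do not create a duplicate if the rule already exists.
if (Get-TransportRule | Where-Object { $_.Name -eq $ruleName }) {
    Write-Warning "Rule '$ruleName' already exists; review it with Get-TransportRule."
    return
}

# Conditions and settings from Step 2.
$rule = @{
    Name               = $ruleName
    SenderDomainIs     = 'zoom.us'
    SentTo             = $Alias
    StopRuleProcessing = $true
    Mode               = 'Enforce'
    Enabled            = $true
}

# Action: silent delete (default) or hosted quarantine for review.
if ($QuarantineInstead) { $rule.Quarantine = $true } else { $rule.DeleteMessage = $true }

# Optional extra condition: Reply-To header points at a Gmail address.
if ($RequireGmailReplyTo) {
    $rule.HeaderMatchesMessageHeader = 'Reply-To'
    $rule.HeaderMatchesPatterns      = 'gmail\.com'
}

New-TransportRule @rule

# Confirm what was created.
Get-TransportRule -Identity $ruleName | Format-List Name, State, Mode, Priority
```

With -RequireGmailReplyTo the rule is narrower than the one in Step 2: Zoom mail to the alias with any other Reply-To value is delivered.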
Closing Thoughts
Guerrilla marketing via calendar invites is an increasingly common abuse pattern. When infrastructure providers fail to act, defenders must build targeted countermeasures. By leveraging Microsoft’s robust mail flow rule system, we can reclaim control over our inbox and calendars.
If you’re seeing similar activity in your tenant or have developed another approach, I’d love to hear about it.