Blocking Zoom Webinar Spam with Microsoft 365 Mail Flow Rules

Over the past several months, I’ve observed a growing trend: guerrilla marketers are exploiting Zoom’s webinar infrastructure to distribute unsolicited meeting invites. These messages often include calendar invites for webinars I never registered for and are sent through Zoom’s legitimate infrastructure using SendGrid. They typically follow a predictable pattern — three near-identical updates per webinar, each landing in both my inbox and calendar.

Despite having contacted Zoom about this abuse, these campaigns persist. Since these marketers are technically paying Zoom customers, their use of the platform appears to bypass traditional abuse enforcement mechanisms. Consequently, I needed to implement a local, tenant-level defense strategy using Exchange Online Protection (EOP) in my Microsoft 365 environment.

This post outlines how to identify and block these messages at the mail transport layer using Microsoft 365 Premium features, specifically server-side mail flow rules.

How the Abuse Works

These messages are:

• Sent from no-reply@zoom.us, using SendGrid’s infrastructure (bounce-sg.zoom.us)
• SPF, DKIM, and DMARC all pass, making them appear legitimate
• Often include misleading Reply-To: fields pointing to personal Gmail addresses
• Exploit the automatic calendaring features of Outlook and Exchange
• Target my well-know public alias (ken@example.com) rather than my primary email address that I use for legitimate zoom webinars

While they technically pass authentication, their behavioral pattern is clearly spammy and abusive.

Why Outlook Rules Don’t Work

Outlook client-side rules are insufficient because:

• They only work per client/device
• They’re not enforced server-side
• They can’t inspect message headers or authentication metadata
• They don’t prevent calendar entries from being created

Instead, we need a solution that operates before the message hits the inbox or calendar.

Solution: Exchange Online Mail Flow Rule

The most effective solution is to create a transport rule in the Exchange Admin Center. This rule will block messages that:

• Originate from zoom.us
• Are addressed to the alias ken@example.com

Here’s how to implement it:

Step 1: Go to Exchange Admin Center

Navigate to:

• Microsoft 365 Admin Center → Exchange Admin Center
• Select Mail Flow → Rules
• Click + Add a rule → Create a new rule

Step 2: Define the Rule

Name:
Block Unsolicited Zoom Webinar Spam to Alias

Apply this rule if:

• The sender’s domain is zoom.us
• The recipient is exactly ken@example.com

Do the following:

• Delete the message without notifying anyone

Additional settings:

• Stop processing more rules
• Activate immediately

Example Rule Logic (Pseudocode)

IF sender domain is "zoom.us"
AND recipient is "ken@example.com"
THEN delete message silently

This ensures that any Zoom-based message aimed at the alias — legitimate or not — will be dropped before delivery, bypassing inbox and calendar impact.

Optional: Quarantine for Review

If you prefer to inspect these messages first:

• Change the action to redirect to hosted quarantine
• Enable admin notifications for new quarantined messages

This gives you a chance to review for false positives or track evolving tactics.

Final Notes

• This method works because the campaigns consistently use the same sender domain and target a predictable alias.
• You can expand the rule to also check for suspicious Reply-To: values or abuse-specific headers.
• This won’t stop Zoom from being abused at a platform level — but it will stop the spam from reaching you.

Closing Thoughts

Guerrilla marketing via calendar invites is an increasingly common abuse pattern. When infrastructure providers fail to act, defenders must build targeted countermeasures. By leveraging Microsoft’s robust mail flow rule system, we can reclaim control over our inbox and calendars.

If you’re seeing similar activity in your tenant or have developed another approach, I’d love to hear about it.