Over the past several months, I’ve observed a growing trend: guerrilla marketers are exploiting Zoom’s webinar infrastructure to distribute unsolicited meeting invites. These messages often include calendar invites for webinars I never registered for and are sent through Zoom’s legitimate infrastructure using SendGrid. They typically follow a predictable pattern — three near-identical updates per webinar, each landing in both my inbox and calendar.
Despite having contacted Zoom about this abuse, these campaigns persist. Since these marketers are technically paying Zoom customers, their use of the platform appears to bypass traditional abuse enforcement mechanisms. Consequently, I needed to implement a local, tenant-level defense strategy using Exchange Online Protection (EOP) in my Microsoft 365 environment.
This post outlines how to identify and block these messages at the mail transport layer using Microsoft 365 Premium features, specifically server-side mail flow rules.
How the Abuse Works
These messages are:
- Sent from no-reply@zoom.us, using SendGrid’s infrastructure (bounce-sg.zoom.us)
- SPF, DKIM, and DMARC all pass, making them appear legitimate
- Often include misleading Reply-To: fields pointing to personal Gmail addresses
- Exploit the automatic calendaring features of Outlook and Exchange
- Target my well-known public alias (ken@example.com) rather than my primary email address that I use for legitimate Zoom meetings
- Have since expanded to other meeting platforms, including GoToMeeting (gotomeeting.com, goto.com), using identical tactics
While they technically pass authentication, their behavioral pattern is clearly spammy and abusive.
Why Outlook Rules Don’t Work
Outlook client-side rules are insufficient because:
- They only work per client/device
- They’re not enforced server-side
- They can’t inspect message headers or authentication metadata
- They don’t prevent calendar entries from being created
Instead, we need a solution that operates before the message hits the inbox or calendar.
Solution: Exchange Online Mail Flow Rule
The most effective solution is to create a transport rule in the Exchange Admin Center. This rule will block messages that:
- Originate from zoom.us, gotomeeting.com, goto.com, or logmein.com
- Are addressed to the public alias (ken@example.com in these examples)
Here’s how to implement it:
Step 1: Go to Exchange Admin Center
Navigate to:
- Microsoft 365 Admin Center → Exchange Admin Center
- Select Mail Flow → Rules
- Click + Add a rule → Create a new rule
Step 2: Define the Rule
Name: Block Unsolicited Zoom Webinar Spam to Alias
Apply this rule if:
- The sender’s domain is zoom.us, gotomeeting.com, goto.com, or logmein.com
- The recipient address contains example.com (your alias domain)
Do the following:
- Delete the message without notifying anyone
Additional settings:
- Stop processing more rules
- Activate immediately
Step 3: Implement via PowerShell (Recommended)
The Exchange Admin Center GUI works, but PowerShell gives you a more reliable condition. Rather than matching the resolved recipient address (which Exchange may expand to the primary mailbox before evaluation), the PowerShell approach checks the raw To: header directly. This guarantees the rule fires only when the message was addressed to the alias domain, not when it was sent to your primary address.
Prerequisites: ExchangeOnlineManagement module installed; Exchange Administrator role.
```powershell
# Connect to Exchange Online
Connect-ExchangeOnline -UserPrincipalName admin@yourdomain.com

# Check for and remove any existing broad rule first
Get-TransportRule | Select-Object Name, Priority | Format-Table
# Remove-TransportRule -Identity "Your Old Rule Name" -Confirm:$false

# Create the targeted rule
New-TransportRule `
    -Name "Block Meeting Spam to Public Alias" `
    -Priority 0 `
    -SenderDomainIs "zoom.us","gotomeeting.com","goto.com","logmein.com" `
    -HeaderContainsMessageHeader "To" `
    -HeaderContainsWords "example.com" `
    -DeleteMessage $true `
    -Comments "Drops meeting spam to the public alias. Mail to primary address passes through."
```
Replace example.com with your own alias domain and admin@yourdomain.com with your Exchange admin UPN.
Verify the rule was created:
```powershell
Get-TransportRule -Identity "Block Meeting Spam to Public Alias" |
    Format-List Name, Priority, State, SenderDomainIs,
        HeaderContainsMessageHeader, HeaderContainsWords, DeleteMessage
```
Expected: DeleteMessage : True, HeaderContainsWords : {example.com}.
This ensures that meeting platform messages aimed at the alias are dropped before delivery, so they never reach the inbox or the calendar.
Optional: Quarantine for Review
If you prefer to inspect these messages first:
- Change the action to redirect to hosted quarantine
- Enable admin notifications for new quarantined messages
This gives you a chance to review for false positives or track evolving tactics.
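The same switch can be made from PowerShell. The following is an added example, not part of the original post: it assumes the rule name from Step 3, uses a hypothetical notification mailbox (secops@yourdomain.com), and uses an incident report as one way to get admin notifications. Because the quarantine record shows the resolved recipient, it reads each held message's raw To: header to confirm the alias was the target.

```powershell
# Added example: move the Step 3 rule from delete to quarantine, then review.
# Assumptions: rule name from Step 3; secops@yourdomain.com is a hypothetical
# notification mailbox; example.com is the alias domain used in this post.
$ruleName    = "Block Meeting Spam to Public Alias"
$aliasDomain = "example.com"
$reportTo    = "secops@yourdomain.com"

# Swap the delete action for hosted quarantine and send an incident report
# on every match, so nothing is dropped silently during the review period.
Set-TransportRule -Identity $ruleName `
    -DeleteMessage $false `
    -Quarantine $true `
    -GenerateIncidentReport $reportTo `
    -IncidentReportContent Sender, Recipients, Subject, RuleDetections

# Messages quarantined by transport rules in the last 7 days, limited to the
# sender domains the rule covers (subdomains such as bounce-sg.zoom.us included).
$senderPattern = '[@.](zoom\.us|gotomeeting\.com|goto\.com|logmein\.com)$'
$held = Get-QuarantineMessage -QuarantineTypes TransportRule `
            -StartReceivedDate (Get-Date).AddDays(-7) `
            -EndReceivedDate (Get-Date) -PageSize 1000 |
        Where-Object { $_.SenderAddress -match $senderPattern }

# Check the raw To: header of each held message against the alias domain.
# Simplification: only the first line of a folded To: header is examined.
$toPattern = "(?im)^To:.*$([regex]::Escape($aliasDomain))"
$review = foreach ($m in $held) {
    $hdr = (Get-QuarantineMessageHeader -Identity $m.Identity).Header
    [pscustomobject]@{
        Received  = $m.ReceivedTime
        Sender    = $m.SenderAddress
        Subject   = $m.Subject
        ToIsAlias = [bool]($hdr -match $toPattern)
        Identity  = $m.Identity
    }
}
$review | Sort-Object Received |
    Format-Table Received, Sender, ToIsAlias, Subject -AutoSize

# After manual review, release anything that turned out to be legitimate:
# Release-QuarantineMessage -Identity "<Identity from the table>" -ReleaseToAll

# Once satisfied, return the rule to silent deletion:
# Set-TransportRule -Identity $ruleName -Quarantine $false -DeleteMessage $true
```

Rows where ToIsAlias is False are the ones to examine first, since the Step 3 rule is meant to fire only on mail addressed to the alias domain.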
Final Notes
- This method works because the campaigns consistently use the same sender domain and target a predictable alias.
- You can add a second rule to catch spam that slips through by targeting a personal Reply-To: address regardless of which recipient was targeted:

```powershell
New-TransportRule `
    -Name "Block Zoom spam with personal Reply-To" `
    -Priority 1 `
    -SenderDomainIs "zoom.us","gotomeeting.com","goto.com","logmein.com" `
    -HeaderContainsMessageHeader "Reply-To" `
    -HeaderContainsWords "gmail.com","yahoo.com","hotmail.com","outlook.com" `
    -DeleteMessage $true `
    -Comments "Catches meeting-platform spam using personal Reply-To addresses, regardless of which address was targeted"
```

- This won’t stop Zoom from being abused at a platform level, but it will stop the spam from reaching you.
Closing Thoughts
Guerrilla marketing via calendar invites is an increasingly common abuse pattern. When infrastructure providers fail to act, defenders must build targeted countermeasures. By leveraging Microsoft’s robust mail flow rule system, we can reclaim control over our inbox and calendars.
If you’re seeing similar activity in your tenant or have developed another approach, I’d love to hear about it.