Microsoft Bookings Flaw Let Hackers Hijack Meetings

A security flaw in Microsoft Bookings exposed users to significant risks by allowing attackers to alter meeting invitations and calendar details through HTML injection, researchers at ERNW reported. The vulnerability, rooted in inadequate input validation within the Bookings API, impacted fields such as `serviceNotes`, `additionalNotes`, and `body.content`.

Exploitation was particularly effective via the “Reschedule” feature, where HTML content embedded in booking confirmations was preserved and re-used in subsequent requests. Malicious actors could manipulate parameters like `joinWebUrl`, injecting deceptive links and images into invites. Additionally, attackers could insert unauthorized calendar headers and organizer fields in ICS attachments.

The flaw enabled phishing attacks, data manipulation, and calendar abuse, including extended meeting times and the creation of hidden mailboxes. Microsoft largely addressed the issue by February 2025 after its disclosure in December 2024. However, some parameters remained insufficiently validated. Organizations are urged to apply security patches and follow Microsoft’s updated best practices for Bookings configuration.
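The root cause described above is free-text booking fields being copied unescaped into HTML email bodies and ICS attachments, plus a join URL that was trusted as given. The following is an added illustration, not code from the ERNW report or from Microsoft Bookings, of the three output-side checks that close those paths: HTML-escaping notes before they reach an email body, allow-listing the scheme and host of the join link, and RFC 5545 TEXT escaping (including CR/LF) so a note can never start a new ICS property line. The field names, the allow-listed host and the sample inputs are assumptions constructed for the demo.

```python
import html
from typing import List, Optional
from urllib.parse import urlparse

# Assumed allow-list of hosts a meeting join link may point at (constructed for this example).
ALLOWED_JOIN_HOSTS = {"teams.microsoft.com"}


def escape_html_field(value: str) -> str:
    """Escape a free-text field (e.g. serviceNotes) before placing it in an HTML email body."""
    return html.escape(value, quote=True)


def validate_join_url(url: str) -> Optional[str]:
    """Return the URL only if it is an https link to an allow-listed host, else None."""
    try:
        parts = urlparse(url)
    except ValueError:
        return None
    if parts.scheme != "https" or parts.netloc.lower() not in ALLOWED_JOIN_HOSTS:
        return None
    return url


def escape_ics_text(value: str) -> str:
    """RFC 5545 TEXT escaping: backslash, newline, semicolon and comma.

    CR/LF become the two characters '\\n', so a value cannot break the
    physical line and inject a new property such as ORGANIZER.
    """
    value = value.replace("\\", "\\\\")
    value = value.replace("\r\n", "\n").replace("\r", "\n").replace("\n", "\\n")
    value = value.replace(";", "\\;").replace(",", "\\,")
    return value


def build_email_body(notes: str, join_url: str) -> str:
    """Compose the HTML confirmation body; an untrusted join link is dropped, not rendered."""
    safe_url = validate_join_url(join_url)
    link = f'<a href="{html.escape(safe_url, quote=True)}">Join meeting</a>' if safe_url else ""
    return f"<p>{escape_html_field(notes)}</p>{link}"


def build_ics(summary: str, description: str) -> str:
    """Minimal VEVENT whose user-supplied text is escaped, so only fixed properties appear."""
    lines = [
        "BEGIN:VCALENDAR",
        "VERSION:2.0",
        "BEGIN:VEVENT",
        "SUMMARY:" + escape_ics_text(summary),
        "DESCRIPTION:" + escape_ics_text(description),
        "END:VEVENT",
        "END:VCALENDAR",
    ]
    return "\r\n".join(lines) + "\r\n"


def property_names(ics: str) -> List[str]:
    """Property names per physical line, used to check that no line was injected."""
    return [line.split(":", 1)[0].split(";", 1)[0] for line in ics.split("\r\n") if line]


if __name__ == "__main__":
    # Constructed sample input: a note carrying HTML plus a CR/LF that tries to start a new ICS line.
    notes = 'Please bring ID <img src="x"> \r\nX-INJECTED:value'
    print(build_email_body(notes, "http://not-allowed.example/join"))
    print(build_ics("Sync", notes))
    print(property_names(build_ics("Sync", notes)))
```

The ICS check is the one to keep in mind: an escaper that only handles `<` and `&` protects the HTML body but leaves the attachment open, because the calendar format is line-oriented and a bare CR/LF inside a DESCRIPTION value is a new property.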
