Exposed calendar
A SaaS calendar — typically Google Calendar or Microsoft 365 — whose visibility setting leaks meeting titles, attendees, locations, or links to anyone in the domain or on the public internet.
An exposed calendar is a SaaS calendar — most often Google Calendar or Microsoft 365 — whose sharing setting reveals more than the owner intended. The damage isn’t always the times of meetings; it’s the titles, attendees, locations, and call links that those meetings carry. “Q4 acquisition sync — Project Lighthouse — Zoom link,” repeated weekly, is a piece of competitive and security intelligence that takes one attacker query to find.
Calendars get exposed in two distinct ways. First, the calendar itself is set to public (“Make available to public” in Google Workspace) and indexed by search engines. Second — far more common — the domain-internal default is “see all event details,” meaning every employee, contractor, and dormant external collaborator can read every meeting title in the company. Both are one-click defaults that few users revisit.
Defining properties:
- Useful for social engineering. Attackers building a spear-phishing pretext use calendar metadata to know who is meeting whom, when, and about what.
- Useful for competitive intelligence. Vendor names in meeting titles (“call with [law firm],” “demo with [target acquisition]”) are a tell.
- Useful for timing attacks. Knowing the CFO is in a four-hour board meeting is the perfect window for a wire-fraud pretext sent to the assistant.
- Often inherited from default settings. Many admins never changed the workspace default; many users never noticed the per-calendar override.
- Trivial to fix, hard to spot. The setting is buried two menus deep in each user’s calendar.
A CASB or DLP won’t help here because no content rule is being violated. This is a configuration and behavior issue — exactly the shape of risk SaaS behavior monitoring is built to surface.
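Both exposure paths described above show up as sharing rules on the calendar, so they can be audited as configuration. The following is an added example, not code from this page or any vendor: it assumes rules shaped like the Google Calendar API ACL resource (`scope.type` of `default` for public or `domain`, and a `role`), and the function names, addresses, and sample data are constructed for illustration.

```python
"""Flag calendar sharing rules that expose event details, not just free/busy."""

# Roles that reveal titles, attendees, locations and links.
# 'freeBusyReader' and 'none' only show (or hide) busy blocks.
DETAIL_ROLES = {"reader", "writer", "owner"}

def classify_rule(rule):
    """Return 'public', 'domain' or None for one ACL rule dict."""
    scope_type = rule.get("scope", {}).get("type")
    if rule.get("role", "none") not in DETAIL_ROLES:
        return None
    if scope_type == "default":   # anyone, authenticated or not
        return "public"
    if scope_type == "domain":    # every account in the domain
        return "domain"
    return None                   # per-user / per-group grants are out of scope here

def audit(calendars):
    """calendars: {calendar_id: [rules]} -> findings, public exposure first."""
    findings = []
    for cal_id, rules in calendars.items():
        for rule in rules:
            exposure = classify_rule(rule)
            if exposure:
                value = rule.get("scope", {}).get("value", "")
                findings.append((cal_id, exposure, rule["role"], value))
    return sorted(findings, key=lambda f: (f[1] != "public", f[0]))

# Constructed sample input (hypothetical users in example.com).
SAMPLE = {
    "cfo@example.com": [
        {"scope": {"type": "user", "value": "cfo@example.com"}, "role": "owner"},
        {"scope": {"type": "default"}, "role": "reader"},
    ],
    "assistant@example.com": [
        {"scope": {"type": "domain", "value": "example.com"}, "role": "reader"},
    ],
    "intern@example.com": [
        {"scope": {"type": "domain", "value": "example.com"}, "role": "freeBusyReader"},
    ],
}

if __name__ == "__main__":
    for cal_id, exposure, role, value in audit(SAMPLE):
        print(f"{cal_id}: {exposure} exposure, role={role} {value}".rstrip())
```

The intern's calendar is not flagged because domain-wide free/busy shows only busy blocks, which is the setting the flagged calendars would be moved to.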
Related terms
- Public file sharing: Sharing a SaaS file or folder via an 'anyone with the link' setting that bypasses authentication — the most common quiet data leak inside Google Drive, SharePoint, Dropbox, and Notion.
- Shadow IT: Software, SaaS, or cloud services in use inside an organization without IT or security approval — invisible to inventory, unmanaged, and rarely off-boarded.
- Social engineering: Manipulating a person — rather than exploiting a software flaw — to obtain credentials, money, or access; the umbrella category under which phishing, vishing, and BEC sit.
- Spear-phishing: A targeted phishing attack crafted for a specific person or small group, using public OSINT to reach a credibility that bulk phishing cannot achieve.