ThreatOther

Fake CEO calendar-invite-then-ask BEC lure — "as discussed in our Q3 review meeting yesterday, please wire $X to the new vendor account" / "per our calendar meeting earlier today, process the wire transfer to the new payee within 4 hours" follow-up to a spoofed CEO calendar invite. Sender NOT on the calendar-canonical allowlist (google.com, calendar.google.com, gmail.com, microsoft.com, microsoftonline.com, outlook.com, office.com, office365.com, apple.com, icloud.com, calendly.com, hubspot.com, cal.com, savvycal.com, fantastical.app). Real CEO wire requests after a meeting flow through dual-control with verbal verification through a known phone number, audited by both finance and exec sponsor — never as a single inbound email demanding a same-day wire on a confidentiality / "do not loop in finance" pretext. Distinct from R7 slow-burn-BEC (4-mail warm-up) and R7 scheduler-link (Calendly drop-in) — this signal is specifically the *calendar-event-pretext* primitive (Lead consensus C1: calendar-event itself lends authority no plain mail has). Source: Red-Team R8 multi-agent council S2 (social-engineering specialist), Lead consensus C1.

ceo-meeting-invite-then-ask-lure

What this tier means

High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.

How Gorganizer detects this

Fake CEO calendar-invite-then-ask BEC lure targeting finance, AP, controllers, and exec-assistant staff. The two-stage attack chain unfolds across 24-48 hours:

Stage 1: spoofed-CEO Day-1 calendar invite ("Q3 review", "Q4 board prep") sent via fake calendar-canonical headers, accepted-by-default by the recipient's busy calendar workflow.

Stage 2: Day-2 follow-up email ("As discussed in our Q3 review meeting yesterday, please wire $250,000 to the new vendor account. Follow up on the calendar invite from yesterday — transfer is needed before end of day. Confidential, do not loop in finance until the wire is sent," or "Per our calendar meeting earlier today (Q4 board prep), please process the wire transfer to the new payee within 4 hours. As discussed in the meeting, this is confidential and time-sensitive.").

The calendar-event itself lends authority no plain mail has — the recipient has a real calendar-app entry from the spoofed CEO, which they read as cryptographic-grade authentication when in fact it is just a forwarded ICS file. Lead consensus C1 (Red-Team R8 multi-agent council): calendar pretext lends authority no plain mail has; subsumes 3 vectors (CEO-invite, recruiter-chain, multi-actor-handoff).

Real CEO wire requests after a meeting flow through dual-control with verbal verification through a known phone number, audited by both finance and exec sponsor — never as a single inbound email demanding a same-day wire on a confidentiality / "do not loop in finance" pretext.

Sender NOT on the calendar-canonical allowlist (google.com, calendar.google.com, gmail.com, microsoft.com, microsoftonline.com, outlook.com, office.com, office365.com, apple.com, icloud.com, calendly.com, hubspot.com, cal.com, savvycal.com, fantastical.app).

Distinct from R7 slow-burn-BEC (4-mail warm-up, no calendar pretext) and R7 scheduler-link (Calendly-drop-in after finance ask) — this signal is specifically the *calendar-event-pretext* primitive (the calendar invite IS the authority anchor).

Fires when body references

"as discussed in our/the/yesterday's/today's/earlier today's meeting/mtg/call/review" / "per our meeting/mtg/call/review/calendar (meeting)" / "calendar (invite/meeting/event)" / "follow-up on/to/from the meeting/mtg/call/invite/calendar" / "Q1-Q4 review/board prep/board meeting" / "board prep" / "board meeting"

AND wire (transfer/remittance/payment/the amount/funds) / "process (the) wire/transfer/payment" / "new vendor/payee account" / "new account number/details" / "transfer funds/the amount" / "remit to/the" / "wire $/€/£/N"

AND "before end of day/EOD/COB/close of business/Friday/tomorrow" / within N hours-days / 24-48 hours / 4 hours / action required / confidential(ly) / "do not loop in/cc/forward" / time-sensitive / urgent / asap / immediately.

Excludes the canonical calendar / SaaS-meeting domains. Auto-classified as danger via the `-lure` suffix. Source: Red-Team R8 multi-agent council S2 (social-engineering specialist), Lead consensus C1 calendar-authority BEC.
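
The three-group AND condition and the allowlist exclusion described above, sketched as an added example (this is not Gorganizer's code). The regexes only approximate the listed phrase groups; the function names, the subdomain handling, and the sample messages are assumptions made for illustration.

```python
import re
from email.utils import parseaddr

# Calendar-canonical allowlist, copied from the signal description.
ALLOWLIST = {
    "google.com", "calendar.google.com", "gmail.com", "microsoft.com",
    "microsoftonline.com", "outlook.com", "office.com", "office365.com",
    "apple.com", "icloud.com", "calendly.com", "hubspot.com", "cal.com",
    "savvycal.com", "fantastical.app",
}
FLAGS = re.I | re.X
# Group 1: the message leans on a meeting or calendar event as its pretext.
MEETING = re.compile(r"""
    \bas\s+discussed\s+in\s+(?:our|the|yesterday's|today's)\b.{0,30}?\b(?:meeting|mtg|call|review)\b
  | \bper\s+our\s+(?:calendar\s+)?(?:meeting|mtg|call|review)\b
  | \bcalendar\s+(?:invite|meeting|event)\b
  | \bfollow[- ]?up\s+(?:on|to|from)\s+the\s+(?:meeting|mtg|call|invite|calendar)\b
  | \b(?:Q[1-4]\s+review|board\s+(?:prep|meeting))\b""", FLAGS)
# Group 2: a payment or payee-change ask.
WIRE = re.compile(r"""
    \bwire\s+(?:transfer|remittance|payment|the\s+amount|funds)\b
  | \bprocess\s+(?:the\s+)?(?:wire|transfer|payment)\b
  | \bnew\s+(?:vendor|payee)\s+account\b | \bnew\s+account\s+(?:number|details)\b
  | \btransfer\s+(?:funds|the\s+amount)\b | \bremit\s+(?:to|the)\b
  | \bwire\s+[$€£]?\d""", FLAGS)
# Group 3: deadline or secrecy pressure.
PRESSURE = re.compile(r"""
    \bbefore\s+(?:end\s+of\s+day|EOD|COB|close\s+of\s+business|Friday|tomorrow)\b
  | \bwithin\s+\d+\s+(?:hours?|days?)\b | \baction\s+required\b
  | \bconfidential(?:ly)?\b | \bdo\s+not\s+(?:loop\s+in|cc|forward)\b
  | \btime[- ]sensitive\b | \burgent\b | \basap\b | \bimmediately\b""", FLAGS)

def sender_domain(from_header):
    return parseaddr(from_header)[1].rpartition("@")[2].lower()

def is_allowlisted(domain):
    # Assumption: subdomains of an allowlisted domain are excluded too; lookalikes are not.
    return any(domain == d or domain.endswith("." + d) for d in ALLOWLIST)

def lure_fires(from_header, body):
    """True only when all three phrase groups hit and the sender is not excluded."""
    if is_allowlisted(sender_domain(from_header)):
        return False
    return all(p.search(body) for p in (MEETING, WIRE, PRESSURE))

# Constructed samples; the first body reuses wording quoted in the description.
LURE = ("As discussed in our Q3 review meeting yesterday, please wire $250,000 to "
        "the new vendor account. Confidential, do not loop in finance.")
RECAP = "Thanks for joining the Q3 review yesterday. Slides are attached."
```

`lure_fires("CEO <ceo@corp-mail.example>", LURE)` returns `True`, while the recap message and the same lure text from an allowlisted sender both return `False`.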

False-positive guard

Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.
