iCloud Calendar Exploited to Push Phishing Emails Via Apple Servers

Scammers exploit Apple’s trusted email system to distribute callback phishing scams.

Callback scams disguised as payment alerts

Threat actors are abusing Apple’s iCloud Calendar feature to distribute phishing emails that appear to originate directly from Apple’s servers. Perpetrators are exploiting this feature to make fraudulent messages look legitimate so they slip past spam detection filters.

In one reported case, a recipient received what appeared to be a PayPal payment receipt for $599. According to BleepingComputer, the email urged the individual to contact a “support team” at a listed phone number to dispute or cancel the charge. The message closely resembled standard callback phishing scams, which try to provoke panic with apparently unauthorized transactions.

How the scam works

When a victim calls the fake number, threat actors typically warn of compromised accounts or suspicious activity. They then try to persuade the caller to grant remote access to their device under the guise of processing a refund. Such access has been used to siphon money, install malware or steal sensitive data.

Though the social engineering aspect is familiar, the method of delivery raises new concerns. The messages were sent from the legitimate Apple address noreply@email[.]apple[.]com, successfully passing standard email authentication checks such as SPF, DKIM and DMARC.

Calendar invite abuse

The phishing emails were actually rogue iCloud Calendar invitations. Threat actors inserted fraudulent text in the Notes field and invited an email address tied to Microsoft 365. From there, the invite was distributed to additional recipients, potentially through a mailing list.

Because Microsoft 365 uses the Sender Rewriting Scheme (SRS) to maintain email authentication when forwarding messages, the malicious invites still looked genuine even after redistribution. This combination of Apple’s trusted domain and Microsoft’s relay system made the scam particularly difficult to detect.

Countering sophisticated scam tactics

As phishing and callback scams grow increasingly sophisticated, specialized security tools can bring you peace of mind. Bitdefender Ultimate Security offers real-time protection against phishing, viruses, worms, spyware, rootkits, zero-day exploits, ransomware, and other digital threats. It features multi-layered ransomware protection, email filtering, cryptomining protection, network threat prevention, behavioral detection and anti-phishing modules to ensure your protection.

Scamio, Bitdefender’s AI-powered chatbot, provides a free way to check a suspicious email, link, message, or QR code, whether by web, WhatsApp, Discord, or Messenger.