iCloud calendar phishing uses Apple email to push fake purchase alerts, experts warn
Scammers hide fraudulent PayPal-style charges inside calendar invites that are sent from Apple servers, bypassing filters and luring victims into vishing and remote‑access schemes.

A new phishing campaign that exploits iCloud Calendar to send fake purchase alerts has prompted warnings for the roughly 1.8 billion iPhone users worldwide, cybersecurity researchers said.
Investigators who reviewed a suspicious message reported to Bleeping Computer found the bait embedded in an iCloud Calendar invite: a fraudulent PayPal payment notice and a phone number hidden in the invite's Notes field. Because Apple automatically generates email notifications from its own servers when calendar events are created, the message appeared to come from a legitimate Apple address, noreply@email.apple.com, allowing it to pass standard email authentication checks and slip past conventional spam filters.
The example highlighted by researchers contained a $599 PayPal charge and instructed recipients to call a number to dispute the payment. The invite was sent to a Microsoft 365 address that researchers believe functioned as a mailing list; that account then forwarded the message to multiple recipients, amplifying the attack. Once a victim called the supplied number, scammers would purport to be support staff, attempt to convince the person that their account had been compromised and then pressure them to install remote‑access software or share login credentials—actions that can lead to account takeover and theft, the analysis found.
Cybersecurity experts said the technique is part of a broader trend of attackers "riding on reputable services" to lend legitimacy to fraudulent messages. "Because these invites are sent from Apple's legitimate servers, they pass authentication checks and appear trustworthy, making them far harder for traditional filters to block," Jamie Akhtar, CEO of CyberSmart, told Forbes. Javvad Malik, lead CISO advisor at KnowBe4, said such campaigns often exploit calendar entries because "people don't scrutinize calendar links the way they do email links, so a meeting invite with a call back number lowers defenses and funnels victims into vishing or remote‑access scams."
Bleeping Computer noted the campaign uses calendar invites that pass SPF, DKIM and DMARC checks, an authentication trio intended to help prevent email spoofing. The use of a legitimate Apple sender address allows the messages to inherit the trust those systems confer and to reach inboxes where recipients might assume the notice is genuine. The pattern echoes earlier PayPal‑themed phishing attacks that used similar social‑engineering techniques to prompt phone callbacks and remote support interactions.
Researchers and reporting outlets said the alert was prompted after an individual shared the suspicious email with security investigators. Daily Mail reported it had reached out to Apple for comment. The technical details available to date indicate the attackers are leveraging standard calendar functionality to distribute deceptive content rather than compromising Apple infrastructure, according to the published analyses.
Security specialists urged caution. They recommended that people confronted with unexpected charges verify them through official services and apps rather than by calling numbers provided in unsolicited messages. Experts also reminded users to be wary of unexpected calendar invites, especially those containing payment references or urgent language, and to treat requests for remote‑access software or credential disclosure as high‑risk.
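
A content-based triage heuristic for the notifications described above, as an added example that is not from the article or the researchers it cites: because SPF, DKIM and DMARC all pass, it scores the sender, payment wording and a call-back number instead. The keyword lists, function names, verdict labels and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string

CALENDAR_SENDER = "noreply@email.apple.com"  # sender address named in the article
# Heuristic patterns: these word lists are assumptions, tune them for your own mail flow.
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
PAYMENT = re.compile(r"\b(paypal|payment|charge[ds]?|invoice|refund)\b|\$\s?\d", re.I)
CALLBACK = re.compile(r"\b(call|contact|dial|phone)\b", re.I)

# Constructed sample messages (not real captures); the 555-01xx number is fictional.
HEADERS = ("From: noreply@email.apple.com\nSubject: Invitation\n"
           "Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass\n"
           "Content-Type: text/plain; charset=utf-8\n\n")
LURE = HEADERS + "Your PayPal account was charged $599.00. To dispute, call +1 (800) 555-0199.\n"
BENIGN = HEADERS + "Team lunch on Friday at noon in the main conference room.\n"


def auth_passed(msg):
    """True when Authentication-Results reports spf, dkim and dmarc as pass."""
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return all(f"{m}=pass" in results for m in ("spf", "dkim", "dmarc"))


def body_text(msg):
    """Concatenate the decoded text/* parts of the message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def score_invite(raw_message):
    """Return (verdict, reasons, authenticated) for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    text, reasons = body_text(msg), []
    if CALENDAR_SENDER in msg.get("From", "").lower():
        reasons.append("calendar-notification sender")
    if PAYMENT.search(text):
        reasons.append("payment language")
    if PHONE.search(text) and CALLBACK.search(text):
        reasons.append("call-back phone number")
    # A pass on SPF/DKIM/DMARC is reported but never lowers the score: the
    # lure is genuinely sent by the calendar service, so it authenticates.
    verdict = "quarantine" if len(reasons) == 3 else "deliver"
    return verdict, reasons, auth_passed(msg)
```

An ordinary invite from the same sender is delivered, so the rule keys on the combination of signals rather than on the Apple address alone.
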
The campaign underscores how threat actors increasingly abuse trusted platforms and automated notification systems to bypass filters and take advantage of routine user behavior. As investigators continue to monitor and characterize the activity, users and organizations are advised to exercise care when responding to calendar notifications and to report suspicious messages to their security teams or service providers.