The Express Gazette
Saturday, December 27, 2025

Scammers exploit iCloud Calendar invitations to deliver phishing, bypass filters

Attack uses Apple’s iCloud Calendar and Microsoft 365 forwarding to bypass security checks and prompt victims to call fake tech support lines.

Technology & AI 3 months ago

Phishing scams are taking a new form as attackers exploit Apple's iCloud Calendar invite system to deliver messages directly from Apple's own servers. The tactic is designed to bypass common spam filters and appear legitimate, increasing the likelihood that recipients open the message and engage.

Security researchers say the attackers send calendar invites from an address on Apple's official domain, noreply@email.apple.com, and forward them to real targets through a Microsoft 365 address they control. The fraudulent content is tucked into the event's Notes field, making it look like a legitimate calendar notification. The invite is then automatically delivered to multiple targets because the attackers use a mailing list, and the forwarding chain employs a technique called the Sender Rewriting Scheme (SRS) to rewrite the return path so the message still passes SPF checks. That combination helps the phishing message reach a user's inbox with few obvious red flags.
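For mail administrators, the traits described above can be checked mechanically. The following triage sketch is an added example, not code from the researchers or the original report. It assumes the Notes text arrives in the iCalendar DESCRIPTION property and that the rewritten envelope sender carries an `SRS=`/`SRS0=` token (the exact layout varies by forwarder); the sample message and tag names are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# An SRS-rewritten envelope sender carries an "SRS0=" / "SRS=" token in its local part.
SRS_RE = re.compile(r"(?:^|\+)SRS[01]?=", re.I)
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
LURE_RE = re.compile(r"paypal|dispute|unauthori[sz]ed|charge|refund", re.I)

# Constructed sample: the forwarder domain, hash and phone number are made up.
SAMPLE = """\
Return-Path: <SRS0=AbCd=XY=email.apple.com=noreply@forwarder.example>
From: noreply@email.apple.com
Subject: Invitation: Purchase Invoice
Content-Type: text/calendar; method=REQUEST; charset=utf-8

BEGIN:VCALENDAR
BEGIN:VEVENT
SUMMARY:Purchase Invoice
DESCRIPTION:Your PayPal account was charged. To dispute this
  unauthorized charge call +1 (555) 010-0199.
END:VEVENT
END:VCALENDAR
"""

def event_notes(msg):
    """Return the unfolded DESCRIPTION text of every text/calendar part."""
    notes = []
    for part in msg.walk():
        if part.get_content_type() != "text/calendar":
            continue
        ics = part.get_payload(decode=True).decode("utf-8", "replace")
        ics = re.sub(r"\r?\n[ \t]", "", ics)  # RFC 5545 line unfolding
        notes += re.findall(r"^DESCRIPTION[^:\n]*:(.*)$", ics, re.M)
    return notes

def triage(raw):
    """Return tags for the traits of the forwarded-invite lure described above."""
    msg = message_from_string(raw)
    tags = []
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    env_local, _, env_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")
    if SRS_RE.search(env_local):
        tags.append("srs-rewritten-envelope")
    if env_dom and env_dom.lower() != from_dom:  # strict compare; SPF vouches for env_dom only
        tags.append("from-envelope-mismatch")
    if any(PHONE_RE.search(n) and LURE_RE.search(n) for n in event_notes(msg)):
        tags.append("callback-lure-in-notes")
    return tags
```

An SPF pass on such a message vouches only for the forwarder's domain in the return path, not for the Apple address shown in From, which is why the mismatch tag is worth surfacing even when authentication results look clean.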

Victims are prompted with a PayPal dispute claim, alleging an unauthorized charge and urging them to call a support number. The goal is to coerce the recipient into contacting the scammers, who pose as technical support agents. Once connected, victims may be asked to install remote access software or disclose login credentials, enabling theft of banking details, passwords, or other sensitive information.

Experts say the tactic leverages the credibility of Apple's infrastructure, reducing suspicion because the message appears to come from a trusted domain. Some variants of the scam have used DocuSign-style emails to push Apple Pay fraud, illustrating how attackers mix familiar branding with trusted platforms to improve their success rate.

To reduce risk, readers should treat unexpected calendar invites with caution, especially those claiming to report payment disputes or security alerts. Do not rely on or call the contact numbers provided in an invite; instead, verify claims by logging directly into the official PayPal, Apple, or other service accounts, and use official channels to reach customer support. Install reputable antivirus software and keep it updated. Consider removing personal data from public listings to hamper data-mining by attackers, and use a password manager to generate strong, unique passwords and to monitor for breaches. Finally, keep devices and software up to date to patch vulnerabilities that scammers may exploit.


Security researchers say the campaign is part of a broader trend in which fraudsters abuse trusted communications channels to lower users' defenses. The tactic places emphasis on the perceived legitimacy of a calendar alert rather than a suspicious email address, making it easier for victims to overlook red flags. In some cases, attackers have used additional branding plays, attempting to connect with individuals through familiar enterprise tools and document-signing services to further the illusion of legitimacy.

The evolving method underscores the importance of verification across all channels. If an alert arrives via a calendar invite, users should not act on the content within the invite itself. Instead, individuals should navigate to official account dashboards through trusted bookmarks or official apps and verify any claims of unusual activity. When in doubt, contacting customer support through a verified phone number found on the company’s official site is advised over responding to numbers listed in a suspicious invitation.


Industry observers also note that this technique demonstrates how attackers continuously adapt to defensive improvements. By exploiting legitimate infrastructure, the scammers reduce friction in delivery and increase the odds that a message reaches the intended recipient. The report cites Bleeping Computer as one of the outlets documenting the tactic and calls on users to practice ongoing vigilance, especially in the face of messages that seem to originate from brands or services people trust. While the abuse of calendar invites is new in this context, it fits a broader pattern of phishing that leverages social engineering and signaling from trusted platforms to lower user suspicion.


Overall, the developing threat highlights the need for consumers to treat any unexpected calendar invitation with caution and to verify activity through official channels rather than through embedded notes or links within invites. It also emphasizes that even well-established systems can be leveraged for fraud if attackers succeed in convincing users of their legitimacy. Readers are encouraged to remain skeptical of alarming claims that arrive via calendar invitations, as part of a broader, ongoing effort to improve individual digital hygiene and resilience against increasingly sophisticated phishing campaigns.

Sources: security researchers and reporting on iCloud Calendar phishing campaigns, including coverage noting the use of the Apple domain and SPF-SRS forwarding techniques; related discussion of credential and payment fraud across phishing variants.

