Scammers exploit iCloud Calendar invites to send fake purchase alerts that bypass filters

A new phishing campaign is exploiting iCloud Calendar invites to deliver fake purchase notifications that appear to come from Apple’s own servers, enabling scammers to bypass common email authentication and trick recipients into calling fraudulent support numbers and installing malware.

The attack, reported by Bleeping Computer and highlighted in a Daily Mail account published Sept. 8, 2025, hides a deceptive message in the Notes field of a calendar invite. Because Apple automatically sends confirmation emails for calendar events from addresses such as noreply@email.apple.com, the malicious messages can pass SPF, DKIM and DMARC checks and arrive in inboxes with apparent legitimacy.

In the reported example, recipients received what looked like a PayPal billing notice for $599, accompanied by instructions to call a phone number if they wished to dispute the charge. The email was actually generated by an iCloud Calendar invite that contained the scam text in its Notes field and had been sent to a Microsoft 365 address that the attackers controlled or believed to be a mailing list. That address then forwarded the message to multiple recipients, echoing earlier PayPal-themed phishing campaigns.

Cybersecurity professionals described how the technique increases trust and reduces scrutiny. "Because these invites are sent from Apple's legitimate servers, they pass authentication checks and appear trustworthy, making them far harder for traditional filters to block," Jamie Akhtar, CEO of CyberSmart, told Forbes. Javvad Malik, lead CISO advisor at KnowBe4, said the tactic reflects "an ongoing trend of phishing that rides on reputable services" and noted that people generally do not examine calendar links as closely as email links.

According to the reporting, attackers use the phone call as the next step in the fraud. Victims who call are told their accounts have been compromised and are then pressured into installing remote‑access software or otherwise handing over credentials and security codes. Once installed, that software can be used to capture logins, siphon funds, or enable further account takeover.

The scale of potential exposure was emphasized by the Daily Mail’s framing of the advisory to "1.8 billion iPhone users," a figure presented in that outlet’s coverage. The report attributed the new warning to cybersecurity researchers and to the initial Bleeping Computer story; Apple had not issued a public statement to that outlet at the time the Daily Mail contacted the company.

Experts advising on the matter said the campaign underlines how attackers are increasingly leveraging trusted platforms to deliver malicious content. "These attacks, such as the one using iCloud Calendar, land in inboxes with borrowed legitimacy," Malik said. Security specialists also pointed to the combination of social engineering techniques — a plausible-looking charge, an authoritative sender address and a phone number — as effective in lowering recipients' guard and funneling them into vishing or remote‑access scams.

Security firms have previously documented other campaigns that exploit trusted services to bypass filters, and analysts say the calendar-invite vector is a natural extension of those methods. Because calendar systems automatically generate notification emails on behalf of users, scammers can use those mechanisms to make malicious communications appear routine and authenticated.

Technology and security providers commonly recommend verifying unexpected charges directly through the service in question rather than responding to contact information in unsolicited messages. In statements to reporters, cybersecurity commentators urged recipients not to call numbers provided in calendar invites or emails, to check calendar sharing and invite settings, and to report unsolicited calendar events to their email or calendar provider.

The incident adds to a broader trend of attackers combining impersonation, automated messaging systems and human‑interaction steps such as phone calls to overcome technical safeguards. Law enforcement and industry groups have been tracking a rise in phishing that pairs initial deceptive messages with subsequent vishing or remote‑access attempts, a sequence that can lead to rapid financial loss when victims are persuaded to grant access or disclose security credentials.

Apple, Microsoft and other platform operators have mechanisms for reporting and blocking spam or abusive calendar invites; security advisers said organizations and individuals should use those controls and maintain current device and account protections. The companies involved did not provide immediate comment to the outlets that reported the new campaign.

As the tactic becomes more widely reported, security researchers said it will be important for both users and automated defenses to treat calendar-originated notifications with the same caution applied to email links and attachments, and to verify unexpected charges through official apps or websites before taking action.

(Reporting assembled from Bleeping Computer, Forbes, KnowBe4 and Daily Mail accounts.)