Cybercriminals have found a new way to exploit iCloud Calendar: by abusing its invite system they get phishing emails sent directly from Apple's own mail servers. Because the messages genuinely originate from Apple's infrastructure, they carry the reputation of Apple's sending domain, pass standard sender-authentication checks, and land in victims' inboxes rather than in spam.
The scam typically arrives as an iCloud Calendar invite disguised as a payment receipt, often citing a suspicious charge such as a $599 PayPal transaction. The message includes a callback number and urges recipients to call if they did not authorize the payment. Once victims call, the scammers use social-engineering tactics to convince them that their accounts have been compromised and then pressure them into installing remote-access software under the guise of "resolving the issue." That foothold opens the door to data theft, malware installation, or direct financial fraud.
What makes this attack notable is how cleanly it sidesteps email authentication. The phishing messages are sent from noreply@email.apple.com and pass SPF, DKIM, and DMARC. Those protocols are designed to block spoofed senders, but here nothing is spoofed: Apple's servers really did send the message, so the checks pass legitimately. Authentication only proves which domain sent a message, not that its content is benign. The phishing text itself is embedded in the Notes field of the Calendar invite, where body-scanning filters tuned for ordinary HTML mail are less likely to look.
The campaign also leverages Microsoft 365 mailing lists to spread. The attackers send the initial iCloud Calendar invite to a Microsoft 365 list address they control, and the invitation is automatically forwarded to every member of the list. Plain forwarding would normally break SPF, because the forwarder's IP is not authorized to send for email.apple.com; to prevent that, Microsoft's Sender Rewriting Scheme (SRS) rewrites the return path (the envelope MAIL FROM) to a Microsoft-controlled address, so SPF passes for the forwarding domain instead of failing. Apple's DKIM signature survives the relay as long as the signed content is not modified, and because that signature's domain aligns with the header From, DMARC still passes at the final recipient. The attackers do not manipulate any of this; they simply ride standard forwarding behaviour so the message keeps its authenticated appearance across platforms.
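The following block, added for this article and not code from Microsoft, Apple, or the researchers who reported the campaign, shows why a forwarded message keeps passing: SRS rewrites the envelope sender so SPF is evaluated against the forwarder's domain, and DMARC then succeeds only through the still-aligned DKIM signature. It assumes a hypothetical forwarder domain lists.example.com, an illustrative SRS secret, and the classic SRS0 address layout (Microsoft 365 emits the same construction in its own bounces+SRS=...@tenant.onmicrosoft.com form); the alignment check is simplified to a suffix test rather than a public-suffix-list lookup.

```python
"""SRS rewriting on a forwarder and the resulting SPF/DKIM/DMARC picture.
Example added for this article; not Microsoft's or Apple's code.
Assumptions: forwarder domain lists.example.com, illustrative secret,
classic SRS0 address layout, suffix-based relaxed alignment."""
import base64
import hashlib
import hmac
import re
import time

SRS_SECRET = b"demo-only-secret"          # assumption: illustrative key
FORWARDER_DOMAIN = "lists.example.com"    # assumption: hypothetical list host
BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
SRS_RE = re.compile(r"^SRS0=([^=]+)=([^=]+)=([^=]+)=(.+)@(.+)$")


def srs_timestamp(days):
    """Two base32 characters encoding (days since epoch mod 1024), as in SRS0."""
    return BASE32[(days >> 5) & 31] + BASE32[days & 31]


def srs_hash(ts, domain, local):
    """Truncated HMAC over timestamp, domain and local part, so only this
    forwarder can mint addresses that it will later reverse for bounces."""
    mac = hmac.new(SRS_SECRET, f"{ts}{domain.lower()}{local}".encode(),
                   hashlib.sha1).digest()
    return base64.b64encode(mac).decode()[:4]


def srs_forward(envelope_from, days=None):
    """Rewrite the envelope sender (MAIL FROM) before relaying to list members."""
    local, domain = envelope_from.rsplit("@", 1)
    days = int(time.time() // 86400) if days is None else days
    ts = srs_timestamp(days)
    return f"SRS0={srs_hash(ts, domain, local)}={ts}={domain}={local}@{FORWARDER_DOMAIN}"


def srs_reverse(rewritten, days=None, max_age_days=21):
    """Undo the rewrite for a bounce; rejects bad hashes and stale timestamps."""
    m = SRS_RE.match(rewritten)
    if not m:
        raise ValueError("not an SRS0 address")
    h, ts, domain, local, fwd = m.groups()
    if fwd.lower() != FORWARDER_DOMAIN:
        raise ValueError("not minted by this forwarder")
    if not hmac.compare_digest(h, srs_hash(ts, domain, local)):
        raise ValueError("bad SRS hash")
    days = int(time.time() // 86400) if days is None else days
    valid = {srs_timestamp(d) for d in range(days - max_age_days, days + 1)}
    if ts not in valid:
        raise ValueError("SRS timestamp expired")
    return f"{local}@{domain}"


def spf_domain(envelope_from):
    """SPF is evaluated against the MAIL FROM domain, never the header From."""
    return envelope_from.rsplit("@", 1)[1].lower()


def aligned(header_from_domain, auth_domain):
    """Relaxed DMARC alignment, simplified to a suffix test (assumption: real
    checkers compare organizational domains via the public suffix list)."""
    a, b = header_from_domain.lower(), auth_domain.lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def dmarc_passes(header_from_domain, spf_pass_domain=None, dkim_pass_domain=None):
    """DMARC passes when at least one passing identifier aligns with header From."""
    return any(d is not None and aligned(header_from_domain, d)
               for d in (spf_pass_domain, dkim_pass_domain))


def forwarding_scenario(days=None):
    """Direct delivery versus relay through the list, for the article's message."""
    header_from = "email.apple.com"
    direct = "noreply@email.apple.com"
    relayed = srs_forward(direct, days)
    return {
        "direct_spf_domain": spf_domain(direct),
        "direct_dmarc": dmarc_passes(header_from, spf_pass_domain=spf_domain(direct)),
        "relayed_envelope": relayed,
        "relayed_spf_domain": spf_domain(relayed),
        # SPF now passes for the forwarder, but that domain is not aligned:
        "relayed_dmarc_spf_only": dmarc_passes(
            header_from, spf_pass_domain=spf_domain(relayed)),
        # Apple's DKIM signature survives an unmodified relay and carries DMARC:
        "relayed_dmarc_with_dkim": dmarc_passes(
            header_from, spf_pass_domain=spf_domain(relayed),
            dkim_pass_domain="email.apple.com"),
    }


if __name__ == "__main__":
    for k, v in forwarding_scenario().items():
        print(f"{k}: {v}")
```

The practical consequence for defenders: a forwarded copy whose DKIM signature was broken (a list footer appended, for instance) would fail DMARC, so SRS alone does not make a message look authentic; it is the unmodified Apple-signed body that does.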
While the lure itself is a classic callback-phishing scam, the abuse of Apple's trusted systems raises its success rate. Victims are less suspicious of an email that appears to come from Apple's official servers than of one from an unknown domain, and so are mail gateways: the Authentication-Results header recorded on one of the observed messages shows every check passing, with the sending IP inside Apple's address space.
Authentication-Results: spf=pass (sender IP is 17.23.6.69)
smtp.mailfrom=email.apple.com; dkim=pass (signature was verified)
header.d=email.apple.com;dmarc=pass action=none header.from=email.apple.com;
This represents a troubling evolution in phishing tactics, where attackers exploit legitimate services to borrow their credibility. Detection therefore has to move past the authentication verdict and look at what the invite actually says.
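The block below is an added example, not code from the article or from any vendor, of detection logic that does exactly that: it reads the SPF/DKIM/DMARC verdicts from the Authentication-Results header, then inspects the text/calendar part's SUMMARY and DESCRIPTION (the invite's Notes) for the callback-scam pattern of a dollar amount, payment wording, and a phone number to call. The sample messages are constructed to match the article's description; the regular expressions and lure-word list are assumptions to tune against real traffic.

```python
"""Flag calendar-invite callback phishing that passes SPF, DKIM and DMARC.
Example added for this article; not code from the article or any vendor.
Sample messages below are constructed, not real captures."""
import re
from email import message_from_bytes
from email.policy import default

# Constructed sample modelled on the campaign (not a real capture).
PHISH_INVITE = b"""\
Authentication-Results: spf=pass (sender IP is 17.23.6.69)
 smtp.mailfrom=email.apple.com; dkim=pass (signature was verified)
 header.d=email.apple.com;dmarc=pass action=none header.from=email.apple.com;
From: iCloud <noreply@email.apple.com>
To: victim@example.net
Subject: Invitation: Payment Receipt
MIME-Version: 1.0
Content-Type: text/calendar; method=REQUEST; charset=utf-8

BEGIN:VCALENDAR
VERSION:2.0
METHOD:REQUEST
BEGIN:VEVENT
SUMMARY:Payment Receipt
DESCRIPTION:Your PayPal account was charged $599.00. If you did not author
 ize this transaction call our support line at +1 (800) 555-0199 immediate
 ly to cancel.
END:VEVENT
END:VCALENDAR
"""

# Constructed benign invite from the same sender, for comparison.
BENIGN_INVITE = b"""\
Authentication-Results: spf=pass (sender IP is 17.23.6.69)
 smtp.mailfrom=email.apple.com; dkim=pass (signature was verified)
 header.d=email.apple.com;dmarc=pass action=none header.from=email.apple.com;
From: iCloud <noreply@email.apple.com>
To: victim@example.net
Subject: Invitation: Quarterly planning
MIME-Version: 1.0
Content-Type: text/calendar; method=REQUEST; charset=utf-8

BEGIN:VCALENDAR
VERSION:2.0
METHOD:REQUEST
BEGIN:VEVENT
SUMMARY:Quarterly planning
DESCRIPTION:Agenda is in the shared document\\, bring your estimates.
END:VEVENT
END:VCALENDAR
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
MONEY_RE = re.compile(r"\$\s?\d{2,5}(?:\.\d{2})?")
# Assumption: illustrative lure vocabulary, to be tuned on real traffic.
LURE_WORDS = ("paypal", "charged", "transaction", "invoice", "receipt",
              "unauthorized", "authorize", "refund")


def auth_verdicts(msg):
    """Extract spf/dkim/dmarc results from the Authentication-Results header."""
    hdr = str(msg.get("Authentication-Results", ""))
    return {k.lower(): v.lower() for k, v in AUTH_RE.findall(hdr)}


def invite_properties(msg):
    """SUMMARY and DESCRIPTION of the first text/calendar part, after RFC 5545
    line unfolding (CRLF + single space/tab) and text unescaping."""
    props = {}
    for part in msg.walk():
        if part.get_content_type() != "text/calendar":
            continue
        raw = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8")
        unfolded = re.sub(r"\r?\n[ \t]", "", raw)
        for line in unfolded.splitlines():
            name, sep, value = line.partition(":")
            key = name.split(";", 1)[0].upper()
            if sep and key in ("SUMMARY", "DESCRIPTION") and key not in props:
                props[key] = value.replace("\\n", "\n").replace("\\,", ",")
        break
    return props


def classify(raw):
    """Return authentication state, content signals and a verdict for a message."""
    msg = message_from_bytes(raw, policy=default)
    auth = auth_verdicts(msg)
    props = invite_properties(msg)
    text = " ".join(props.values())
    low = text.lower()
    signals = {
        "phone_in_invite": bool(PHONE_RE.search(text)),
        "amount_in_invite": bool(MONEY_RE.search(text)),
        "lure_words": sum(w in low for w in LURE_WORDS),
        "call_to_action": bool(re.search(r"\bcall\b", low)),
    }
    authenticated = all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    # Callback-phish shape: a number to call plus a payment pretext.
    suspicious = (signals["phone_in_invite"] and signals["call_to_action"]
                  and (signals["amount_in_invite"] or signals["lure_words"] >= 2))
    if suspicious and authenticated:
        verdict = "callback-phish via authenticated sender"
    elif suspicious:
        verdict = "callback-phish"
    else:
        verdict = "clean"
    return {"authenticated": authenticated, "auth": auth,
            "signals": signals, "suspicious": suspicious, "verdict": verdict}


if __name__ == "__main__":
    for label, sample in (("phish", PHISH_INVITE), ("benign", BENIGN_INVITE)):
        print(label, classify(sample))
```

The point of the two samples is that the authentication dictionary is identical for both; only the invite content separates them, which is why a gateway rule that stops at dmarc=pass will never see this campaign.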
Conclusion
This campaign underscores the need for user awareness and vigilance. Even when an email passes every authentication check and genuinely comes from a legitimate sender, its content can still be malicious. Users should treat unexpected Calendar invites carrying payment claims as suspicious, should never call a number or download software supplied in such a message, and should verify any disputed charge by logging in to the payment provider's site or app directly. Unwanted invites can be reported as junk from iCloud Calendar rather than declined, since declining notifies the sender that the address is live. Mail administrators should not rely on SPF, DKIM, and DMARC results as a measure of trust for messages from large shared platforms, and should extend content inspection to calendar invitations, including the Notes field. As attackers increasingly exploit trusted platforms like Apple and Microsoft, security awareness and healthy suspicion remain the best defenses against phishing.