Scammers are exploiting Apple’s iCloud Calendar system to send callback phishing emails that appear to originate from Apple’s own mail servers—complete with valid SPF, DKIM, and DMARC authentication—making them much more likely to bypass spam filters and land directly in users’ inboxes. The scam works by embedding the phishing text in the Notes field of an iCloud Calendar event. Apple then sends the invite from noreply@email.apple.com to a Microsoft 365 address that likely belongs to a mailing list, which forwards the invite on to multiple targets. Microsoft’s Sender Rewriting Scheme (SRS) allows the malicious invite to retain its authenticated appearance even after forwarding. Victims are lured by a fake PayPal payment notice and instructed to call a number, where they are pressured into installing remote access tools—often leading to malware infections, stolen data, or drained bank accounts.
Sources: Bleeping Computer, Malwarebytes, Bitdefender
Key Takeaways
– Trusted Infrastructure Misused: Attackers are abusing legitimate systems—Apple’s iCloud Calendar and Microsoft’s email forwarding—to make phishing attempts appear authentic and evade spam detection.
– Effective Social Engineering: Posing as urgent PayPal payment notices, these phishing emails press victims to call a malicious support line, where they’re tricked into granting remote access or downloading harmful software.
– Stay Vigilant with Unexpected Invites: Treat any surprise calendar invites—especially those with odd messages or supposed financial content—as potential scams, and verify through trusted channels before responding.
In-Depth
Scammers are stepping up their game by weaponizing a seemingly benign feature—Apple’s iCloud Calendar—to deliver phishing lures that slide right into users’ inboxes with alarming legitimacy. By embedding their deceptive message in the Notes field of a calendar event, attackers exploit Apple’s trusted domain (noreply@email.apple.com) to pass all major email authentication checks—SPF, DKIM, and DMARC—convincingly, as reported by Bleeping Computer.
The scheme doesn’t stop there. The phony invite is sent to a Microsoft 365 address likely created as part of a mailing list; as the list forwards the invite to the intended victims, Microsoft’s Sender Rewriting Scheme (SRS) rewrites the envelope sender (the return path) so that the forwarded email continues to pass SPF validation. Meanwhile, the visible “From” address still reads as Apple, helping the phishing message dodge detection systems.
Victims typically receive what looks like a PayPal receipt—such as a $599 charge—and are urged to call a support number to “dispute” or “cancel” it. Once they call, attackers employ scare tactics, asking to connect remotely or install software—often leading to data theft, malware infections, or drained accounts.
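As an added illustration of the header and content pattern described above (not code from the original article or any cited source), the following Python heuristic inspects a forwarded calendar invite: all three authentication results pass, so the useful signals are the SRS-rewritten envelope sender that differs from the From domain, combined with payment wording and a phone number in the event Notes. The sample message, the SRS-style Return-Path layout and every address and IP in it are constructed assumptions; Microsoft’s exact SRS token format may differ.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed sample, not a captured message: an iCloud invite carrying the lure in
# its DESCRIPTION (Notes), relayed by a Microsoft 365 list that SRS-rewrote the sender.
SAMPLE_INVITE = """\
Return-Path: <bounces+SRS=k9f2x=AB=email.apple.com=noreply@list.example.onmicrosoft.com>
Authentication-Results: spf=pass (sender IP is 203.0.113.10)
 smtp.mailfrom=list.example.onmicrosoft.com; dkim=pass header.d=email.apple.com;
 dmarc=pass action=none header.from=email.apple.com
From: iCloud <noreply@email.apple.com>
Content-Type: text/calendar; method=REQUEST

BEGIN:VCALENDAR
BEGIN:VEVENT
SUMMARY:PayPal payment receipt
DESCRIPTION:A charge of $599 was made to your PayPal account. To dispute or
  cancel this payment call +1-555-0100 now.
END:VEVENT
END:VCALENDAR
"""

CALLBACK_WORDS = re.compile(r"\$\s?\d|paypal|charge|payment|dispute|cancel", re.I)
PHONE = re.compile(r"\+?\d[\d\s().-]{7,}\d")

def analyze_invite(raw: str) -> dict:
    """Flag an invite that passes SPF/DKIM/DMARC yet shows the forwarded-lure
    pattern: trusted From domain, SRS-rewritten envelope sender from another
    domain, and payment wording plus a phone number in the event Notes."""
    msg = message_from_string(raw)
    def header(name):  # collapse folded header continuation lines
        return re.sub(r"\s+", " ", msg.get(name, ""))
    from_domain = parseaddr(header("From"))[1].rpartition("@")[2].lower()
    auth = header("Authentication-Results").lower()
    mailfrom = re.search(r"smtp\.mailfrom=([^\s;]+)", auth)
    mailfrom_domain = mailfrom.group(1).rpartition("@")[2] if mailfrom else ""
    body = re.sub(r"\r?\n[ \t]", "", msg.get_payload())  # unfold iCalendar lines
    desc = re.search(r"^DESCRIPTION:(.*)$", body, re.M)
    notes = desc.group(1) if desc else ""
    result = {
        "from_domain": from_domain,
        # all three pass by design here, so authentication alone is not the signal
        "auth_pass": all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc")),
        "srs_forwarded": bool(re.search(r"\bSRS[01]?=", header("Return-Path"), re.I)),
        "envelope_mismatch": bool(mailfrom_domain) and mailfrom_domain != from_domain,
        "callback_lure": bool(CALLBACK_WORDS.search(notes) and PHONE.search(notes)),
    }
    result["suspicious"] = result["callback_lure"] and (
        result["srs_forwarded"] or result["envelope_mismatch"])
    return result
```

Run over real mail, the same invite without the phone number scores as not suspicious, which is the intended behaviour: the check targets the callback lure, not calendar invites from Apple in general.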
This attack demonstrates how social engineering paired with technical subversion of trusted platforms can be astoundingly effective. To protect yourself, never respond directly to unexpected calendar invites; instead, log in to the relevant service (like PayPal) directly via your browser, enable two-factor authentication, and report phishing attempts to proper channels. Above all, treat unsolicited calendar messages with the same scrutiny you’d reserve for suspicious emails—because today’s threat actors are counting on your guard being down.