👤 AUDITWOLF
🗓️ 08 Sep 2025  

The Trojan Calendar: How Apple’s iCloud Became a Phishing Playground

Scammers are hijacking Apple’s trusted calendar invites to deliver convincing phishing emails that slip past defenses and into your inbox.

Fast Facts

  • Phishers are abusing iCloud Calendar invites to send scam emails from Apple’s servers.
  • These emails appear to come from a legitimate Apple address, passing key security checks.
  • Victims are lured with fake payment notifications and urged to call a scam “support” number.
  • This method allows phishing emails to bypass many common spam filters.
  • The scam echoes similar past attacks leveraging trusted brands and infrastructure.

The Scene: When Trust Becomes a Trap

Imagine receiving a calendar invite that looks as innocuous as a lunch meeting - except it’s actually a wolf in sheep’s clothing, carrying a scam straight to your digital doorstep. That’s the reality facing many users as cybercriminals exploit Apple’s iCloud Calendar, using its trusted infrastructure to sneak phishing scams past even the most vigilant defenses.

The Mechanics: Turning Apple’s Calendar into a Scam Delivery System

According to a report by BleepingComputer, scammers are sending callback phishing emails disguised as purchase receipts - often referencing unauthorized PayPal charges - via iCloud Calendar invites. The hook? The emails come directly from Apple’s own servers (noreply@email.apple.com), passing all the usual authentication checks like SPF, DKIM, and DMARC. This digital sleight of hand makes the emails appear as genuine as any Apple notification.

The phishing message is tucked inside the “Notes” section of the calendar invite, urging recipients to call a support number to dispute a supposed charge. When victims call, scammers attempt to escalate the fear, often asking to remotely access the victim’s computer under the guise of providing a refund - a tactic historically used to steal money or install malware.

Bypassing Defenses: Why This Works

Most spam filters rely on sender reputation and authentication checks. By piggybacking on Apple’s infrastructure, scammers sidestep these barriers. The emails not only pass technical scrutiny but also exploit the psychological trust users place in well-known brands. In this case, forwarded invites sent to group email addresses (like Microsoft 365 distribution lists) are further disguised using a Sender Rewriting Scheme (SRS), which rewrites the return address so the emails continue to pass security checks as they move through different systems.
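
Because the sender authenticates cleanly, detection has to look at the content of the invite itself, in particular the “Notes” field described above. The following is an added example, not code from the original report or from Apple: a triage sketch that extracts the DESCRIPTION (Notes) text from a text/calendar part and flags a phone number combined with payment-lure wording. The sample message, the keyword list and the function names are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample: passes SPF/DKIM/DMARC, lure sits in the invite's DESCRIPTION.
SAMPLE = """\
From: noreply@email.apple.com
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/calendar; method=REQUEST; charset="utf-8"

BEGIN:VCALENDAR
BEGIN:VEVENT
SUMMARY:Purchase Invoice
DESCRIPTION:Your PayPal account was charged $599.00. To dispute\\, call
  +1 (555) 010-0199 for a refund.
END:VEVENT
END:VCALENDAR
"""

LURE = re.compile(r"paypal|charged|refund|invoice|dispute|unauthorized", re.I)  # illustrative list
PHONE = re.compile(r"\+?\d[\d\s().-]{8,}\d")

def invite_notes(msg):
    """Return the unescaped DESCRIPTION ("Notes") text of each text/calendar part."""
    notes = []
    for part in msg.walk():
        if part.get_content_type() != "text/calendar":
            continue
        ics = part.get_payload(decode=True).decode("utf-8", "replace")
        ics = re.sub(r"\r?\n[ \t]", "", ics)  # RFC 5545: undo line folding first
        for line in ics.splitlines():
            name, _, value = line.partition(":")
            if name.split(";")[0].upper() == "DESCRIPTION":
                notes.append(re.sub(r"\\(.)", lambda m: "\n" if m[1] in "nN" else m[1], value))
    return notes

def triage(raw):
    """List reasons to quarantine; an empty list means no callback lure was found."""
    msg = message_from_string(raw)
    auth = msg.get("Authentication-Results", "").lower()
    findings = ["callback lure in invite notes"
                for note in invite_notes(msg)
                if PHONE.search(note) and LURE.search(note)]
    if findings and "dmarc=pass" in auth:
        findings.append("sender authenticated: verdict must come from content, not SPF/DKIM/DMARC")
    return findings
```

The unfolding step matters: a phone number split across a folded line would otherwise be missed by the pattern match.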

This isn’t the first time trusted platforms have been weaponized. Similar campaigns have misused PayPal’s “New Address” notifications or Google Calendar invites, always with the goal of making malicious messages look like routine business.

Wider Implications: The Attack Surface of Trust

As more brands become platforms for third-party communication, their features - designed for convenience - can be twisted for crime. Apple’s silence on this latest abuse (as reported by BleepingComputer) highlights a broader problem: even the most secure companies can be unwitting accomplices when their systems are manipulated in unexpected ways. For organizations and individuals alike, the lesson is clear: trust, but verify - especially when a calendar invite arrives out of the blue with an urgent message.

Conclusion

In the digital age, trust is both a currency and a vulnerability. The iCloud Calendar phishing scheme is a stark reminder that even the most familiar tools can be turned against us. Staying safe means questioning the unexpected - even when it wears the mask of your favorite brand.

WIKICROOK

  • Phishing: Phishing is a cybercrime where attackers send fake messages to trick users into revealing sensitive data or clicking malicious links.
  • SPF (Sender Policy Framework): An email authentication method that checks if a mail server is allowed to send messages for a specific domain.
  • DKIM (DomainKeys Identified Mail): DKIM is an email security system that uses digital signatures to prove emails are authentic and haven’t been altered, helping prevent spoofing.
  • DMARC (Domain-based Message Authentication, Reporting and Conformance): DMARC is an email security policy that tells mail servers how to handle messages failing SPF or DKIM checks, helping prevent spoofed emails.
  • Sender Rewriting Scheme (SRS): Sender Rewriting Scheme (SRS) updates sender addresses during email forwarding to ensure messages pass SPF checks and are not rejected or marked as spam.
