New Apple Warning—This iCloud Calendar Invite Is Actually An Attack

A new Apple warning has been issued after it emerged that iCloud Calendar invites are being abused to send callback phishing emails, disguised as purchase notifications, directly from Apple’s email servers.

This makes them more likely to bypass spam filters to land in targets’ inboxes, according to a report on Bleeping Computer.

The Apple iCloud Calendar warning comes after a reader shared a suspicious email with Bleeping Computer. The email included a false PayPal payment alongside a phone number for the reader to contact if they wanted to discuss it.

“Hello Customer, Your PayPal account has been billed $599.00. We’re confirming receipt of your recent payment,” the email stated.

In this iCloud Calendar variation of a “callback phishing scam,” attackers were aiming for the user to call back so they could convince them their account had been hacked. The hope would be that attackers could convince the victim to download software so they could then steal credentials or cash.

However, in this case the email was sent from noreply@email.apple.com. This is Apple’s email address, so the email would pass sender authentication checks and appear to have legitimately come from Apple’s mail server, Bleeping Computer warned.

The site showed how this was done. The email was actually an iCloud Calendar invite. “The threat actor included the phishing text within the Notes field and then invited a Microsoft 365 email address that they controlled,” Bleeping Computer explained.

These Fake Invites Are More Difficult To Spot

By embedding a fake payment alert, such as a $599 PayPal charge, into the “notes” field, criminals trick users into calling fraudulent “support” numbers, says Jamie Akhtar, CEO and cofounder at CyberSmart. “Because these invites are sent from Apple’s legitimate servers, they pass authentication checks and appear trustworthy, making them far harder for traditional filters to block.”

This latest report shows “an ongoing trend of phishing that rides on reputable services,” says Javvad Malik, lead CISO advisor at KnowBe4. “These attacks, such as the one using iCloud Calendar, pass SPF/DKIM/DMARC, and land in inboxes with borrowed legitimacy. People don’t scrutinise calendar links the way they do email links, so a meeting invite with a call back number lowers defences and funnels victims into vishing or remote‑access scams.”

Malik describes how KnowBe4 Threat Labs has seen similar campaigns launched through legitimate platforms AppSheet, Microsoft, Google, QuickBooks and Telegram, which bypass native and secure email gateway (SEG) controls.

Malicious iCloud Calendar Invites: Avoid Being Caught

The fake iCloud Calendar invite scam is certainly concerning, but there are some steps you can take to ensure you don’t get caught out by similar attacks.

Don’t just hunt for misspellings and spoofed domains: Look at the intent, Malik advises. “Ask if this communication was expected, is it trying to spike emotion, and is there an artificial time limit pushing you to act now? If the answer is yes to any, stop and self‑verify via a known channel. And treat calendar invites with the same scepticism as email.”

If you are a business, you should remind staff to be cautious of unexpected calendar entries, avoid responding to unknown numbers and verify suspicious messages through a separate channel, says Akhtar.

Disabling auto-acceptance of invites, enforcing multi-factor authentication, and applying strong filtering controls can also reduce exposure, he says. “A mix of technical safeguards and user awareness is essential against these evolving phishing tactics.”
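
As an added example (not from the article or the Bleeping Computer report), here is one way a filtering control could inspect an invite's notes field and flag a payment lure paired with a callback number, even when SPF/DKIM/DMARC pass. The sample message, the regex heuristics and the function names are constructed assumptions.

```python
import re
from email import message_from_string, policy

# Constructed sample (not a real message): authentication passes, but the
# invite's notes (iCalendar DESCRIPTION) hold a payment lure and a phone number.
SAMPLE = """\
From: noreply@email.apple.com
To: user@example.com
Subject: Invitation: Purchase Invoice
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/calendar; method=REQUEST; charset="utf-8"

BEGIN:VCALENDAR
BEGIN:VEVENT
SUMMARY:Purchase Invoice
DESCRIPTION:Hello Customer\\, Your PayPal account has been billed $599.00.
  To discuss this payment call +1 (555) 010-0199
END:VEVENT
END:VCALENDAR
"""

# Heuristics are assumptions for illustration; tune them against real mail.
PHONE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
LURE = re.compile(r"\$\s?\d|\b(?:billed|invoice|payment|refund|charged)\b", re.I)

def invite_notes(raw):
    """Return unfolded, unescaped DESCRIPTION values of text/calendar parts."""
    notes = []
    for part in message_from_string(raw, policy=policy.default).walk():
        if part.get_content_type() != "text/calendar":
            continue
        ics = re.sub(r"\r?\n[ \t]", "", part.get_content())  # RFC 5545 unfolding
        for line in ics.splitlines():
            name, _, value = line.partition(":")
            if name.split(";")[0].upper() == "DESCRIPTION":
                notes.append(re.sub(r"\\(.)", lambda m: "\n" if m[1] in "nN" else m[1], value))
    return notes

def assess(raw):
    """Verdict from invite content; a DMARC pass is reported but never clears it."""
    msg = message_from_string(raw, policy=policy.default)
    auth_pass = "dmarc=pass" in str(msg.get("Authentication-Results", "")).lower()
    for note in invite_notes(raw):
        phone = PHONE.search(note)
        if phone and LURE.search(note):
            return {"suspicious": True, "auth_pass": auth_pass, "callback": phone.group()}
    return {"suspicious": False, "auth_pass": auth_pass, "callback": None}

if __name__ == "__main__":
    print(assess(SAMPLE))
```

A hit with `auth_pass` set to true is the case the article describes: the sending service is legitimate, so the invite content is the only signal left to score.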

As attackers increasingly use phishing to steal information and ultimately cash, the Apple iCloud Calendar campaign is one of many. With this in mind, always hover your mouse over links you receive via email or invite and, ideally, log onto the website separately in your browser to check or change anything on important accounts.
