iCloud Calendar invitations are being abused to ship callback phishing emails disguised as buy notifications straight from Apple’s e mail servers, making them extra more likely to bypass spam filters to land in targets’ inboxes.
Earlier this month, a reader shared an e mail with BleepingComputer that claimed to be a cost receipt for $599 charged towards the recipient’s PayPal account. This e mail included a telephone quantity if the recipient needed to debate the cost or make adjustments to it.
“Hi there Buyer, Your PayPal account has been billed $599.00. We’re confirming receipt of your latest cost,” learn the e-mail.
“In the event you want to talk about or make adjustments to this cost, please contact our assist group at +1 +1 (786) 902-8579. Contact us to cancel +1 (786) 902-8579,” continued the e-mail.
Supply: BleepingComputer
The aim of those emails is to trick recipients into pondering their PayPal account was fraudulently charged to make a purchase order and scare the e-mail recipient into calling the scammer’s “assist” telephone quantity.
When calling the quantity, a scammer will attempt to scare you into pondering your account was hacked or that they want to hook up with your laptop to provoke a refund, asking you to obtain and run software program.
Nonetheless, in earlier scams like this, this distant entry was used to steal cash from financial institution accounts, deploy malware, or steal knowledge from the pc.
Abusing iCloud Calendar invitations to ship emails
The lure on this e mail is a typical callback phishing rip-off, however what was unusual was that it was despatched from noreply@e mail.apple.com, passing the SPF, DMARC, and DKIM e mail safety checks, signifying that it legitimately got here from Apple’s mail server.
Authentication-Outcomes: spf=move (sender IP is 17.23.6.69)
smtp.mailfrom=e mail.apple.com; dkim=move (signature was verified)
header.d=e mail.apple.com;dmarc=move motion=none header.from=e mail.apple.com;
As you possibly can see from the above phishing e mail, this e mail is definitely an iCloud Calendar invite, the place the risk actor included the phishing textual content throughout the Notes subject after which invited a Microsoft 365 e mail deal with that they managed.
When the iCloud Calendar occasion is created and exterior individuals are invited, an e mail invitation is shipped from Apple’s servers at e mail.apple.com from the iCloud Calendar proprietor’s title with the e-mail deal with “noreply@e mail.apple.com”
Within the e mail seen by BleepingComputer, the invitation is addressed to a Microsoft 365 account, “[email protected]”.
Just like a earlier phishing marketing campaign that utilized PayPal’s “New Tackle” function, it’s believed that the Microsoft 365 e mail deal with to which the invite is shipped is definitely a mailing record that routinely forwards any e mail it receives to all different group members.
On this case, the mailing record members are the targets of the phishing rip-off.
As the e-mail was initially initiated from Apple’s e mail servers, whether it is forwarded by Microsoft 365, it might normally fail SPF e mail checks.
To forestall this, Microsoft 365 makes use of the Sender Rewriting Scheme (SRS) to rewrite the Return path to an deal with related to Microsoft, permitting it to move SPF checks.
Authentic Return-Path: noreply@e mail.apple.com
Rewritten Return-Path: [email protected]
Whereas there may be nothing notably particular concerning the phishing lure itself, the abuse of the authentic iCloud Calendar invite function, Apple’s e mail servers, and an Apple e mail deal with provides a way of legitimacy to the e-mail and likewise permits it to probably bypass spam filters because it comes from a trusted supply.
As a basic rule, for those who obtain an surprising Calendar invite with an odd message inside it, it ought to be handled with warning.
BleepingComputer contacted Apple about this rip-off, however didn’t obtain a response to our e mail.
46% of environments had passwords cracked, almost doubling from 25% final yr.
Get the Picus Blue Report 2025 now for a complete have a look at extra findings on prevention, detection, and knowledge exfiltration tendencies.
