Scammers are abusing iCloud Calendar to send phishing emails
Phishing attacks are becoming increasingly sophisticated, and the latest scam takes exploitation of a trusted platform to a new level. Instead of sending generic or suspicious-looking emails, attackers are now abusing Apple’s iCloud Calendar invite system to deliver phishing content directly from Apple’s own email servers.
This clever tactic allows the fraudulent messages to bypass spam filters and appear more legitimate to unsuspecting users. The goal is to alarm you into calling a scammer’s fake support number under the pretense of disputing a fraudulent PayPal transaction. Once contacted, you are manipulated into granting remote access to your devices or sharing sensitive data. And while this particular scam targets Apple’s ecosystem, it’s important to understand the method even if you’re not an Apple user, since attackers often reuse the same tricks across different platforms and services.
Credit: BleepingComputer
How the scam uses iCloud Calendar invites to bypass security
The heart of this scam lies in abusing Apple’s official infrastructure to lend credibility to a phishing attempt. Instead of using a suspicious or easily flagged email address, the attackers send calendar invites from Apple’s genuine domain, noreply@email.apple.com, as reported by Bleeping Computer.
The attacker embeds the phishing message in the “Notes” section of the calendar event, making it appear as a legitimate notification. They send the calendar invite to a Microsoft 365 email address they control, which is part of a mailing list. As a result, the invite is automatically forwarded to multiple real targets, broadening the scam’s reach.
Typically, when emails are forwarded, SPF (Sender Policy Framework) checks fail because the forwarding server isn’t listed as an authorized sender. However, Microsoft 365 uses a technique called the Sender Rewriting Scheme (SRS), which rewrites the return path so that the message still passes SPF checks.
This makes the email appear fully legitimate to both the recipient’s inbox and automated spam filters. As a result, the message is far more likely to reach a user’s inbox without being flagged, increasing the chance the victim will take the bait.
Why these phishing scams are particularly dangerous
What makes this campaign especially dangerous is the sense of legitimacy it conveys. Because Apple’s official servers send the email directly, users are far less likely to suspect foul play. The message itself aims to panic the recipient by falsely claiming a large PayPal transaction occurred without their consent. The message includes a phone number to “contact support” and dispute the charge, but in reality, it connects the victim to a scammer.
Once the victim calls the number, the scammer poses as a technical support agent and attempts to convince them that their computer has been compromised. The next step is typically to ask the victim to download remote access software, under the guise of issuing a refund or securing the account.
In reality, this access is used to steal banking information, install malware, or exfiltrate personal data. Because the original message passed security checks and seemed credible, victims often don’t think twice before acting.
6 ways you can stay safe from iCloud Calendar scammers
I have listed some useful steps you can take to protect yourself from falling victim to these increasingly sophisticated phishing scams:
1) Treat unexpected calendar invites with caution
If you receive an unexpected calendar invite, especially one containing a strange message or alarming claims, don’t open it or respond. Legitimate companies rarely send payment disputes or security warnings through calendar invites. Always verify suspicious claims by logging into your official account directly.
2) Avoid calling numbers listed in emails or calendar invites
Phishing scams often include phone numbers that connect you to fraudsters posing as support agents. Instead of calling the number in the message, use official contact details found on the company’s official website.
3) Install trusted antivirus software
Antivirus programs protect your computer from malware and phishing sites by blocking suspicious downloads and warning you about unsafe websites.
The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe. Also, keeping your antivirus updated ensures it can defend against the latest threats.
TotalAV is easy to set up and offers real-time protection for paid users, keeping your devices safe around the clock. It includes tools to block phishing scams, remove ransomware and spyware, and clean up adware and junk files. The software also features a browser manager, system tune-up tools, and protects across Windows, Mac, Android, and iOS devices.
GET MY EXCLUSIVE CYBERGUY TOTALAV DEAL:
Please note:
1) If you're having difficulty seeing either of the above deals, do this:
- If you're on a mobile device, hold down the link above, "Copy Link", and then paste it into a private or incognito browser.
- If you're on a laptop or desktop, right click the link, "Copy Link", and then paste it into a private or incognito browser.
2) During registration you may see optional upsells you can decline. Our top pick is the core antivirus product.
3) If you need help after your purchase, you can reach TotalAV directly through their official support page here.
4) Remove your personal data from public listings
Hackers are able to send you these phishing emails because they have your data. Using a personal data removal service helps scrub your personal information from data broker websites. This makes it significantly harder for attackers to gather details about you and craft convincing, targeted phishing attacks.
While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren’t cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.
Incogni, a service I trust 100% and use myself, helps automate the process by submitting removal requests to hundreds of data brokers and people-search sites on your behalf.
Incogni automatically contacts data brokers on your behalf and requests the removal of your personal information. It also continues monitoring those sites and submits new removal requests if your data reappears.
- Incogni currently removes personal data from 420+ data broker and people-search websites, and its Unlimited plan allows you to request removals from as many additional sites as you need.
- Incogni has also received third-party assurance from Deloitte, validating its marketing claims.
- The goal is simple: make it much harder for strangers, scammers, and cybercriminals to find your personal information online.
CyberGuy readers get 60% off Incogni’s annual plans using the links in this article.
The service also includes a 30-day money-back guarantee, so you can try it risk-free and see how much of your information is exposed online.
Is your personal information exposed online?
Run a free scan to see if your personal info is compromised. Results arrive by email in about an hour.
5) Use a password manager
A password manager helps you generate and securely store strong, unique passwords for every account. This reduces the risk of reusing weak passwords that scammers can easily exploit to gain unauthorized access to your accounts.
Next, see if your email has been exposed in past breaches. Our #1 pick, NordPass, includes a built-in breach scanner that checks whether your email address or passwords have appeared in known leaks. If you discover a match, immediately change any reused passwords and secure those accounts with new, unique credentials.
- Unlimited password storage
- Secure sharing
- Password health reports
- Auto-fill and emergency access
- Data breach monitoring to alert you if your credentials have been exposed
- A Security Dashboard with tools like the Data Breach Scanner and Password Health Checker to identify weak, reused, or compromised passwords
CyberGuy Exclusive Deal: Save 52% now with CyberGuy’s exclusive NordPass offer – Get 1 extra month FREE with a 2-year plan. Try 30 days risk-free for only $1.43 per month!
6) Keep software and systems updated
Regularly updating your operating system, browser, and applications helps patch security vulnerabilities that attackers often exploit in phishing scams. Staying current with updates minimizes your exposure to known threats.
Related Links:
- Long-dormant Mac malware returns with advanced capabilities
- 10 ways to secure your older Mac from threats and malware
- Malware targets Mac users with fake CAPTCHA and AMOS Stealer
Kurt’s key takeaway
Scammers are taking phishing attacks in a disturbing new direction by manipulating trusted platforms to deliver malicious content. The safest approach is to treat any unexpected calendar invite, especially those with alarming messages or strange contact numbers, with extreme caution. Never call the number provided in the message or click on any links. Instead, go directly to official websites or your account’s official dashboard to verify suspicious activity.
Have you ever been targeted by a phishing scam disguised as an official message? Let us know in the comments below.
FOR MORE OF MY SECURITY ALERTS, SUBSCRIBE TO MY FREE CYBERGUY REPORT NEWSLETTER HERE
Copyright 2025 CyberGuy.com. All rights reserved. CyberGuy.com articles and content may contain affiliate links that earn a commission when purchases are made.