
iCloud Calendar invites are being abused to send callback phishing emails disguised as purchase notifications directly from Apple’s email servers, making them more likely to bypass spam filters and land in targets’ inboxes.

Earlier this month, a reader shared an email with BleepingComputer that claimed to be a payment receipt for $599 charged against the recipient’s PayPal account. This email included a phone number if the recipient wanted to discuss the payment or make changes to it.

“Hello Customer, Your PayPal account has been billed $599.00. We’re confirming receipt of your recent payment,” reads the email.

“If you wish to discuss or make changes to this payment, please contact our support team at +1 +1 (786) 902-8579. Contact us to cancel +1 (786) 902-8579,” continued the email.

iCloud Calendar invites used for phishing emails
Source: BleepingComputer

The goal of these emails is to trick recipients into thinking their PayPal account was fraudulently charged to make a purchase and scare the email recipient into calling the scammer’s “support” phone number.

When calling the number, a scammer will try to scare you into thinking your account was hacked or that they need to connect to your computer to initiate a refund, asking you to download and run software.

However, in previous scams like this, this remote access was used to steal money from bank accounts, deploy malware, or steal data from the computer.

Abusing iCloud Calendar invites to send emails

The lure in this email is a typical callback phishing scam, but what was unusual was that it was sent from noreply@email.apple.com, passing the SPF, DMARC, and DKIM email security checks, indicating that it legitimately came from Apple’s mail server.


Authentication-Results: spf=pass (sender IP is 17.23.6.69)
 smtp.mailfrom=email.apple.com; dkim=pass (signature was verified)
 header.d=email.apple.com;dmarc=pass action=none header.from=email.apple.com;

As you can see from the above phishing email, this email is actually an iCloud Calendar invite, where the threat actor included the phishing text within the Notes field and then invited a Microsoft 365 email address that they controlled.

When an iCloud Calendar event is created and external people are invited, an email invitation is sent from Apple’s servers at email.apple.com under the iCloud Calendar owner’s name with the email address “noreply@email.apple.com”.

In the email seen by BleepingComputer, the invitation is addressed to a Microsoft 365 account, “Billing3@WilliamerDickinsonerLTD.onmicrosoft.com”.

Similar to a previous phishing campaign that utilized PayPal’s “New Address” feature, it is believed that the Microsoft 365 email address to which the invite is sent is actually a mailing list that automatically forwards any email it receives to all other group members.

In this case, the mailing list members are the targets of the phishing scam.

As the email was originally initiated from Apple’s email servers, if it is forwarded by Microsoft 365, it would usually fail SPF email checks.

To prevent this, Microsoft 365 uses the Sender Rewriting Scheme (SRS) to rewrite the Return path to an address associated with Microsoft, allowing it to pass SPF checks.


Original Return-Path: noreply@email.apple.com
Rewritten Return-Path: bounces+SRS=8a6ka=3I@williamerdickinsonerltd.onmicrosoft.com

While there is nothing particularly special about the phishing lure itself, the abuse of the legitimate iCloud Calendar invite feature, Apple’s email servers, and an Apple email address adds a sense of legitimacy to the email and also allows it to potentially bypass spam filters as it comes from a trusted source.

As a general rule, if you receive an unexpected Calendar invite with a strange message inside it, it should be treated with caution.
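Because sender authentication passes for these messages, a mail filter has to look at content and forwarding signals instead. The following triage sketch is an added example, not code from the article or from any vendor; the function names, the brand and keyword lists, and the sample's display name and subject are assumptions, and the sample message is constructed from the header values quoted above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: header values from the article, body abridged from the quoted lure.
SAMPLE = """\
Return-Path: <bounces+SRS=8a6ka=3I@williamerdickinsonerltd.onmicrosoft.com>
Authentication-Results: spf=pass (sender IP is 17.23.6.69)
 smtp.mailfrom=email.apple.com; dkim=pass (signature was verified)
 header.d=email.apple.com;dmarc=pass action=none header.from=email.apple.com;
From: Example Owner <noreply@email.apple.com>
To: Billing3@WilliamerDickinsonerLTD.onmicrosoft.com
Subject: Invitation

Hello Customer, Your PayPal account has been billed $599.00.
Contact us to cancel +1 (786) 902-8579
"""

PHONE = re.compile(r"\+?1?[\s.-]*\(?\d{3}\)?[\s.-]*\d{3}[\s.-]*\d{4}")
BRANDS = ("paypal",)  # assumption: brands the sending service would never bill for
BILLING = ("billed", "payment", "refund", "charged")  # assumption: lure keywords

def callback_phish_signals(raw):
    """Return the list of signals found in one raw single-part message."""
    msg = message_from_string(raw)
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rp = parseaddr(msg.get("Return-Path", ""))[1].lower()
    rp_local, _, rp_domain = rp.rpartition("@")
    body = msg.get_payload().lower()
    signals = []
    if "dmarc=pass" in auth and from_domain:
        signals.append("authenticated:" + from_domain)
    # SRS rewrite on a domain other than the From domain means a forwarder relayed it.
    if "+srs=" in rp_local and rp_domain != from_domain:
        signals.append("srs-forwarded-via:" + rp_domain)
    # A billing notice naming a brand unrelated to the authenticated sender.
    brands = [b for b in BRANDS if b in body and b not in from_domain]
    if brands and any(word in body for word in BILLING):
        signals.append("third-party-billing:" + ",".join(brands))
    if PHONE.search(body):
        signals.append("callback-number")
    return signals

def is_suspicious(raw):
    """Flag a brand-mismatched billing notice that asks the reader to phone in."""
    found = callback_phish_signals(raw)
    return "callback-number" in found and any(
        s.startswith("third-party-billing:") for s in found)
```

The authentication and SRS signals are context for an analyst rather than verdicts on their own, since ordinary forwarded invitations produce them too.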

BleepingComputer contacted Apple about this scam, but did not receive a response to our email.
