My iCloud Calendar Misused for Sending Phishing Emails via Apple’s Servers
iCloud Calendar invites are being exploited to facilitate callback phishing emails disguised as purchase notifications, originating directly from Apple’s email servers. This tactic increases the likelihood of these emails bypassing spam filters and landing in the recipients’ inboxes. Recently, a reader shared an email with BleepingComputer that falsely claimed to be a payment receipt for $599 charged to the recipient’s PayPal account. The email included a phone number for recipients who wished to discuss or modify the payment, stating, “Hello Customer, Your PayPal account has been billed $599.00. We’re confirming receipt of your recent payment.”
The primary objective of these emails is to deceive recipients into believing their PayPal account has been fraudulently charged, prompting them to call the scammer’s “support” number. Upon calling, the scammer attempts to instil fear by suggesting the recipient’s account has been hacked or that they need to connect to their computer to process a refund. This method has previously been used to steal money, deploy malware, or extract sensitive data. The phishing email, which masquerades as a legitimate iCloud Calendar invite, successfully passed SPF, DMARC, and DKIM email security checks, indicating it genuinely came from Apple’s mail server. The email was sent from “noreply@email.apple.com” and included phishing content within the Notes field, targeting a Microsoft 365 email address controlled by the threat actor.
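Because SPF, DKIM, and DMARC all pass on these invites, a filter has to look at the invite content itself. The following triage sketch is an added example, not part of the original article: it reads the Notes (`DESCRIPTION`) field of a `text/calendar` part and flags a phone number combined with payment language. The sample message, the keyword list, the phone number, and the function names are constructed assumptions.

```python
import re
from email import message_from_string, policy
# Constructed sample, not the real message: an invite that passes all three checks.
SAMPLE = """From: noreply@email.apple.com
To: list@example.com
Subject: Purchase Invoice
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=email.apple.com;
 dkim=pass header.d=email.apple.com; dmarc=pass header.from=email.apple.com
MIME-Version: 1.0
Content-Type: text/calendar; method=REQUEST; charset="utf-8"

BEGIN:VCALENDAR
BEGIN:VEVENT
SUMMARY:Purchase Invoice
DESCRIPTION:Hello Customer. Your PayPal account has been billed $599.00.
  To discuss or modify this payment call +1 (202) 555-0143.
END:VEVENT
END:VCALENDAR
"""

# Heuristics chosen for this example: a phone-like digit run and payment wording.
PHONE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
LURE = re.compile(r"\b(billed|charged|payment|invoice|refund|paypal)\b", re.I)

def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for key, value in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header), re.I):
            verdicts[key.lower()] = value.lower()
    return verdicts

def invite_notes(msg):
    """Return the DESCRIPTION (Notes) text of the first text/calendar part."""
    for part in msg.walk():
        if part.get_content_type() == "text/calendar":
            ics = re.sub(r"\r?\n[ \t]", "", part.get_content())  # unfold lines
            match = re.search(r"^DESCRIPTION[^:\n]*:(.*)$", ics, re.M)
            return match.group(1).strip() if match else ""
    return ""

def triage(raw):
    """Score on invite content; passing authentication only proves the sender."""
    msg = message_from_string(raw, policy=policy.default)
    auth, notes = auth_results(msg), invite_notes(msg)
    has_phone = bool(PHONE.search(notes))
    lure_terms = sorted({w.lower() for w in LURE.findall(notes)})
    return {"auth_all_pass": all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc")),
            "has_phone": has_phone, "lure_terms": lure_terms,
            "suspicious": has_phone and bool(lure_terms)}
```

Calling `triage(SAMPLE)` reports `auth_all_pass` and `suspicious` as both true, which is the combination the article describes: an authenticated sender carrying a callback lure.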