As first reported by Bleeping Computer, cybercriminals are abusing Apple’s iCloud Calendar system to send phishing emails that appear to come from Apple’s own servers. In this novel callback phishing campaign, attackers send bogus purchase confirmation emails—like a fake $599 PayPal charge—that include a phone number for recipients to call if they want to dispute the payment.
These messages are delivered as iCloud Calendar invites, which Apple itself dispatches from noreply@email.apple.com. Because the mail genuinely originates from Apple's infrastructure, it passes SPF, DKIM, and DMARC. Those checks authenticate the sending domain, not the content, so the invites look legitimate and slip past filters that lean on authentication results.
The malicious iCloud calendar invite. Source: bleepingcomputer.com.
The scam tricks users into calling the fake support number, where the attackers escalate by requesting remote access to the victim's device, ostensibly to process a refund. In reality, that access is used to steal banking credentials, deploy malware, or exfiltrate sensitive data.
The lure text is embedded in the Notes field of the calendar invite, and the invite is first sent to a Microsoft 365 address the attacker controls, likely a mailing list that forwards it on to larger groups of victims. Forwarding would normally break SPF, because the forwarder's server is not an authorized sender for email.apple.com. Microsoft's Sender Rewriting Scheme (SRS) rewrites the envelope sender (MAIL FROM) to the forwarding tenant's own domain, so the forwarded copy still passes SPF at the final recipient, while the From header and Apple's DKIM signature stay intact provided the forwarder leaves the signed content unmodified. The detour through attacker-controlled infrastructure is thereby hidden.
What makes this campaign particularly dangerous is its abuse of trusted infrastructure—Apple’s servers and Microsoft’s forwarding system—to add legitimacy and avoid detection.
Security professionals should take from this that phishing does not depend on sender spoofing: abusing a trusted service such as iCloud Calendar yields mail that is authentically from Apple, and passing authentication results attest to origin, not intent. Organizations should inspect inbound calendar invites (the text/calendar part and its Notes field) for payment amounts paired with phone numbers, educate users about callback phishing and the remote-access pretext that follows the call, and alert on unexpected installation or launch of remote-access tools on endpoints.
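The inspection the previous paragraph calls for, as an added example that is not from the article or from Apple or Microsoft: a Python triage routine that parses an invite e-mail, records the (genuine) SPF/DKIM/DMARC verdicts, notes whether the envelope sender carries a forwarder's SRS rewrite, pulls the Notes field (`DESCRIPTION`) out of the `text/calendar` part, and scores it for callback-phishing indicators. Both messages, every address, and the phone number are constructed; the `+SRS=` subaddress form is an assumption about how Microsoft 365 rewrites forwarded senders, while `SRS0=`/`SRS1=` come from the SRS specification; the function names are mine.

```python
"""Triage an iCloud-style calendar invite for callback-phishing indicators (added example)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample 1: DKIM/DMARC pass for email.apple.com because Apple really sent
# it; the Microsoft 365 forwarder rewrote the envelope sender (SRS) so SPF passes too;
# the lure sits in the invite's DESCRIPTION (the "Notes" field), not in text/plain.
LURE_EML = """\
Return-Path: <list+SRS=abcd=XY=email.apple.com=noreply@attacker-tenant.example>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=attacker-tenant.example; dkim=pass header.d=email.apple.com; dmarc=pass header.from=email.apple.com
From: iCloud <noreply@email.apple.com>
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

You have been invited to an event.
--b1
Content-Type: text/calendar; method=REQUEST; charset=utf-8

BEGIN:VCALENDAR
BEGIN:VEVENT
SUMMARY:Purchase confirmation
DESCRIPTION:Your PayPal account was charged $599.00. If you did not
  authorise this payment call +1-800-555-0199 within 24 hours to dispute.
END:VEVENT
END:VCALENDAR
--b1--
"""
# Constructed sample 2: an ordinary invite sent directly, nothing to flag.
BENIGN_EML = """\
Return-Path: <noreply@email.apple.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=email.apple.com; dkim=pass header.d=email.apple.com; dmarc=pass header.from=email.apple.com
From: iCloud <noreply@email.apple.com>
Content-Type: text/calendar; method=REQUEST; charset=utf-8

BEGIN:VCALENDAR
BEGIN:VEVENT
SUMMARY:Team sync
DESCRIPTION:Weekly status meeting. Agenda in the shared doc.
END:VEVENT
END:VCALENDAR
"""
SRS_RE = re.compile(r"(^SRS[01]=|\+SRS=)", re.I)  # SRS0/1 per the SRS spec; "+SRS=" is
# the subaddress form Microsoft 365 is assumed here to use for rewritten senders.
AMOUNT_RE = re.compile(r"[$€£]\s?\d[\d,]*(?:\.\d{2})?")
PHONE_RE = re.compile(r"\+?\d[\d\-\s().]{7,}\d")
PAYMENT_TERMS = ("paypal", "charged", "purchase", "invoice", "payment", "refund")
CALLBACK_TERMS = ("call", "dispute", "cancel", "contact")

def parse_auth_results(header):
    """{'spf': 'pass', 'dkim': 'pass', 'dmarc': 'pass'} from an Authentication-Results header."""
    pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header or "", re.I)
    return {k.lower(): v.lower() for k, v in pairs}

def is_srs_rewritten(return_path):
    """True when the envelope sender's local part carries a forwarder's SRS rewrite."""
    return bool(SRS_RE.search(parseaddr(return_path or "")[1].rpartition("@")[0]))

def calendar_properties(ics_text):
    """Unfold RFC 5545 lines and map property name -> unescaped value."""
    props = {}
    for line in re.sub(r"\r?\n[ \t]", "", ics_text).splitlines():
        name, sep, value = line.partition(":")
        if sep:
            name = name.split(";", 1)[0].upper()  # drop parameters such as ;LANGUAGE=en
            props[name] = re.sub(r"\\([\\;,nN])",
                                 lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)
    return props

def analyze_message(raw):
    """Parse one raw RFC 5322 message and score the calendar text it carries."""
    msg = message_from_string(raw, policy=policy.default)
    summary = notes = ""
    for part in msg.walk():
        if part.get_content_type() == "text/calendar":
            props = calendar_properties(part.get_content())
            summary, notes = props.get("SUMMARY", ""), props.get("DESCRIPTION", "")
    text = f"{summary}\n{notes}"
    low = text.lower()
    indicators = []
    if is_srs_rewritten(msg["Return-Path"]):
        indicators.append("srs_forwarded")
    if AMOUNT_RE.search(text):
        indicators.append("currency_amount")
    if any(t in low for t in PAYMENT_TERMS):
        indicators.append("payment_language")
    if PHONE_RE.search(text) and any(t in low for t in CALLBACK_TERMS):
        indicators.append("callback_number")
    # SPF/DKIM/DMARC genuinely pass and say nothing about intent, so the verdict
    # rests on content: money wording paired with a number the reader must call.
    suspicious = "callback_number" in indicators and (
        "currency_amount" in indicators or "payment_language" in indicators)
    return {"auth": parse_auth_results(msg["Authentication-Results"]),
            "notes": notes, "indicators": indicators, "suspicious": suspicious}

if __name__ == "__main__":
    for name, raw in (("lure", LURE_EML), ("benign", BENIGN_EML)):
        print(name, analyze_message(raw))
```

The point of the design is that the authentication verdicts are recorded but never used to lower the score: on this campaign they are all genuine passes, so a rule that trusts them would whitelist the lure. The verdict comes from the invite body alone, which is where the attacker has to put the phone number.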