- E-mails come from Apple servers, bypassing SPF, DKIM and DMARC checks
- The scam encourages victims to call a support number for a fake refund
- Fraudsters pressure users into downloading remote access tools onto their systems
Apple users are now facing an unusual phishing campaign that exploits iCloud Calendar invitations.
Unlike traditional scams that send emails from random servers, these messages are sent via Apple’s own infrastructure.
This gives them instant credibility and makes it more difficult for spam filters and the best ransomware protection systems to stop them.
How the trick works
According to BleepingComputer, the scam works by inserting a phishing message into the notes field of a calendar invitation.
Once the invitation is created, Apple automatically sends it as an e-mail from its trusted servers.
This means that the message passes critical checks like SPF, DKIM and DMARC, giving it the appearance of a legitimate Apple email.
In a reported case, the calendar invitation was sent to a Microsoft 365 address controlled by the attackers.
From there, it was automatically forwarded to a group distribution list, multiplying the scam's reach.
Since Microsoft uses the Sender Rewriting Scheme to keep forwarded messages valid, the phishing email arrived looking authentic.
The lure itself was simple but effective. The victims were informed that they had been charged $599 on PayPal.
The message urged them to call a support number to resolve the charge.
On the surface, it seems routine, but the real objective is to get the victims to call the scammers directly.
Once a person dials the number, the fraudsters try to pressure them into downloading remote access tools.
Under the pretense of issuing a refund, the attackers then connect to the victim’s system.
At this point, they can try to drain bank accounts, plant malware or steal personal data.
The alarming part is not the callback scam itself, which is a familiar tactic. It is how attackers turned Apple's calendar service into a delivery tool.
Because they use the address [email protected], the emails carry an air of trust and can get past even cautious users.
Apple has not publicly addressed this specific abuse. Until more direct safeguards are in place, the burden falls on users to remain vigilant.
Some scams like this also rely on installing hidden software, which later requires a full malware removal.
For this campaign, the best antivirus alone is not enough. E-mail authentication systems worked as designed, but the abuse of a trusted platform meant that the scam still got through.
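As an added example (not from the original article), the Python below triages a calendar invitation on what its notes contain rather than on its authentication result, which is the gap this campaign relies on. The sample message, sender domain, phone number and keyword list are constructed assumptions.

```python
import re
from email import message_from_string, policy

# Constructed sample (not from the page): an invitation that passed
# SPF/DKIM/DMARC at the receiver but carries a callback lure in its notes.
SAMPLE = """\
From: Calendar <noreply@calendar-provider.example>
Subject: Invitation: Purchase Invoice
Authentication-Results: mx.recipient.example; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/calendar; method=REQUEST; charset="utf-8"

BEGIN:VCALENDAR
METHOD:REQUEST
BEGIN:VEVENT
SUMMARY:Purchase Invoice
DESCRIPTION:Your PayPal account was charged $599.00. To cancel or get a
  refund call support at +1 (800) 555-0199.
END:VEVENT
END:VCALENDAR
"""
PHONE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
MONEY = re.compile(r"\b(?:charged|refund|invoice|payment|paypal)\b", re.I)

def invite_notes(msg):
    """Unfolded SUMMARY/DESCRIPTION text of every text/calendar part."""
    notes = []
    for part in msg.walk():
        if part.get_content_type() == "text/calendar":
            ics = re.sub(r"\r?\n[ \t]", "", part.get_content())  # RFC 5545 unfold
            notes += re.findall(r"^(?:SUMMARY|DESCRIPTION)[^:\n]*:(.*)$", ics, re.M)
    return " ".join(notes).replace("\\n", " ")

def triage(raw):
    msg = message_from_string(raw, policy=policy.default)
    auth = str(msg.get("Authentication-Results", "")).lower()
    notes = invite_notes(msg)
    phone = PHONE.search(notes)
    result = {
        "auth_pass": "dmarc=pass" in auth,
        "is_invite": any(p.get_content_type() == "text/calendar" for p in msg.walk()),
        "phone": phone.group(0) if phone else None,
        "payment_terms": sorted({m.lower() for m in MONEY.findall(notes)}),
    }
    # Authentication only proves which server sent the mail, so a pass is
    # recorded but never used to clear an invite that carries a lure.
    lure = result["is_invite"] and result["phone"] and result["payment_terms"]
    result["verdict"] = "quarantine" if lure else "deliver"
    return result

if __name__ == "__main__":
    print(triage(SAMPLE))
```

An ordinary invitation with no phone number or payment wording in its notes comes back as "deliver", so the rule targets the lure pattern rather than calendar mail in general.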
How to stay safe
- Treat any unexpected calendar invitation with caution, especially if it mentions payments or support hotlines.
- Do not call the phone numbers included in suspicious calendar invitations.
- Keep your devices up to date and run an antivirus with solid features for removing malware.
- Use reliable ransomware protection and run routine system checks to protect sensitive accounts.
- If an invitation seems suspicious, delete it rather than interacting with it.