Scammers have found a new way to bypass spam filters by exploiting Apple’s iCloud Calendar invite system to send callback phishing emails directly from Apple’s own mail servers.
Earlier this month, a reader shared with BleepingComputer an email disguised as a PayPal receipt for $599, sent from noreply@email.apple.com. The email instructed the recipient to call a “support” number to dispute the charge. Once on the call, scammers attempted to scare victims into granting remote access to their computers, enabling them to steal banking details, deploy malware, or exfiltrate sensitive data.
What makes this campaign unusual is its delivery method. Instead of using compromised accounts or spoofed domains, the phishing text was hidden inside the Notes field of an iCloud Calendar invite. When the calendar event was created, Apple’s servers automatically sent the invitation email, which passed SPF, DKIM, and DMARC checks, making it appear fully legitimate.
The invite in this case was addressed to a Microsoft 365 account, believed to be part of a mailing list that forwards messages to multiple targets. To ensure deliverability, Microsoft 365 rewrote the email’s return path using the Sender Rewriting Scheme (SRS), further helping the message bypass security filters.
While the scam itself is a common “fake payment receipt” callback scheme, the abuse of Apple’s trusted infrastructure adds a dangerous level of credibility.
How to Stay Safe
- Treat any unexpected calendar invites with strange payment messages as suspicious.
- Never call phone numbers listed in unsolicited emails.
- Avoid downloading remote access tools at the request of unknown callers.
- Report suspicious invites to Apple and your email provider.
If this article helped you, please consider supporting our work. Every small contribution keeps Abijita.com independent and running.
