- Emails come from Apple servers, bypassing SPF, DKIM, and DMARC checks
- Scam prompts victims to call a support number for a fake refund
- Fraudsters pressure users into downloading remote access tools on their systems
Apple users are now facing an unusual phishing campaign that exploits iCloud Calendar invites.
Unlike traditional scams that send emails from random servers, these messages are sent through Apple’s own infrastructure.
This gives them instant credibility and makes it harder for spam filters and the best ransomware protection systems to stop them.
How the trick works
According to Bleepingcomputer, the scam works by inserting a phishing message into the Notes field of a Calendar invite.
Once created, Apple automatically sends the invite as an email from its trusted servers.
That means the message passes critical checks like SPF, DKIM, and DMARC, giving the appearance of a legitimate Apple email.
In one reported case, the calendar invite was sent to a Microsoft 365 address controlled by the attackers.
From there, it was automatically forwarded to a group mailing list, multiplying the reach of the scam.
Since Microsoft uses the Sender Rewriting Scheme to keep the messages valid, the phishing email arrived looking authentic.
The lure itself was simple but effective. Victims were told they had been charged $599 on PayPal.
The message urged them to call a number for support to resolve the charge.
On the surface, it looks routine, but the real aim is to get victims to call scammers directly.
Once a person dials the number, the fraudsters try to pressure them into downloading remote access tools.
Under the pretense of issuing a refund, the attackers then connect to the victim’s system.
At that point, they can attempt to drain bank accounts, plant malicious files, or steal personal data.
The alarming part is not the callback scam itself, which is a familiar tactic. It is the way attackers turned Apple’s own calendar service into a delivery tool.
By using the noreply@email.apple.com address, the emails gain a sense of trust and may slip past even cautious users.
Apple has not publicly addressed this specific abuse. Until more direct safeguards are in place, the burden falls on users to stay alert.
Some scams like this also rely on installing hidden software that requires full malware removal later.
For this campaign, the best antivirus alone is not enough, and email authentication systems worked as designed, but the abuse of a trusted platform meant the scam still got through.
How to stay safe
- Treat any unexpected Calendar invite with caution, especially if it mentions payments or support hotlines.
- Do not call phone numbers included in suspicious calendar invites.
- Keep your devices updated and run an antivirus with strong malware removal features.
- Use reliable ransomware protection and perform routine system checks to protect sensitive accounts.
- If an invite looks suspicious, delete it rather than interact with it.
