iCloud Calendar invites abused to deliver callback phishing that evades email filters

CyberSecureFox 🦊

Threat actors are exploiting iCloud Calendar invitations to deliver convincing “purchase receipts” that originate from Apple infrastructure and pass SPF, DKIM, and DMARC, substantially increasing deliverability and trust. According to BleepingComputer, the invitations arrive from an address on email.apple.com, a legitimate Apple sending domain, and are used to kick off callback phishing, also known as TOAD (telephone-oriented attack delivery).

How the iCloud Calendar phishing scheme works

In observed cases, victims receive a calendar invite that looks like a receipt for a high-dollar purchase (for example, a $599 PayPal charge) and lists a “support” phone number to call to cancel the transaction. The bait is designed to trigger urgency and prompt a phone call rather than a click, sidestepping conventional URL-focused defenses.

Abusing the Notes field in .ics invites

The social engineering text is placed in the invitation’s Notes field, which Apple emits as the DESCRIPTION property of the .ics attachment. When a calendar owner invites external recipients, Apple automatically emails the invite on their behalf from the email.apple.com domain. Attackers exploit this legitimate delivery channel to inherit Apple’s sender reputation and slip past content heuristics tuned for URLs and attachments.

Callback phishing playbook (TOAD)

Once the victim calls the number, the operator claims the account has been compromised and steers the target into installing “refund” software or granting remote access. The outcome is typically wire or wallet theft, malware installation, and data exfiltration, the well-established endgame of tech-support and refund scam operations.

Why these emails pass SPF, DKIM, and DMARC

Investigators note that many targets received the invite through Microsoft 365 distribution lists. Forwarding normally breaks SPF because the forwarding host is not an authorized sender for the original envelope domain, but Microsoft 365 applies Sender Rewriting Scheme (SRS), rewriting the envelope return-path to a Microsoft-controlled domain so that SPF passes at the final recipient. That SPF pass does not align with the From header domain, so the DMARC result hinges on DKIM: Apple’s signature (d=email.apple.com) survives the relay as long as the list does not modify the signed headers or body, and because it matches the visible From domain, DMARC passes.

Role of distribution lists and authentication alignment

Distribution lists that relay the message without touching the DKIM-signed headers and body keep Apple’s signature valid, and with it the DMARC pass. Combined with Apple’s reputable sending domain, the messages look fully legitimate to authentication-based filters despite carrying phishing content in the invite’s Notes. This illustrates how attackers blend trusted infrastructure with social engineering aimed at phone-based engagement.
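An added example, not code from the article or from BleepingComputer, that walks through the alignment logic of the two sections above in Python: it parses constructed Authentication-Results headers of the kind Exchange Online stamps and recomputes the DMARC verdict from the SPF and DKIM facts. The tenant domain contoso.onmicrosoft.com, the sender IPs, the local part and the hash/timestamp in the SRS-rewritten return-path are assumptions, and the organizational-domain logic is simplified (it does not consult the Public Suffix List).

```python
import re
from dataclasses import dataclass
from typing import Dict


@dataclass
class AuthResult:
    header_from: str  # domain of the visible From: header, which is what DMARC protects
    spf_result: str   # SPF verdict for the envelope MAIL FROM (return-path) domain
    spf_domain: str   # that MAIL FROM domain; after SRS it belongs to Microsoft, not Apple
    dkim_result: str  # verdict for the DKIM signature carried by the message
    dkim_d: str       # d= tag of that signature, i.e. the signing domain


# Constructed Authentication-Results values shaped like the ones Exchange Online stamps.
# The tenant domain contoso.onmicrosoft.com, the IPs and the SRS hash/timestamp are made up.
DIRECT = (
    "spf=pass (sender IP is 17.0.0.1) smtp.mailfrom=email.apple.com; "
    "dkim=pass (signature was verified) header.d=email.apple.com; "
    "dmarc=pass action=none header.from=email.apple.com"
)
# Same invite after a distribution list relayed it: SRS rewrote the return-path into the
# tenant's onmicrosoft.com domain, while Apple's DKIM signature was left untouched.
VIA_SRS = (
    "spf=pass (sender IP is 40.0.0.1) "
    "smtp.mailfrom=bounces+SRS=h0ct=zz=email.apple.com=sender@contoso.onmicrosoft.com; "
    "dkim=pass (signature was verified) header.d=email.apple.com; "
    "dmarc=pass action=none header.from=email.apple.com"
)
# Relay that altered the signed body (for example by appending a list footer).
VIA_SRS_BODY_CHANGED = (
    "spf=pass (sender IP is 40.0.0.1) smtp.mailfrom=contoso.onmicrosoft.com; "
    "dkim=fail (body hash did not verify) header.d=email.apple.com; "
    "dmarc=fail action=oreject header.from=email.apple.com"
)


def parse_auth_results(header: str) -> AuthResult:
    """Pull the SPF/DKIM facts out of an Authentication-Results header. The dmarc= verdict
    stamped by the receiver is ignored so that dmarc_evaluate() can recompute it."""

    def grab(pattern: str, default: str = "") -> str:
        m = re.search(pattern, header, re.IGNORECASE)
        return m.group(1).lower() if m else default

    return AuthResult(
        header_from=grab(r"header\.from=([^;\s]+)"),
        spf_result=grab(r"\bspf=(\w+)", "none"),
        # smtp.mailfrom may be a bare domain or a full address; keep only the domain part
        spf_domain=grab(r"smtp\.mailfrom=(?:[^@;\s]+@)?([^;\s]+)"),
        dkim_result=grab(r"\bdkim=(\w+)", "none"),
        dkim_d=grab(r"header\.d=([^;\s]+)"),
    )


def org_domain(domain: str) -> str:
    """Organizational domain for relaxed alignment. Simplified to the last two labels; a real
    implementation consults the Public Suffix List (which treats onmicrosoft.com as a suffix)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(candidate: str, header_from: str, mode: str) -> bool:
    """RFC 7489 identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return candidate.lower() == header_from.lower()
    return org_domain(candidate) == org_domain(header_from)


def dmarc_evaluate(r: AuthResult, aspf: str = "r", adkim: str = "r") -> Dict[str, object]:
    """DMARC passes if at least one of SPF or DKIM both passed and aligns with the From domain."""
    spf_aligned = r.spf_result == "pass" and aligned(r.spf_domain, r.header_from, aspf)
    dkim_aligned = r.dkim_result == "pass" and aligned(r.dkim_d, r.header_from, adkim)
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


if __name__ == "__main__":
    for label, hdr in (("direct", DIRECT), ("via SRS", VIA_SRS), ("via SRS, body changed", VIA_SRS_BODY_CHANGED)):
        print(f"{label:22s} {dmarc_evaluate(parse_auth_results(hdr))}")
```

The middle case is the one in the article: SPF passes, but for Microsoft’s domain, so only Apple’s intact DKIM signature keeps the message aligned with the From header. The third case is the flip side: a list that rewrites the signed body breaks DKIM and with it DMARC, which is why mailing-list footers and disclaimers so often produce DMARC failures on otherwise legitimate mail.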

Broader trend: callback phishing and invoice scams

The tactic aligns with a broader rise in callback phishing and fake invoice campaigns that favor phone calls over links or attachments to evade sandboxes and URL blocklists. Public reporting from the FBI’s Internet Crime Complaint Center (IC3) has repeatedly highlighted substantial losses tied to tech-support style fraud, measured in the hundreds of millions of dollars annually, with older victims disproportionately affected. PayPal-style invoice scams remain a common lure across these operations.

Mitigation: actions for users and defenders

Guidance for end users

Do not call phone numbers from unsolicited “receipts” or calendar invites. Verify transactions directly in the official app or website (e.g., PayPal or your bank). Never install software or grant remote access at the request of an unsolicited caller.

Controls for Microsoft 365 admins and SOC teams

Block or quarantine external calendar invitations addressed to distribution lists. Apply mail-flow (transport) rules that flag or hold messages carrying a .ics attachment whose Notes content matches high-risk patterns such as phone numbers, refund or cancellation language, and invoice/receipt wording. Reassess allowlists: messages from trusted domains should not automatically bypass content and behavioral inspection. Enable external sender tagging, and disable automatic processing of meeting invites for shared mailboxes and lists where feasible.

Technical measures and monitoring

Implement parsing and inspection of calendar invites (.ics) with specific filtering of Notes content. Harden remote-access pathways: enforce AppLocker or WDAC policies to block unauthorized remote-support tools (e.g., AnyDesk, TeamViewer), and ensure EDR/NGAV coverage detects post-call malware and lateral movement. Incorporate TOAD-specific playbooks in user awareness programs and run periodic simulations that include phone-based lures.
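An added example, not code from the article or from any vendor, of the invite inspection recommended in the admin and technical sections above: a Python checker that unfolds and unescapes an .ics file, pulls the SUMMARY and DESCRIPTION (where iCloud places the Notes text), and flags the combination the article describes, a phone number alongside a dollar amount or refund/cancel language. The two sample invites, the amount and the phone number are constructed; the term list, the North American phone pattern and the quarantine rule are assumptions to tune locally.

```python
import re
from typing import Dict, List

# Constructed sample invite modelled on the lure the article describes; not a captured file.
# The amount, phone number and wording are made up. DESCRIPTION is folded across lines and uses
# RFC 5545 escapes, the two things a naive grep over the raw file would trip over.
LURE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "PRODID:-//Constructed//Sample//EN\r\n"
    "METHOD:REQUEST\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:constructed-0001@example.invalid\r\n"
    "DTSTART:20250101T120000Z\r\n"
    "SUMMARY:Your PayPal receipt\r\n"
    "DESCRIPTION;LANGUAGE=en:Thank you for your purchase of $599.00.\\nIf you di\r\n"
    " d not authorize this transaction\\, call support at +1 (800) 555-0199 wit\r\n"
    " hin 24 hours to cancel and request a refund.\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

# Constructed ordinary meeting invite for comparison.
BENIGN_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nMETHOD:REQUEST\r\nBEGIN:VEVENT\r\n"
    "UID:constructed-0002@example.invalid\r\nDTSTART:20250101T150000Z\r\n"
    "SUMMARY:Weekly sync\r\nDESCRIPTION:Agenda: roadmap review\\, hiring update.\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

# Assumed detection vocabulary; North American phone formats only.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
AMOUNT_RE = re.compile(r"[$€£]\s?\d[\d,]*(?:\.\d{2})?")
LURE_TERMS = ("refund", "cancel", "receipt", "invoice", "charged", "did not authorize",
              "unauthorized", "call", "support")
MONEY_TERMS = {"refund", "cancel", "charged"}


def unfold(ics: str) -> List[str]:
    """Undo RFC 5545 line folding: a line break followed by a space or tab continues the line."""
    return re.split(r"\r?\n", re.sub(r"\r?\n[ \t]", "", ics))


def unescape(value: str) -> str:
    """Undo RFC 5545 TEXT escaping: \\n / \\N become newlines; \\, \\; and \\\\ become literals."""
    return re.sub(r"\\([\\,;nN])", lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)


def first_vevent(ics: str) -> Dict[str, str]:
    """Properties of the first VEVENT as {NAME: unescaped value}. Parameters such as LANGUAGE are
    dropped; quoted parameter values containing ':' are not handled (a simplification)."""
    props: Dict[str, str] = {}
    inside = False
    for line in unfold(ics):
        if line == "BEGIN:VEVENT":
            inside = True
        elif line == "END:VEVENT":
            break
        elif inside and ":" in line:
            name_params, value = line.split(":", 1)
            props[name_params.split(";", 1)[0].upper()] = unescape(value)
    return props


def assess_invite(ics: str) -> Dict[str, object]:
    """Score an invite on the callback-phishing pattern: a phone number plus money or refund talk."""
    ev = first_vevent(ics)
    text = f"{ev.get('SUMMARY', '')}\n{ev.get('DESCRIPTION', '')}"
    lowered = text.lower()
    phones = [m.group(0) for m in PHONE_RE.finditer(text)]
    amounts = AMOUNT_RE.findall(text)
    terms = [t for t in LURE_TERMS if t in lowered]
    # Quarantine only on the combination; a phone number alone is normal in meeting invites.
    verdict = "quarantine" if phones and (amounts or MONEY_TERMS & set(terms)) else "allow"
    return {"summary": ev.get("SUMMARY", ""), "phones": phones, "amounts": amounts,
            "terms": terms, "verdict": verdict}


if __name__ == "__main__":
    for sample in (LURE_ICS, BENIGN_ICS):
        print(assess_invite(sample))
```

The unfolding and unescaping steps are the point: iCloud folds long Notes at 75 octets and escapes commas and newlines, so a phone number or “$599.00” can be split across physical lines in the raw attachment and never match a plain string rule. In Exchange Online the same conditions can be expressed against attachment content, but wherever folding defeats that, run the attachment through a parser like this one, and extend the phone and currency patterns for the regions your users deal with.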

BleepingComputer reports having notified Apple about the iCloud Calendar abuse, with no response at publication time. Given attackers’ use of trusted email infrastructure and SRS-assisted authentication, organizations should tighten content filtering for calendar invites, limit external invitations to lists, and require out-of-band verification for any payment-related requests. If a “receipt” includes a phone number, verify the charge in your official account and avoid calling the provided number—this single step significantly reduces the effectiveness of these schemes.
