Attackers exploit iCloud Calendar invites via Apple servers to deliver phishing scams.

Continue reading
Attackers are creating iCloud Calendar events whose Notes/DESCRIPTION field contains a classic refund/billing lure (e.g., fake \$599 PayPal charge) plus a “call us” number. They invite a Microsoft 365 address that’s a forwarding list, so Apple’s servers send the calendar invite, and Microsoft’s SRS preserves SPF alignment when it gets forwarded. Result: the email shows From: [email protected] with SPF, DKIM, DMARC all passing; many gateways and users treat it as trusted. Calling the number leads to callback social engineering and potential remote-access malware/financial theft.
Observed message traits:
spf=pass (sender IP is 17.23.6.69)
smtp.mailfrom=email.apple.com;
dkim=pass (signature was verified) header.d=email.apple.com;
dmarc=pass action=none header.from=email.apple.com;Why the signals are green:
About Apple IP 17/8: The sender example 17.23.6.69 sits in Apple’s long-held 17.0.0.0/8 allocation (ARIN/Apple guidance), so IP reputation alone won’t flag it.
About the calendar format: The payload is a standard iCalendar object per RFC 5545; the DESCRIPTION (aka “Notes”) is simply text and can contain phone numbers, URLs, or scare-copy. Nothing exotic—just a trustworthy wrapper.
> Aim for context-aware detections that target calendar messages with financial/urgent callback language, not “Apple” as a brand.
Microsoft 365 supports message-header predicates and regex in rules; use them to key off `Content-Type` and suspicious phrases.
Example (conceptual) rule logic
Regex snippets
(?i)\b(\+?1[\s\-\.]?)?\(?\d{3}\)?[\s\-\.]?\d{3}[\s\-\.]?\d{4}\b
(?i)\b(paypal|charged|debited|invoice|refund|cancel|billing|transaction)\b
(?i)\$\s?\d{2,4}(\.\d{2})? ```
> Tip: Keep a separate allow-list exception only for known calendar partners to limit false positives.
Where invites are `.ics` files, you can still use attachment inspection in Exchange Online; but also add header/body rules so inline invites are covered. (See attachment inspection & predicates docs.)
Hunt for calendar messages with callback indicators.
KQL (illustrative)
EmailEvents
| where Timestamp > ago(14d)
| where SenderFromDomain =~ "email.apple.com" or NetworkMessageId in (
EmailHeaders
| where Name =~ "Content-Type" and tostring(Value) contains "text/calendar"
| distinct NetworkMessageId
)
| extend hasCallbackPhone = iff(Subject has "call", true, false)
| summarize count(), any(Subject), any(SenderFromAddress) by RecipientEmailAddress
| order by count_ desc> Swap in body inspection via `EmailUrlInfo`/`EmailAttachmentInfo` joins where available, or use `EmailHeaders` to key on `Content-Type`. (Field availability varies by license/telemetry tier.)
Sender Rewriting Scheme (SRS) in Microsoft 365 rewrites the P1 (envelope) MAIL FROM when a message is forwarded externally, preserving SPF when the forwarder sends on someone’s behalf. The P2 (visible From:) stays as the original (Apple), so DMARC still aligns.
Observed in the wild:
Original Return-Path: [email protected]
Rewritten Return-Path: bounces+SRS=...@<tenant>.onmicrosoft.comCore elements from RFC 5545 (typical malicious invites will have these):
BEGIN:VCALENDAR
METHOD:REQUEST
BEGIN:VEVENT
SUMMARY: <often a fake order/charge>
DESCRIPTION: <lure text with phone # or link>
ORGANIZER;CN=<iCloud user>:mailto:<...>
ATTENDEE;CN=<list or target>:mailto:<...>
END:VEVENT
END:VCALENDARFocus your rules on `Content-Type: text/calendar`, `METHOD:REQUEST`, and DESCRIPTION keywords.
None of these assess message intent; a legit sender can send malicious content (abuse).
Treat these as patterns, not fixed IOCs.
| Step | Risk Factor | Your Defensive Action |
|---|---|---|
| 1⃣ | iCloud Calendar invite with purchase notification in Notes | Treat unexpected invites with high suspicion |
| 2⃣ | From email appears to be legitimate Apple address | Don’t trust just the sender—analyze content and context |
| 3⃣ | Microsoft 365 forwarding preserves deliverability & authenticity | Recognize SRS behavior but focus on suspicious content |
| 4⃣ | Callback phishing leads to remote access/malware installation | Never install tools or provide access based on such calls |
This method combines the trust in Apple’s email infrastructure with Microsoft 365's SRS mechanism to create phishing messages that appear both legitimate and technically authenticated. It’s a step beyond usual phishing tactics, blending familiarity with advanced email spoofing to successfully bypass defenses.

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation