iCloud Calendar Abused for Callback Phishing Campaigns

📰 1 unique source, 1 article

Summary

A new phishing campaign abuses iCloud Calendar invites to send callback phishing emails. These emails, originating from Apple's servers, bypass spam filters; they are sent from [email protected] and pass SPF, DMARC, and DKIM checks. The campaign exploits the trust associated with Apple's email servers and the iCloud Calendar service. The emails masquerade as legitimate purchase notifications, claiming to be payment receipts for fraudulent charges, and prompt recipients to call a provided support number. Once contacted, the scammers use social engineering tactics to try to gain remote access to the victim's computer, leading to potential financial loss or data theft.

Timeline

  1. 07.09.2025 20:10 📰 1 article

    iCloud Calendar Invites Abused for Callback Phishing Campaigns

    A new phishing campaign abuses iCloud Calendar invites to send callback phishing emails from Apple's servers. These emails, originating from [email protected], pass SPF, DMARC, and DKIM checks, making them appear legitimate. The emails target users by masquerading as purchase notifications from PayPal, claiming fraudulent charges. The campaign exploits the trust associated with Apple's email servers and the iCloud Calendar service. The phishing emails prompt recipients to call a support number, where scammers attempt to gain remote access to the victim's computer. The campaign also exploits Microsoft 365 mailing lists to forward the phishing emails, maintaining the legitimacy of the email source.
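
A content-based triage check for the campaign described above, as an added example that is not from the original article: because the emails pass SPF, DKIM and DMARC, it inspects the invite's SUMMARY and DESCRIPTION for payment wording plus a phone number. The sample message, its placeholder domains and phone number, the keyword list and the function names are all constructed assumptions.

```python
import re
from email import message_from_string

# Constructed sample (placeholder domains and phone number), not a captured message.
SAMPLE = """\
From: Calendar <invites@mail.example>
Subject: Invitation
Authentication-Results: mx.corp.example; spf=pass; dkim=pass; dmarc=pass
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/calendar; charset="utf-8"; method=REQUEST

BEGIN:VCALENDAR
BEGIN:VEVENT
SUMMARY:Payment receipt
DESCRIPTION:Your PayPal account was charged. To dispute this call
  +1 (805) 555-0100 now.
END:VEVENT
END:VCALENDAR
--b1--
"""

LURE = re.compile(r"\b(paypal|payment|receipt|charged?|invoice|refund)\b", re.I)
PHONE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
FIELD = re.compile(r"^(?:SUMMARY|DESCRIPTION)[^:\n]*:(.*)$", re.M | re.I)

def auth_passed(msg):
    """True when SPF, DKIM and DMARC all report pass."""
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return all(f"{m}=pass" in results for m in ("spf", "dkim", "dmarc"))

def invite_text(msg):
    """Human-readable SUMMARY/DESCRIPTION text from every text/calendar part."""
    out = []
    for part in msg.walk():
        if part.get_content_type() == "text/calendar":
            raw = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            raw = re.sub(r"\r?\n[ \t]", "", raw)  # unfold RFC 5545 continuation lines
            out += FIELD.findall(raw)
    return " ".join(out)

def triage(raw_email):
    """Flag invite mail on content; auth status is reported but never clears it."""
    msg = message_from_string(raw_email)
    text = invite_text(msg)
    lure, phone = bool(LURE.search(text)), bool(PHONE.search(text))
    return {"suspicious": lure and phone, "payment_wording": lure,
            "phone_number": phone, "auth_passed": auth_passed(msg)}
```

Only the invite's free-text fields are scanned, so digit runs in properties such as UID or DTSTART do not trigger the phone-number match.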

Similar Happenings

Apple patches Image I/O zero-day exploited in targeted attacks

Apple has released emergency updates to fix a zero-day vulnerability (CVE-2025-43300) in the Image I/O framework. The flaw, an out-of-bounds write issue, was exploited in "extremely sophisticated" targeted attacks against specific individuals. Attackers can trigger it by supplying malicious input, potentially leading to remote code execution. The flaw was discovered internally by Apple and addressed with improved bounds checking. Apple has not attributed the discovery to a specific researcher or provided details about the attacks.

The vulnerability affects various iPhone, iPad, and Mac models running specific versions of iOS, iPadOS, and macOS. Apple has backported fixes to older versions of iOS, iPadOS, and macOS, including iOS 16.7.12, iPadOS 16.7.12, iOS 15.8.5, and iPadOS 15.8.5. The updates also address multiple other security flaws in various Apple products. Users are advised to install the updates promptly to mitigate potential ongoing attacks.

The flaw was chained with a WhatsApp zero-click vulnerability (CVE-2025-55177) in targeted attacks, which Apple and WhatsApp described as "extremely sophisticated". Samsung also patched a remote code execution vulnerability chained with the CVE-2025-55177 WhatsApp flaw in zero-day attacks targeting its Android devices.

CERT-FR has reported at least four instances of Apple threat notifications alerting users about mercenary spyware attacks since the beginning of the year. The attacks target individuals based on their status or function, including journalists, lawyers, activists, politicians, and senior officials. Apple has sent threat notifications to users in over 150 countries since 2021.