CyberHappenings

Phishing Campaign Abuses iCloud Calendar to Send Emails from Apple Servers

1 unique source, 1 article

Summary


A phishing campaign abuses iCloud Calendar invites to deliver callback-phishing emails from Apple’s own servers. The scammers create a calendar invite whose Notes field carries the lure: a fake PayPal purchase notification claiming a $599 charge, with a phone number the recipient is urged to call to discuss or cancel the payment. Because the invite notification is generated and sent by Apple’s infrastructure (the emails come from [email protected]), it passes SPF, DKIM and DMARC checks rather than failing them, and spam filters that lean on sender authentication and on Apple’s sending reputation let it through, so the message looks legitimate. Anyone who calls the number reaches the scammers, whose goal is to talk the victim into granting remote access to their computer in order to steal money, deploy malware, or exfiltrate data.
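Since the invite really does originate from Apple, sender authentication gives a filter nothing to act on; the lure lives in the calendar object itself. The following is an added example, not code from the page’s source or from Apple or any vendor, that parses a constructed invite with Python’s standard library, reads the Authentication-Results header (showing all three checks passing) and scores the DESCRIPTION and SUMMARY fields for callback-phishing markers: a currency amount, a phone number, a call-to-action verb, urgency language and a brand name. The sending domain, headers, UID, amount and phone number are all constructed; the brand list and thresholds are illustrative assumptions.

```python
import email
import re
from email import policy

# Constructed sample: an iCloud-style calendar invite as it lands in the victim's
# mailbox. Domain, headers, UID, amount and phone number are made up for this
# example; the 555-01xx range is reserved for fictional numbers.
PHISHING_EML = """\
From: Calendar <noreply@calendar.example-apple.test>
To: victim@example.test
Subject: Invitation: Your PayPal payment of $599.00
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=calendar.example-apple.test; dkim=pass header.d=example-apple.test; dmarc=pass header.from=example-apple.test
MIME-Version: 1.0
Content-Type: text/calendar; method=REQUEST; charset=UTF-8

BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Example//Calendar//EN
METHOD:REQUEST
BEGIN:VEVENT
UID:20250907-example-uid@example-apple.test
DTSTART:20250907T200000Z
SUMMARY:Your PayPal payment of $599.00 was successful
DESCRIPTION:A charge of $599.00 was made to your PayPal account. If you did
  not authorize this payment\\, call our support line at +1-800-555-0142
  immediately to cancel the transaction.
END:VEVENT
END:VCALENDAR
"""

# Constructed benign invite from the same sender, for contrast.
BENIGN_EML = """\
From: Calendar <noreply@calendar.example-apple.test>
To: victim@example.test
Subject: Invitation: Budget review
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=calendar.example-apple.test; dkim=pass header.d=example-apple.test; dmarc=pass header.from=example-apple.test
MIME-Version: 1.0
Content-Type: text/calendar; method=REQUEST; charset=UTF-8

BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Example//Calendar//EN
METHOD:REQUEST
BEGIN:VEVENT
UID:20250908-example-uid@example-apple.test
DTSTART:20250908T090000Z
SUMMARY:Budget review
DESCRIPTION:Q3 numbers\\, bring the updated forecast.
END:VEVENT
END:VCALENDAR
"""

AMOUNT_RE = re.compile(r"[$€£]\s?\d{1,3}(?:,\d{3})*(?:\.\d{2})?")
# North American style number: optional +1, area code, exchange, subscriber.
PHONE_RE = re.compile(r"\+?1?[-. (]*\d{3}[-. )]*\d{3}[-. ]*\d{4}")
CALLBACK_RE = re.compile(r"\b(call|phone|dial|contact)\b", re.I)
URGENCY_RE = re.compile(
    r"\b(immediately|cancel|unauthori[sz]ed|did not authori[sz]e|refund|suspend)\b", re.I)
BRANDS = ("paypal", "apple", "amazon", "microsoft")  # illustrative, not from the page


def parse_auth_results(msg) -> dict:
    """Pull spf/dkim/dmarc verdicts out of the first Authentication-Results header."""
    header = str(msg.get("Authentication-Results", ""))
    results = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", header)
        results[mech] = m.group(1).lower() if m else "none"
    return results


def extract_calendar_part(msg):
    """Return the text/calendar body (str) or None if the message has none."""
    for part in msg.walk():
        if part.get_content_type() == "text/calendar":
            return part.get_content()
    return None


def ics_property(ics: str, name: str) -> str:
    """Unfold RFC 5545 continuation lines, then read one property, unescaping \\, \\; \\n."""
    unfolded = re.sub(r"\r?\n[ \t]", "", ics)
    m = re.search(rf"^{name}(?:;[^:\n]*)?:(.*)$", unfolded, re.M)
    if not m:
        return ""
    return re.sub(r"\\([\\,;nN])",
                  lambda e: "\n" if e.group(1) in "nN" else e.group(1), m.group(1))


def analyze_invite(raw_eml: str) -> dict:
    """Score the invite's Notes (DESCRIPTION) and title for callback-phishing markers."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    auth = parse_auth_results(msg)
    ics = extract_calendar_part(msg)
    if ics is None:
        return {"auth_results": auth, "verdict": "no_calendar_part"}
    notes = ics_property(ics, "DESCRIPTION") + "\n" + ics_property(ics, "SUMMARY")
    amounts = sorted(set(AMOUNT_RE.findall(notes)))
    phones = sorted(set(PHONE_RE.findall(notes)))
    brands = [b for b in BRANDS if b in notes.lower()]
    callback = bool(CALLBACK_RE.search(notes))
    urgency = bool(URGENCY_RE.search(notes))
    # A phone number plus a "call us" verb plus either money or a brand is the
    # callback-scam shape; authentication results are reported but never exempt.
    verdict = "callback_phishing" if phones and callback and (amounts or brands) else "benign"
    return {"auth_results": auth, "amounts": amounts, "phone_numbers": phones,
            "brands": brands, "callback_verb": callback, "urgency": urgency,
            "verdict": verdict}


if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_EML), ("benign", BENIGN_EML)):
        print(label, analyze_invite(sample))
```

The point of reporting the authentication results alongside the content verdict is that a rule such as "skip content inspection when spf, dkim and dmarc all pass" is exactly what this campaign exploits; content-level checks on calendar invites have to run regardless of who sent them.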

Timeline

  1. 07.09.2025 20:10 · 1 article

    Phishing Campaign Abuses iCloud Calendar to Send Emails from Apple Servers

    A phishing campaign abuses iCloud Calendar invites to send callback-phishing emails from Apple’s servers. The emails mimic PayPal purchase notifications claiming a $599 charge and prompt recipients to call a provided number to discuss or cancel the payment. Because the messages genuinely originate from Apple’s servers they pass sender-authentication checks and get through spam filters, which makes them appear legitimate. The scammers aim to gain remote access to the victim's computer to steal money, deploy malware, or steal data.


Similar Happenings

Increased Browser-Based Attacks Targeting Business Applications

Browser-based attacks targeting business applications have surged, exploiting modern work practices in which work is spread across many decentralized internet apps. These attacks, including phishing, malicious OAuth integrations, and malicious browser extensions, compromise business apps and data by targeting the user rather than the infrastructure. They use a variety of delivery channels and evasion techniques that make them difficult to detect and block. Phishing has moved beyond email to channels such as social media, instant messaging apps, and malicious search engine ads, which bypass traditional email security controls entirely and are harder to detect. Attackers exploit the decentralized nature of modern work environments, reaching users across multiple apps and communication channels. Non-email phishing can lead to significant breaches, as seen in the 2023 Okta breach. The rise in these attacks highlights the need for stronger browser security measures and better visibility into user activity within the browser.

Axios and Direct Send Abuse in Microsoft 365 Phishing Campaigns

Threat actors are abusing the Axios HTTP client library and Microsoft 365's Direct Send feature to run efficient phishing campaigns against Microsoft 365 environments. The attacks, which began in July 2025, initially targeted executives and managers in finance, healthcare, and manufacturing, but have since expanded to all users. The campaigns use compensation-themed lures to trick recipients into entering credentials and then defeat multi-factor authentication (MFA). Axios abuse has surged, accounting for 24.44% of all flagged user-agent activity between June and August 2025. Attackers use Axios as adversary-in-the-middle tooling to intercept, modify, and replay HTTP requests, capturing session tokens or MFA codes in real time, which lets them slip past defenses that stop at the password and run phishing operations at scale. Separately, a phishing-as-a-service (PhaaS) offering called Salty 2FA has been discovered that steals Microsoft login credentials and sidesteps MFA by simulating various authentication methods. Salty 2FA uses subdomain rotation, dynamic corporate branding on its pages, and evasion tactics that include staging the initial stage of an attack on legitimate platforms and gating its pages behind Cloudflare Turnstile in place of a CAPTCHA. Salty 2FA campaigns have been active since late July 2025 and continue to this day, generating dozens of fresh analysis sessions daily. Targeted industries include finance, healthcare, government, logistics, energy, IT consulting, education, construction, telecom, chemicals, industrial manufacturing, real estate, and consulting.
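The 24.44% figure above is a share of sign-in activity attributed to a scripted HTTP client rather than a browser, which is something a defender can compute from their own sign-in logs. The following is an added example, not code from the page’s source or from Microsoft, Axios or any vendor, that runs that logic over a few constructed sign-in records: it flags sign-ins whose user agent is a programmatic client (axios, python-requests and similar), reports the share they make up, and pivots flagged events by source IP to expose one address authenticating as several accounts, the shape an AiTM relay produces. The record layout is loosely modelled on Entra ID sign-in log fields, but every field name, account, IP and timestamp here is an assumption constructed for the example.

```python
import json
import re
from collections import defaultdict

# Constructed sign-in records, one JSON object per line. Field names follow the
# Entra ID sign-in log loosely (userPrincipalName, userAgent, ipAddress,
# status.errorCode); all values are made up. 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges. errorCode 0 = success; non-zero = failure.
SIGNIN_LOG = """\
{"createdDateTime":"2025-08-12T09:01:10Z","userPrincipalName":"cfo@example.test","userAgent":"axios/1.7.2","ipAddress":"203.0.113.10","status":{"errorCode":0}}
{"createdDateTime":"2025-08-12T09:01:12Z","userPrincipalName":"cfo@example.test","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/127.0","ipAddress":"198.51.100.7","status":{"errorCode":0}}
{"createdDateTime":"2025-08-12T09:03:40Z","userPrincipalName":"hr.manager@example.test","userAgent":"axios/1.7.2","ipAddress":"203.0.113.10","status":{"errorCode":50126}}
{"createdDateTime":"2025-08-12T09:05:02Z","userPrincipalName":"analyst@example.test","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) Safari/605.1.15","ipAddress":"198.51.100.22","status":{"errorCode":0}}
{"createdDateTime":"2025-08-12T09:06:15Z","userPrincipalName":"hr.manager@example.test","userAgent":"python-requests/2.32.3","ipAddress":"203.0.113.10","status":{"errorCode":0}}
"""

# User agents of programmatic HTTP clients that have no business completing an
# interactive user sign-in. The list is illustrative; extend it for your tenant.
SCRIPTED_CLIENT_RE = re.compile(r"^(axios|python-requests|node-fetch|got|okhttp|curl)/", re.I)


def parse_signins(raw: str) -> list:
    """Parse newline-delimited JSON sign-in records."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def is_scripted_client(record: dict) -> bool:
    return bool(SCRIPTED_CLIENT_RE.match(record.get("userAgent", "")))


def scripted_client_share(records: list) -> float:
    """Percentage of sign-ins made by a scripted client, rounded to 2 places."""
    if not records:
        return 0.0
    hits = sum(1 for r in records if is_scripted_client(r))
    return round(100.0 * hits / len(records), 2)


def flag_scripted_signins(records: list) -> list:
    """One finding per sign-in from a scripted client; success tells you whether
    the actor already holds a valid session, failure that they are still trying."""
    findings = []
    for r in records:
        if not is_scripted_client(r):
            continue
        findings.append({
            "time": r.get("createdDateTime"),
            "user": r.get("userPrincipalName"),
            "agent": r.get("userAgent"),
            "ip": r.get("ipAddress"),
            "success": r.get("status", {}).get("errorCode") == 0,
        })
    return findings


def ips_touching_multiple_accounts(findings: list) -> dict:
    """Map each flagged source IP to the accounts it authenticated as, keeping
    only IPs seen against more than one account (a relay/proxy signature)."""
    by_ip = defaultdict(set)
    for f in findings:
        by_ip[f["ip"]].add(f["user"])
    return {ip: sorted(users) for ip, users in by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    recs = parse_signins(SIGNIN_LOG)
    print(f"scripted-client share: {scripted_client_share(recs)}%")
    flags = flag_scripted_signins(recs)
    for f in flags:
        print("FLAG", f)
    print("shared source IPs:", ips_touching_multiple_accounts(flags))
```

The share is the number to trend over time; a single successful sign-in from an axios user agent is the event to investigate, and one IP completing sign-ins as several users from a scripted client is the signature to alert on.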

PyPI implements expired domain checks to prevent account takeovers and supply chain attacks

The Python Package Index (PyPI) has introduced a check for expired domains and, since June 2025, has marked as unverified over 1,800 email addresses tied to domains that had lapsed. The measure targets domain resurrection attacks, in which an attacker re-registers an expired domain that is still attached to a PyPI account, receives that account's password-reset mail, and takes over the account and its packages. PyPI uses Domainr's Status API to determine a domain's lifecycle stage and marks the associated email address as unverified, which blocks password resets and other account recovery actions through it. Users are advised to enable two-factor authentication (2FA) and to add a secondary verified email address on a notable domain. Separately, PyPI has warned of a new wave of phishing attacks that use fake PyPI websites to steal user credentials, advising affected users to change their passwords and to use phishing-resistant 2FA methods.