Expired or hijacked domain calendar subscription abuse campaign

Campaign
Happening score
H score 33
1 unique sources, 1 articles

Summary

Threat actors are abusing digital calendar subscriptions on expired or hijacked domains to push phishing and malware delivery into subscribed devices. The operation matters because once a subscription is established, attackers can inject calendar files with URLs or attachments and widen the attack surface. The same abuse pattern is also being used for JavaScript execution and other emerging attack paths.

Related Happenings

TikTok for Business phishing campaign using Turnstile and reverse proxy

Campaign
First: 26.03.2026 16:09 Last: 26.03.2026 16:09 Sources 1

About this happening: A **phishing campaign** is targeting **TikTok for Business accounts** and uses **Cloudflare Turnstile** to block automated analysis before exposing a **reverse-proxy** credential-...

Perplexity Comet prompt-injection research shows agentic browsers can be trained into phishing traps

Technical Analysis
First: 11.03.2026 18:38 Last: 11.03.2026 18:38 Sources 1

About this happening: **Perplexity's Comet AI browser** is the focus of a **technical analysis** thread showing how **prompt injection** and **malicious URLs** can steer an agentic browser into **data...

Google Groups and Google-hosted URL malware campaign targeting global organizations

Campaign
First: 15.02.2026 18:30 Last: 15.02.2026 18:30 Sources 1

About this happening: An active **Google Groups** malware campaign is abusing **Google-hosted URLs** to target **global organizations** and increase trust-based delivery success. Attackers seed legitim...

Calendly-themed brand-impersonation phishing campaign targeting ad manager accounts

Campaign
First: 02.12.2025 16:00 Last: 02.12.2025 16:00 Sources 1

About this happening: An ongoing **Calendly-themed phishing campaign** is impersonating major brands to steal **Google Workspace** and **Facebook business** credentials, creating takeover risk for ad a...

ShadyPanda browser extension spyware activity

Malware Activity
First: 01.12.2025 19:29 Last: 01.12.2025 19:29 Sources 1

About this happening: **ShadyPanda** browser extensions now deliver **hourly remote code execution**, turning trusted add-ons into spyware across **Chrome** and **Edge** and putting **4.3 million insta...

Timeline

  1. 28.11.2025 17:05 2 articles · 6mo ago

    BitSight discloses calendar subscription abuse on expired or hijacked domains

    Initial Disclosure

    BitSight disclosed that threat actors are abusing digital calendar subscription infrastructure on expired or hijacked domains to trick users into subscribing to notifications, and then deliver harmful calendar files, including URLs or attachments, through the subscribed .ics files. The research says the abuse can support phishing, malware distribution, JavaScript execution, and other calendar-based social engineering. It also says the abuse does not indicate a vulnerability in Google Calendar or iCalendar, because the risk comes from third-party calendar subscriptions.