Threat Actors Exploit Calendar Subscriptions for Phishing and Malware Delivery
Summary
Threat actors are manipulating digital calendar subscription infrastructure to deliver phishing and malware. They exploit expired or hijacked domains to set up deceptive infrastructure, tricking users into subscribing to malicious notifications. Once subscribed, attackers can deliver harmful content, including URLs or attachments, leading to phishing, malware distribution, and even JavaScript execution. BitSight's research uncovered 347 suspicious calendar domains, with approximately four million unique IP addresses per day interacting with these domains, primarily in the US.
Timeline
28.11.2025 17:05 · 1 article
BitSight Research Uncovers 347 Suspicious Calendar Domains
BitSight's research began with a single sinkholed domain related to German public and school holiday events, which recorded 11,000 unique IP addresses per day. The investigation expanded to uncover 347 additional suspicious calendar domains, with approximately four million unique IP addresses interacting with them daily. The highest geographic concentration of interactions was in the US. The research identified two types of sync requests, which suggests they were background sync requests from previously subscribed calendars, a position that would allow attackers to deliver customized malicious .ics calendar files.
Sources:
- Threat Actors Exploit Calendar Subscriptions for Phishing and Malware Delivery — www.infosecurity-magazine.com — 28.11.2025 17:05
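As an added illustration (not code from the article or from the research it cites), the following Python sketch shows how a defender could audit the .ics body returned by a subscribed feed for events that carry links or attachments. The sample feed, the `.example` hostnames and the function names are constructed for this example.

```python
import re
# Constructed sample feed (not from the research): a benign holiday event, then
# an event with a folded DESCRIPTION link and an ATTACH property.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:1@feed.example\r\n"
    "SUMMARY:Public holiday\r\n"
    "END:VEVENT\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:2@feed.example\r\n"
    "SUMMARY:Your device needs attention\r\n"
    "DESCRIPTION:Scan now at https://alerts.exa\r\n"
    " mple/fix to stay protected\r\n"
    "ATTACH;FMTTYPE=text/html:https://alerts.example/report.html\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

# name, optional ;params (quoted values may contain ':'), then ':' and the value
PROP_RE = re.compile(r'([^;:]+)((?:"[^"]*"|[^":])*):(.*)')
URL_RE = re.compile(r'https?://[^\s"<>\\]+', re.I)
TEXT_PROPS = {"SUMMARY", "DESCRIPTION", "LOCATION"}
LINK_PROPS = {"URL", "ATTACH"}

def unfold(ics_text):
    """RFC 5545 unfolding: a line break followed by space or tab continues a line."""
    return re.sub(r"\r?\n[ \t]", "", ics_text).splitlines()

def audit_feed(ics_text):
    """Return (uid, property, value) for each link-bearing property in a VEVENT."""
    findings, uid, pending = [], None, None
    for line in unfold(ics_text):
        m = PROP_RE.match(line)
        name, value = (m.group(1).upper(), m.group(3)) if m else ("", "")
        if name == "BEGIN" and value.upper() == "VEVENT":
            uid, pending = None, []
        elif pending is None:
            continue  # property outside any VEVENT
        elif name == "END" and value.upper() == "VEVENT":
            findings += [(uid, p, v) for p, v in pending]
            pending = None
        elif name == "UID":
            uid = value
        elif name in LINK_PROPS:
            pending.append((name, value))
        elif name in TEXT_PROPS:
            pending += [(name, u) for u in URL_RE.findall(value)]
    return findings
```

Because subscribed calendars are re-fetched in the background, a check like this is most useful when run on every sync response rather than only once at subscription time.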
Information Snippets
- Calendar subscriptions allow third-party servers to add events directly to devices, which threat actors exploit for malicious purposes.
  First reported: 28.11.2025 17:05 · 1 source, 1 article
- Malicious calendar subscriptions are often hosted on expired or hijacked domains, facilitating large-scale social engineering.
  First reported: 28.11.2025 17:05 · 1 source, 1 article
- BitSight's research identified 347 suspicious calendar domains, with four million unique IP addresses interacting with them daily.
  First reported: 28.11.2025 17:05 · 1 source, 1 article
- The highest geographic concentration of interactions with these domains was in the US.
  First reported: 28.11.2025 17:05 · 1 source, 1 article
- The research suggests that attackers can respond with customized calendar .ics files to previously subscribed calendars, adding malicious events.
  First reported: 28.11.2025 17:05 · 1 source, 1 article
- The risks include phishing, malware distribution, JavaScript execution, and innovative attacks exploiting emerging technologies like AI assistants.
  First reported: 28.11.2025 17:05 · 1 source, 1 article