
Redazione RHC : 1 December 2025 11:01
Digital calendars have long been a convenient way to keep track of daily activities, but new research from Bitsight shows that this familiar tool can become a real attack channel.
Bitsight researchers discovered over 390 abandoned domains associated with iCalendar subscriptions, which were still receiving daily requests from approximately 4 million iOS and macOS devices. Anyone who re-registers one of these domains gains the ability to silently push events into users’ calendars, complete with links, attachments, and any other content.
The problem is that third-party calendar subscriptions are typically created with a single click, for holidays, event calendars, discounts, or app reminders. This convenience comes with a risk: attackers can build infrastructure that tricks users into subscribing to their “updates.”
From that point on, the device polls the domain on a regular schedule, with no action from the owner, and fetches new .ics files. If the original domain lapses and is re-registered by cybercriminals, the calendar begins displaying intrusive reminders, phishing links, fake antivirus or VPN notifications: anything that might entice the victim to click.
Experts discovered hundreds of such domains, many of them linked to millions of unique IP addresses. The requests clearly came not from new subscriptions but from old, forgotten calendars, such as national holiday calendars. Simply hijacking one of these domains would immediately create a “distribution channel” to a huge number of devices.
At the same time, Bitsight discovered an entire infrastructure designed to mass-distribute malicious subscriptions: hacked websites secretly loaded obfuscated scripts that redirected visitors to fake CAPTCHA pages. There, victims were tricked into clicking “Allow,” supposedly to pass a verification step, but in reality this directly activated a subscription to push notifications or calendar events. These redirect chains often used .biz and .bid domains and were linked to the infamous Balada Injector malware campaign.
This wasn’t the only scheme. Researchers found APK files and PDF documents leading to the same chains. Android apps disguised themselves as games, disappeared upon launch, and opened the desired URLs via WebView. PDF files contained tiny URLs leading to the same fake pages. The entire infrastructure was well organized: dozens of hosting services, hundreds of domains, thousands of APKs, shared certificates, and an interconnected network of redirects.
Despite the scale of the problem, protection is virtually nonexistent. MDM solutions can’t prevent users from adding their own subscriptions, or even view the subscriptions already in place. Scanning, filtering, and antivirus analysis are all well developed for email, but they are virtually non-existent for calendars, which are perceived as a supposedly safe tool.
Bitsight recommends that users and businesses regularly review active subscriptions, treat links and attachments in events with the same caution as emails, implement a policy for the use of third-party calendars, and, where possible, block suspicious subscriptions at the network level. But the most important measure is to raise awareness: a calendar is not just a convenient tool but another potential attack vector, actively exploited by cybercriminals today. Understanding social engineering techniques will help counter these threats.
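The two mechanisms above, a device that keeps fetching .ics files from a subscription URL and events that carry links and attachments, are what a defender needs to inspect. The following Python script is an added example, not code from the RHC article or from Bitsight’s research. It parses an iCalendar feed the way a filtering proxy or a periodic audit job could, undoes RFC 5545 line folding, pulls every link out of the URL, ATTACH, DESCRIPTION and LOCATION properties of each VEVENT, and flags any host that is not on an allow list of domains the subscription is expected to use. The sample feed and all host names in it are constructed for the demonstration; the parser ignores parameters (such as FMTTYPE=) and does not handle quoted parameter values that themselves contain a colon, which is a simplification.

```python
import re
from urllib.parse import urlparse

# Constructed sample feed (not from Bitsight's research). The first VEVENT is
# the benign holiday entry a forgotten subscription usually carries; the
# second is the kind of lure the article describes once the domain is
# hijacked. Content lines longer than 75 octets are folded with CRLF plus one
# whitespace character, as RFC 5545 requires, so the DESCRIPTION spans two
# physical lines.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "PRODID:-//Example//Holidays//EN\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:holiday-1@example.com\r\n"
    "DTSTART;VALUE=DATE:20251225\r\n"
    "SUMMARY:Christmas Day\r\n"
    "END:VEVENT\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:alert-1@example.com\r\n"
    "DTSTART:20251201T090000Z\r\n"
    "SUMMARY:Your antivirus has expired\r\n"
    "DESCRIPTION:Renew now at http://renew-av.example.net/login to avoid losing\r\n"
    "  protection.\r\n"
    "URL:http://renew-av.example.net/login\r\n"
    "ATTACH;FMTTYPE=application/pdf:http://cdn.example.biz/invoice.pdf\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Properties in which a hijacked feed can smuggle a clickable link or a file.
LINK_PROPERTIES = ("URL", "ATTACH", "DESCRIPTION", "LOCATION")


def unfold(ics_text):
    """Undo RFC 5545 line folding: a line break followed by a space or tab
    continues the previous content line. Returns the logical content lines."""
    text = ics_text.replace("\r\n", "\n")
    return [line for line in re.sub(r"\n[ \t]", "", text).split("\n") if line]


def parse_events(ics_text):
    """Return a list of VEVENTs, each a dict mapping property name to the list
    of values seen (a property may repeat, e.g. several ATTACH lines).
    Property parameters (";FMTTYPE=...") are dropped; this simplified parser
    assumes no quoted parameter value contains a colon."""
    events = []
    current = None
    for line in unfold(ics_text):
        name, _, value = line.partition(":")
        prop = name.split(";", 1)[0].upper()
        if prop == "BEGIN" and value.upper() == "VEVENT":
            current = {}
        elif prop == "END" and value.upper() == "VEVENT":
            if current is not None:
                events.append(current)
            current = None
        elif current is not None:
            current.setdefault(prop, []).append(value)
    return events


def links_in_event(event):
    """Collect every http(s) link in the properties that can carry one,
    in first-seen order and without duplicates."""
    links = []
    for prop in LINK_PROPERTIES:
        for value in event.get(prop, []):
            links.extend(URL_RE.findall(value))
    return list(dict.fromkeys(links))


def host_allowed(host, allowed_hosts):
    """True when host is one of the allowed domains or a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in allowed_hosts)


def audit_feed(ics_text, allowed_hosts):
    """Flag every link in the feed whose host is outside allowed_hosts.
    A holiday subscription from example.com has no business pointing the user
    at renew-av.example.net or handing out PDFs from cdn.example.biz."""
    findings = []
    for event in parse_events(ics_text):
        for link in links_in_event(event):
            host = (urlparse(link).hostname or "").lower()
            if not host_allowed(host, allowed_hosts):
                findings.append({
                    "uid": event.get("UID", [""])[0],
                    "summary": event.get("SUMMARY", [""])[0],
                    "link": link,
                    "host": host,
                })
    return findings


if __name__ == "__main__":
    # The subscription was created for a calendar hosted on example.com, so
    # that is the only domain its events are expected to reference.
    for finding in audit_feed(SAMPLE_ICS, {"example.com"}):
        print(f"[suspicious] {finding['uid']} '{finding['summary']}' -> {finding['link']}")
```

In practice the allow list comes from the subscription URL itself (the host the device was pointed at when the user clicked “subscribe”), and the audit runs on the feed the device actually fetches, which is exactly the payload an attacker controls after re-registering a lapsed domain. Events with links outside that host, or with any ATTACH property at all on a feed that never used attachments, are the ones to quarantine before they reach the user’s calendar.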