Redazione RHC : 11 September 2025 07:56
It has been discovered that iCloud Calendar invitations have been used to send phishing emails disguised as purchase notifications directly from Apple’s mail servers. This tactic increases the likelihood of bypassing spam filters.
Bleeping Computer reported that earlier this month, a reader shared a malicious email purporting to be a receipt for $599, supposedly charged to their PayPal account. The email included a phone number in case the recipient wanted to mark the payment or make changes.
The purpose of these emails is to trick users into believing that their PayPal account has been hacked and that the funds are being used by scammers to make purchases. Scammers try to scare the email recipient into calling the fake “support” number.
During the call, scammers continue to intimidate victims, convincing them that their account has actually been hacked. The attackers then offer to remotely connect to the victim’s computer (presumably to return the funds) or ask them to download and run software. Of course, attackers ultimately use the remote access they gain to steal money from the user’s bank accounts, distribute malware, or steal data from the compromised computer.
However, the strange thing about this case was that the fraudulent email came from [email protected], passing all SPF, DMARC, and DKIM security checks. In other words, the message actually came from Apple’s mail server.
Reporters explain that the email was actually an iCloud Calendar invitation. The attackers simply added phishing text to the Notes field and then sent the invitation to a Microsoft 365 address they controlled. When you create an event in iCloud Calendar and invite external people, an invitation email is sent from Apple servers (email.apple.com) on behalf of the iCloud Calendar owner. This email comes from [email protected].
Researchers believe this campaign is similar to another scam discovered in the spring of 2025. In both cases, the Microsoft 365 address to which the invitation is sent is actually an email address that automatically forwards all received emails to all other group members.
Because the malicious email originally came from Apple’s mail servers, it would not have passed SPF checks if forwarded to Microsoft 365. To prevent this from happening, Microsoft 365 uses the Sender Rewriting Scheme (SRS) to rewrite the return path to a Microsoft-related address, allowing the message to pass the controls.
Although the phishing email itself was nothing special, the abuse of the legitimate iCloud Calendar invitation feature and Apple’s email servers helps attackers evade spam filters because the emails appear to come from a trusted source.
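Since sender authentication cannot separate these invitations from genuine ones, a mail-side check has to look at the content of the calendar Notes field. The triage sketch below is an added example, not code from the article or from any vendor; the regex patterns, the `bounces+SRS=` return-path shape, and every address, tenant name and phone number in the sample are assumptions or constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# All patterns below are illustrative assumptions, not a vendor rule set.
SRS_RE = re.compile(r"(^|\+)SRS[01]?=", re.I)       # SRS-rewritten local part
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")      # loose phone-number match
LURE_RE = re.compile(r"paypal|charged|receipt|refund", re.I)

# Constructed sample: addresses, tenant name and phone number are placeholders.
SAMPLE = """\
From: iCloud Calendar <placeholder@email.apple.com>
Return-Path: <bounces+SRS=AbCdE=XY@tenant-placeholder.onmicrosoft.com>
To: list-member@example.org
Subject: Invitation
Content-Type: text/calendar; method=REQUEST; charset=utf-8

BEGIN:VCALENDAR
BEGIN:VEVENT
SUMMARY:Purchase Invoice
DESCRIPTION:Your PayPal account was charged $599.00. To make changes
  call +1 (555) 010-0199.
END:VEVENT
END:VCALENDAR
"""

def calendar_notes(msg):
    """Unfolded DESCRIPTION (Notes) text from every text/calendar part."""
    notes = []
    for part in msg.walk():
        if part.get_content_type() == "text/calendar":
            ics = part.get_payload(decode=True).decode("utf-8", "replace")
            ics = re.sub(r"\r?\n[ \t]", "", ics)     # RFC 5545 line unfolding
            notes += re.findall(r"^DESCRIPTION[^:\n]*:(.*)$", ics, re.M)
    return " ".join(notes)

def triage(raw, trusted=("email.apple.com",)):
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rp_local, _, rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")
    notes = calendar_notes(msg)
    signals = {
        "trusted_sender": from_dom in trusted,
        "srs_relayed": bool(SRS_RE.search(rp_local)) and rp_dom.lower() != from_dom,
        "lure_in_notes": bool(PHONE_RE.search(notes) and LURE_RE.search(notes)),
    }
    # Content decides; the SRS return path only raises priority.
    if signals["trusted_sender"] and signals["lure_in_notes"]:
        return ("high" if signals["srs_relayed"] else "review"), signals
    return "pass", signals
```

The function returns a verdict plus the individual signals, so a mail gateway or SOC rule can log which condition fired.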