Cybercriminals are exploiting iCloud Calendar's invitation system to distribute fraudulent emails that appear to originate directly from Apple's official servers. These messages mimic PayPal purchase notifications, falsely informing recipients of a $599 charge and urging them to call a provided support number to dispute the transaction. The emails are crafted to create a sense of urgency and fear, convincing victims they have been hacked.
The scam operates by abusing the calendar event feature: attackers insert phishing text into the event notes and send the invite to an attacker-controlled Microsoft 365 account. This account is configured as a mailing list that automatically forwards the message to a broader list of targets. Because the initial email is sent from Apple’s legitimate noreply@email.apple.com address, it passes standard email authentication checks like SPF, DKIM, and DMARC.
When the message is forwarded through Microsoft 365, the Sender Rewriting Scheme (SRS) ensures it continues to pass security protocols, further enhancing its legitimacy. This technique allows the phishing attempt to evade spam filters more effectively by leveraging Apple's trusted domain. Recipients are advised to treat unexpected calendar invitations containing suspicious messages with extreme caution, as they may be part of a sophisticated social engineering attack.
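Because authentication results cannot separate these messages from genuine invites, a mail filter has to look at other signals. The following triage sketch is an added example, not code from the article or from Apple or Microsoft: it flags mail that claims the Apple sender named above, arrives with an SRS-rewritten envelope sender at a non-Apple domain, and carries a payment-plus-phone-number lure. The SRS patterns, keyword heuristics, function names and the tenant.example domain are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

APPLE_SENDER = "noreply@email.apple.com"  # From address named in the article
# Assumed SRS shapes in the envelope sender: "SRS0="/"SRS1=" prefix or a "+SRS=" tag.
SRS_RE = re.compile(r"(^|\+)SRS[01]?=", re.IGNORECASE)
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
LURE_RE = re.compile(r"paypal|charged|\$\s?\d{2,}", re.IGNORECASE)

def assess(raw):
    """Return findings for one raw message; SPF/DKIM/DMARC results are ignored
    on purpose because the article says these messages pass all three."""
    msg = message_from_string(raw)
    if parseaddr(msg.get("From", ""))[1].lower() != APPLE_SENDER:
        return []  # only Apple-originated invites are in scope here
    findings = []
    envelope = parseaddr(msg.get("Return-Path", ""))[1]
    local, _, domain = envelope.lower().rpartition("@")
    apple_domain = domain == "apple.com" or domain.endswith(".apple.com")
    if SRS_RE.search(local) and not apple_domain:
        findings.append("relayed: SRS-rewritten envelope sender at " + domain)
    body = " ".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                    for p in msg.walk() if not p.is_multipart())
    if LURE_RE.search(body) and PHONE_RE.search(body):
        findings.append("callback lure: payment wording plus a phone number")
    return findings

def is_suspicious(raw):
    return len(assess(raw)) == 2  # relaying alone is normal for mailing lists

# Constructed sample messages (not real mail); tenant.example is a placeholder.
RELAYED_LURE = """\
Return-Path: <list+SRS=Ab1C=XY=email.apple.com=noreply@tenant.example>
From: Apple <noreply@email.apple.com>
Authentication-Results: mx.example; spf=pass; dkim=pass; dmarc=pass

Your PayPal account was charged $599.00. To dispute, call +1 (555) 010-0199.
"""
DIRECT_INVITE = """\
Return-Path: <noreply@email.apple.com>
From: Apple <noreply@email.apple.com>

You are invited to: Team lunch, Friday at noon.
"""

if __name__ == "__main__":
    for name, raw in (("relayed lure", RELAYED_LURE), ("direct invite", DIRECT_INVITE)):
        print(name, is_suspicious(raw), assess(raw))
```

Requiring both signals keeps ordinary list-forwarded invites from being flagged on the relay alone.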
