Opening the bottle and the breach
Pour yourself a glass of whiskey because this is exactly the kind of low-effort, high-impact move that keeps happening while security teams chase the next shiny thing. iCloud Calendar invites are being abused to deliver callback phishing emails directly from Apple’s servers, making them look legitimate enough to bypass spam filters and land in the inboxes of unsuspecting users. Yes, the attackers are riding the trust people have in Apple and calendar invites as if that trust were a security feature.
The details that actually matter
From the report we skimmed between the vendor press releases, this technique leverages calendar events that trigger emails, rather than relying solely on malicious attachments or fake login pages. The user sees something that resembles a legitimate Apple notification, clicks through, and somehow believes that an invite to purchase something from Apple warrants immediate action. The result is a higher chance that the email makes its way past basic filtering because it comes from a trusted domain and blends with regular calendar traffic.
Why this keeps happening
Because vendors sell convenience first and security second, and CISOs nod along with budgets that favor features over training. Because end users are conditioned to trust the brand in the subject line more than their own common sense. Because calendar invitations are treated as safe by default regardless of the actual risk. This is not a brand or platform failure so much as a fundamental gap in how organizations handle user education, email authentication, and monitoring for calendar abuse.
What you can do before the next bar tab question
Start with the basics that never seem basic enough. Enforce strict DMARC, DKIM, and SPF alignment so that calendar mail cannot impersonate the brand you actually use, and keep in mind that these invites are sent from Apple’s own servers, so sender authentication alone will not single them out. Disable automatic acceptance of calendar invites from unknown senders, and require manual review for invites with downloadable content or links. Train users with realistic phishing simulations that involve calendar invites. Implement monitoring rules for calendar events that attempt to exfiltrate credentials or direct users to external sites. And yes, include calendar abuse scenarios in your incident response playbooks, because you know there will be a time you need to respond to a calendar-based social engineering attack while you are on your fifth whiskey.
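One way to implement the manual-review and monitoring rules above, as an added example rather than code from the original article: a Python check that reads the text/calendar part of an inbound message and flags invites from organizers outside an allowlist, or whose text pairs payment wording with a phone number or carries a link. The sample message, addresses, keyword list and function names are constructed assumptions.

```python
import re
from email import message_from_string, policy

# Constructed sample invite (not a real message); continuation line is iCalendar folding.
SAMPLE = """\
From: noreply@calendar.example
Subject: Invitation: Payment receipt
Content-Type: text/calendar; method=REQUEST; charset=utf-8

BEGIN:VCALENDAR
BEGIN:VEVENT
ORGANIZER;CN=Billing:mailto:billing@unknown.example
SUMMARY:Payment receipt
DESCRIPTION:Your account was charged $120.00. If you did not authorize
  this payment call support at +1 (555) 010-0199 to cancel.
END:VEVENT
END:VCALENDAR
"""

PHONE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
URL = re.compile(r"https?://[^\s\\]+", re.I)
LURE = re.compile(r"\b(charged|payment|refund|invoice|cancel)\b", re.I)  # assumed keywords

def calendar_parts(raw):  # bodies of every text/calendar part in the message
    msg = message_from_string(raw, policy=policy.default)
    return [p.get_content() for p in msg.walk() if p.get_content_type() == "text/calendar"]

def event_props(ics):  # simplified parser: first value per property name
    unfolded = re.sub(r"\r?\n[ \t]", "", ics)  # undo line folding
    props = {}
    for line in unfolded.splitlines():
        head, sep, value = line.partition(":")
        if sep:
            value = value.replace("\\n", " ").replace("\\,", ",")
            props.setdefault(head.split(";")[0].upper(), value)
    return props

def review_invite(raw, known_organizers):  # reasons to hold the invite for review
    findings = []
    for ics in calendar_parts(raw):
        props = event_props(ics)
        organizer = props.get("ORGANIZER", "").lower().split("mailto:")[-1]
        text = props.get("SUMMARY", "") + " " + props.get("DESCRIPTION", "")
        if organizer not in known_organizers:
            findings.append("unknown organizer: " + organizer)
        if PHONE.search(text) and LURE.search(text):
            findings.append("callback lure: payment wording plus phone number")
        if URL.search(text):
            findings.append("external link in invite text")
    return findings
```

An empty list means none of the rules fired; any entry is a reason to route the invite to manual review instead of letting it land on the calendar.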
For the full details, read the original article here: iCloud Calendar abused to send phishing emails from Apple’s servers