Scammers are exploiting Apple’s iCloud Calendar feature to send phishing emails that appear to come directly from Apple’s own servers.
According to Bleeping Computer, a new phishing campaign is using iCloud Calendar invites to send fraudulent emails that appear to come from Apple’s legitimate email infrastructure. The scam emails, disguised as PayPal payment confirmations, are being sent from noreply@email.apple.com and pass authentication checks like SPF, DKIM, and DMARC, making them more likely to reach recipients' inboxes without being flagged as spam.
The emails urge recipients to call a fake support number to dispute a $599 charge, a typical callback phishing tactic designed to induce panic and encourage engagement.
The phishing messages were embedded in the Notes section of iCloud Calendar invites. Once the invite is created and external users are added, Apple automatically sends an invitation email on behalf of the iCloud Calendar user, using the trusted Apple domain.
In this case, scammers targeted a Microsoft 365 email account, likely configured as a mailing list that forwards messages to multiple recipients. Because the message originates from Apple’s infrastructure, it appears trustworthy. When Microsoft 365 forwards the email, it uses the Sender Rewriting Scheme (SRS) to modify the return path so the email passes security checks on the recipient’s end.
This combination of Apple’s legitimate infrastructure and Microsoft’s SRS behavior helps the phishing email bypass many traditional email security filters.
Apple has not responded to requests for comment on the abuse of its iCloud Calendar system. However, security experts warn that users should be cautious of unsolicited calendar invites, especially those containing unusual messages, requests for callbacks, or financial information.
BleepingComputer confirmed that the phishing emails came directly from Apple’s mail servers and matched authentication parameters used by legitimate Apple communications.
The phishing email is sent through Apple’s own mail servers and passes authentication protocols (SPF, DKIM, DMARC), making it appear legitimate to most spam filters.
SRS is a method used by services like Microsoft 365 to rewrite the return path of forwarded emails so they still pass SPF checks after being relayed.
Scammers insert their message in the Notes field of a calendar invite and invite external users. The invite then gets emailed directly from the provider’s trusted domain, like Apple’s.
Yes. In iCloud and some email clients, you can adjust settings to only receive calendar invites from known contacts or require approval before adding to your calendar.
Do not interact with the content. Delete the invite and report it through your email provider’s phishing or spam reporting tools. Avoid calling any phone numbers listed.