iCloud Calendar Phishing: How Hackers Exploit Apple Servers with Fake PayPal Receipts


Apple’s trusted iCloud Calendar is being misused by cybercriminals to push a new phishing scam, according to a report published on September 7, 2025. The attackers are sending fake calendar invites that appear to come directly from Apple’s servers, making them difficult to spot as fraudulent.

How the Scam Works

Victims receive an unexpected iCloud Calendar invite that looks like an official payment receipt from PayPal. The invite includes a “support” phone number, urging the recipient to call if they didn’t authorize the payment. Once on the phone, the scammer convinces the victim to install remote-access software, giving them direct entry into the device. From there, attackers can steal banking details, access emails, and compromise personal data.

Why It Bypasses Email Filters

This phishing method is especially dangerous because the invites are sent through noreply@email.apple.com, a legitimate Apple address. The messages pass standard authentication checks like SPF, DKIM, and DMARC, which usually protect users from spoofed emails.

  • SPF (Sender Policy Framework)
    A protocol that helps verify if an email is sent from an authorized mail server for a domain.
  • DKIM (DomainKeys Identified Mail)
    Uses cryptographic signatures to ensure the email hasn’t been tampered with in transit and that it really comes from the claimed domain.
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance)
    A policy layer that tells receiving mail servers what to do (accept, reject, or quarantine) if an email fails SPF or DKIM checks.

To spread the scam further, attackers use Microsoft 365 mailing lists they control. When the invites are forwarded, Microsoft’s Sender Rewriting Scheme (SRS) ensures they still appear authentic and continue to pass security checks.

The combination of a real Apple domain, valid authentication, and a well-known brand like PayPal makes the scam appear credible. Many users may panic at the sight of a supposed payment and quickly follow the instructions, unknowingly giving criminals control of their systems. 
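Because authentication passes, a mail filter has to judge these invites on content instead. The following triage sketch is an added example, not code from the report or from Apple, Microsoft or PayPal; the sample message, the SRS-style Return-Path, the phone-number pattern and the indicator names are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample of a forwarded invite; every header and body value is made up.
SAMPLE = """\
Return-Path: <bounces+SRS=abcde=XY=email.apple.com=noreply@list.example>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=list.example;
 dkim=pass header.d=email.apple.com; dmarc=pass header.from=email.apple.com
From: noreply@email.apple.com
To: user@example.net
Subject: Invitation
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/calendar; method=REQUEST; charset=utf-8

BEGIN:VCALENDAR
BEGIN:VEVENT
SUMMARY:Payment receipt
DESCRIPTION:PayPal charged $599.00. Not you? Call support +1 (555) 010-0199
END:VEVENT
END:VCALENDAR
--b1--
"""
PHONE = re.compile(r"\+?\d[\d\s().-]{8,}\d")   # loose phone-number shape (assumption)
BRAND = re.compile(r"\bpaypal\b", re.I)        # payment brand named in the article

def triage(raw):
    """Return the indicators present in one raw message, in the order checked."""
    msg, hits = message_from_string(raw), []
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    if all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc")):
        hits.append("auth-pass")               # recorded, but never used as a verdict
    if parseaddr(msg.get("From", ""))[1].lower().endswith("@email.apple.com"):
        hits.append("apple-sender")
    if re.search(r"SRS\d?=", msg.get("Return-Path", ""), re.I):
        hits.append("srs-forwarded")           # envelope sender rewritten by a forwarder
    for part in msg.walk():
        if part.get_content_type() == "text/calendar":
            ics = re.sub(r"\r?\n[ \t]", "", part.get_payload())  # unfold iCalendar lines
            hits.append("calendar-invite")
            hits += [n for n, rx in (("payment-lure", BRAND), ("callback-number", PHONE)) if rx.search(ics)]
    return hits

def is_callback_phish(raw):
    """Content decides: an invite carrying a payment lure plus a phone number is held."""
    return {"calendar-invite", "payment-lure", "callback-number"} <= set(triage(raw))
```

The verdict deliberately ignores the "auth-pass" indicator: it is logged for the analyst, but only the invite content triggers the hold.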

How to Stay Safe

  • Don’t accept or respond to suspicious calendar invites.
  • Never call phone numbers listed in unsolicited emails or invites.
  • Avoid installing software based on instructions from unknown callers.
  • Always confirm payments directly through the official PayPal or Apple websites.
  • Use two-factor authentication and keep antivirus tools updated.

Key Takeaways

  • Phishing campaigns are now exploiting calendar services, not just email.
  • Even trusted brands like Apple can be abused to spread scams.
  • User awareness is the strongest defense against such attacks.

Quick FAQs

Q1. How do iCloud Calendar phishing emails bypass spam filters?
They are sent directly through Apple’s servers, making them pass SPF, DKIM, and DMARC checks.

Q2. What happens if I call the “support” number?
You’ll be tricked into installing remote-access software, giving hackers full control of your device.

Q3. How can I avoid such scams?
Don’t trust unsolicited invites, verify transactions on the official website, and enable 2FA for accounts.

Author

  • Maya Pillai is a technology writer with over 20 years of experience. She specializes in cybersecurity, focusing on ransomware, endpoint protection, and online threats, making complex issues easy to understand for businesses and individuals.
