{"id":16384,"date":"2025-09-08T09:38:24","date_gmt":"2025-09-08T09:38:24","guid":{"rendered":"http:\/\/localhost\/?p=16384"},"modified":"2025-09-08T09:38:24","modified_gmt":"2025-09-08T09:38:24","slug":"icloud-calendar-infrastructure-abused-in-paypal-phishing-campaign","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=16384","title":{"rendered":"iCloud Calendar infrastructure abused in PayPal phishing campaign_MALWAREBYTES:19BD76B9C9DCE9B7975F7B730AE5BDF1"},"content":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2025-09-08T14:05:27&#8243;,&#8221;description&#8221;:&#8221;Once again, phishers are targeting PayPal users by abusing existing legitimate infrastructure. Only this time they\u2019re not abusing PayPal\u2019s platform, but iCloud Calendar invites.\\n\\nOur friends over at BleepingComputer unraveled a call-back phishing scam which was sent to one of their readers.\\n\\n![Purchase invoice](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2025\/09\/Calendar_invite.png)\\n\\n\\u003e \u201cPedro McCarthy invited you to \u2018Purchase Invoice\u2019.\\n\\u003e \\n\\u003e Purchase Invoice\\n\\u003e \\n\\u003e Hello Customer,  \\n\\u003e Your PayPal account has been billed $599.00  \\n\\u003e We\u2019re confirming receipt of your recent payment. Below are the details:  \\n\\u003e Invoice ID: AFER13VD\\n\\u003e \\n\\u003e Date: AUG 28, 2025\\n\\u003e \\n\\u003e Amount: USD 599.00\\n\\u003e \\n\\u003e If you wish to discuss or make changes to this payment, please contact our support team at +1 +1 (786) 902 8579\u201d\\n\\nThe sender email address shows as `noreply@email.apple.com` which helps it pass every imaginable email security check since it actually came from an Apple server. This happens because it is an iCloud Calendar invite, with the phishing text written in the \u201cNotes\u201d field.\\n\\nThe recipient address shown is a Microsoft 365 account controlled by the phishers. 
When creating such an iCloud Calendar event with external people added to the invite, an email is sent from Apple&#8217;s servers in the iCloud Calendar owner&#8217;s name with the email address `noreply@email.apple.com`.\\n\\nThe Microsoft 365 account is very likely a mailing list holding the email addresses of the targets in this campaign. This method allows the phishers to use the Microsoft Sender Rewriting Scheme (SRS), a technical method used to make email forwarding work smoothly without breaking anti-spoofing protections.\\n\\nBecause the rewritten sender address now belongs to the forwarding domain (e.g., Microsoft 365), it doesn\u2019t trigger any alarms. Meanwhile, the \\&#8221;From\\&#8221; address you see in your email program remains the same as the original sender, so the email looks legitimate to the recipient\u2014especially when that address belongs to Apple.\\n\\nA call-back phishing campaign is usually set up to entrap targets that decide to call the number listed in the invitation. They\u2019ll be asked to download something under false pretences, which often turns out to be a remote desktop client or information-stealing malware\u2014which will then be used to drain all your accounts.\\n\\n## How to stay safe\\n\\nDon\u2019t be fooled by the legitimate sender email address. 
Besides spoofing a sender email address, criminals are finding other ways to abuse big tech infrastructure and make it look as if an email came from a legitimate company.\\n\\nThe email has many of the usual signs of a phishing mail:\\n\\n  * Urgency is imposed by a large amount being billed\\n  * Generic greetings: \u201cHello customer\u201d and not your name.\\n  * The receiver\u2019s email address is not yours.\\n  * The spelling error in the phone number (twice the +1)\\n\\n\\n\\nWhat you can do:\\n\\n  * Always search phone numbers and email addresses to look for associations with known scams.\\n  * Log in directly to PayPal.com to see if there are any messages in your account.\\n  * Enable two-factor authentication (2FA) on your PayPal account to add an extra layer of security to your financial accounts and help prevent scammers getting in.\\n  * Report suspicious emails and phishing emails to phishing@paypal.com. Then delete them.\\n\\n\\n\\n* * *\\n\\n**We don&#8217;t just report on scams\u2014we help detect them**\\n\\nCybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it&#8217;s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we\u2019ll tell you if it&#8217;s a scam or legit. 
Download Malwarebytes Mobile Security for iOS or Android and try it today!&#8221;,&#8221;published&#8221;:&#8221;2025-09-08T12:47:47&#8243;,&#8221;modified&#8221;:&#8221;2025-09-08T12:47:47&#8243;,&#8221;type&#8221;:&#8221;malwarebytes&#8221;,&#8221;title&#8221;:&#8221;iCloud Calendar infrastructure abused in PayPal phishing campaign&#8221;,&#8221;source&#8221;:&#8221;&#8221;,&#8221;references&#8221;:&#8221;&#8221;,&#8221;id&#8221;:&#8221;MALWAREBYTES:19BD76B9C9DCE9B7975F7B730AE5BDF1&#8243;,&#8221;bulletinFamily&#8221;:&#8221;blog&#8221;,&#8221;cwe&#8221;:null,&#8221;cvelist&#8221;:[],&#8221;sourceData&#8221;:&#8221;&#8221;,&#8221;sourceHref&#8221;:&#8221;&#8221;,&#8221;cvss&#8221;:{&#8220;score&#8221;:0,&#8221;severity&#8221;:&#8221;NONE&#8221;,&#8221;vector&#8221;:&#8221;NONE&#8221;,&#8221;version&#8221;:&#8221;NONE&#8221;},&#8221;cvss2&#8243;:{},&#8221;cvss3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;,&#8221;cvssV3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;}},&#8221;href&#8221;:&#8221;https:\/\/www.malwarebytes.com\/blog\/news\/2025\/09\/
icloud-calendar-infrastructure-abused-in-paypal-phishing-campaign&#8221;,&#8221;category_name&#8221;:&#8221;News&#8221;,&#8221;post_link&#8221;:&#8221;&#8221;,&#8221;product&#8221;:&#8221;&#8221;,&#8221;version&#8221;:&#8221;&#8221;,&#8221;vendor&#8221;:&#8221;&#8221;,&#8221;ai_description&#8221;:&#8221;&#8221;,&#8221;ai_severity&#8221;:&#8221;&#8221;,&#8221;ai_vendor&#8221;:&#8221;&#8221;,&#8221;ai_product&#8221;:&#8221;&#8221;,&#8221;ai_version&#8221;:&#8221;&#8221;,&#8221;ai_score&#8221;:0}<\/p>\n","protected":false},"excerpt":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2025-09-08T14:05:27&#8243;,&#8221;description&#8221;:&#8221;Once again, phishers are targeting PayPal users by abusing existing legitimate infrastructure. Only this time they\u2019re not abusing PayPal\u2019s platform, but iCloud Calendar invites.\\n\\nOur friends&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-16384","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>iCloud Calendar infrastructure abused in PayPal phishing campaign_MALWAREBYTES:19BD76B9C9DCE9B7975F7B730AE5BDF1 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=16384\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"iCloud Calendar infrastructure abused in PayPal phishing 
campaign_MALWAREBYTES:19BD76B9C9DCE9B7975F7B730AE5BDF1 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{&#8220;lastseen&#8221;:&#8221;2025-09-08T14:05:27&#8243;,&#8221;description&#8221;:&#8221;Once again, phishers are targeting PayPal users by abusing existing legitimate infrastructure. Only this time they\u2019re not abusing PayPal\u2019s platform, but iCloud Calendar invites.nnOur friends...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=16384\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-09-08T09:38:24+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=16384#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=16384\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"iCloud Calendar infrastructure abused in PayPal phishing 
campaign_MALWAREBYTES:19BD76B9C9DCE9B7975F7B730AE5BDF1\",\"datePublished\":\"2025-09-08T09:38:24+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=16384\"},\"wordCount\":795,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"malwarebytes\",\"news\",\"NONE\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=16384#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=16384\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=16384\",\"name\":\"iCloud Calendar infrastructure abused in PayPal phishing campaign_MALWAREBYTES:19BD76B9C9DCE9B7975F7B730AE5BDF1 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-09-08T09:38:24+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=16384#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=16384\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=16384#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"iCloud Calendar infrastructure abused in PayPal phishing campaign_MALWAREBYTES:19BD76B9C9DCE9B7975F7B730AE5BDF1\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero 
redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"iCloud Calendar infrastructure abused in PayPal phishing campaign_MALWAREBYTES:19BD76B9C9DCE9B7975F7B730AE5BDF1 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=16384","og_locale":"en_US","og_type":"article","og_title":"iCloud Calendar infrastructure abused in PayPal phishing campaign_MALWAREBYTES:19BD76B9C9DCE9B7975F7B730AE5BDF1 - zero redgem","og_description":"{&#8220;lastseen&#8221;:&#8221;2025-09-08T14:05:27&#8243;,&#8221;description&#8221;:&#8221;Once again, phishers are targeting PayPal users by abusing existing legitimate infrastructure. Only this time they\u2019re not abusing PayPal\u2019s platform, but iCloud Calendar invites.nnOur friends...","og_url":"https:\/\/zero.redgem.net\/?p=16384","og_site_name":"zero redgem","article_published_time":"2025-09-08T09:38:24+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=16384#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=16384"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"iCloud Calendar infrastructure abused in PayPal phishing campaign_MALWAREBYTES:19BD76B9C9DCE9B7975F7B730AE5BDF1","datePublished":"2025-09-08T09:38:24+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=16384"},"wordCount":795,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","malwarebytes","news","NONE","Security","tapic","Vulnerability"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=16384#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=16384","url":"https:\/\/zero.redgem.net\/?p=16384","name":"iCloud Calendar infrastructure abused in PayPal phishing campaign_MALWAREBYTES:19BD76B9C9DCE9B7975F7B730AE5BDF1 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-09-08T09:38:24+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=16384#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=16384"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=16384#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"iCloud Calendar infrastructure abused in PayPal phishing campaign_MALWAREBYTES:19BD76B9C9DCE9B7975F7B730AE5BDF1"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero 
redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/16384","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=16384"}],"version-history":[{"count":0,"href":"htt
ps:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/16384\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=16384"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=16384"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=16384"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}