Apple iCloud Calendar Invites Abused to Send Phishing Emails | Sync Up
A new phishing trend is exploiting calendar invites to deliver scams that look routine on the surface but are designed to steal information or plant malware. We’ll explain why cyber criminals are taking this approach and how you can protect yourself as we sit down and sync up with Rocket IT’s weekly technology update.
In this episode, you’ll hear more about:
- How Apple calendar invites are being turned into phishing scams.
- Why this approach can sneak past the filters that normally catch bad emails.
- What security researchers uncovered in their latest investigation.
- The kinds of tricks scammers use once the invite lands.
- Steps you can take to spot these scams before they do damage.
Video Transcript
Traditionally, the art of email phishing relies on spoofed addresses, look-alike domains, and hijacked accounts. But in recent years, spam filters have gotten good at blocking those attempts, and would-be victims know the signs to watch for. So, like others in tech, hackers have innovated.
Recently, security researchers have seen a rise in fake calendar invites. Rather than pretending to be a trusted sender, scammers piggyback on one. Instead of sending a sketchy-looking email, scammers create a calendar event and let a trusted service deliver it for them. In a recent investigation from BleepingComputer, Apple’s own mail servers were being used to send iCloud calendar events. Because those messages originate from Apple infrastructure, they pass authentication checks, so the invites are far more likely to land in inboxes. This trust transfer is what gives calendar-invite phishing an edge at the delivery stage. Further testing also revealed that even downstream forwarding didn’t always trip alarms because mail routing preserved authentication, keeping the messages looking legitimate end-to-end.
Also, another important item to note here is that, although BleepingComputer’s research only covered invites sent via iCloud, similar attacks have also become popular with other apps, like Outlook.
Now, you might be wondering what the goal for scammers is here, and it varies with the lure. Some messages try to nudge you into clicking a link, opening an attachment, installing remote-access software, or verifying credentials. Regardless, the goal is the same. Cyber criminals either want to steal logins and data on personal accounts or gain a foothold on business devices to move laterally, plant malware, and set up ransomware.
So, what should you watch for? Treat out-of-the-blue invites with caution, especially if the event notes contain unusual instructions, attachments, or phone numbers. Legitimate meetings typically come from people you know, reference real projects, and don’t pressure you to act immediately. If you didn’t expect it, verify through a known channel before you click, download, or respond.
As phishing continues to move beyond traditional email, it’s important your defenses factor in both people and processes. Rocket IT works with organizations to secure mail settings, fine-tune authentication policies, and run ongoing awareness training for your team. For help, reach out using the link in this video’s description, and don’t forget to hit subscribe and tap the bell to catch next week’s episode of Sync Up.
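The warning signs from the transcript (unexpected organizer, phone numbers, links or attachments in the event notes) can be checked mechanically on the calendar part of a message. The sketch below is an added example, not code from Rocket IT or BleepingComputer. The sample message, addresses and function names are constructed for illustration, and it assumes the `Authentication-Results` header was written by your own receiving mail server.

```python
import re
from email import message_from_string

PHONE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
URL = re.compile(r"https?://\S+", re.I)
# Constructed sample: an invite relayed by a trusted service, so authentication passes.
SAMPLE = """\
From: noreply@mail.example
Subject: Invitation: Payment confirmation
Authentication-Results: mx.example.org; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/calendar; charset=utf-8; method=REQUEST

BEGIN:VCALENDAR
BEGIN:VEVENT
ORGANIZER;CN=Billing:mailto:billing@unknown.example
SUMMARY:Payment confirmation
DESCRIPTION:Your account was charged. To dispute it call +1 (555) 010-0199
 within 24 hours.
END:VEVENT
END:VCALENDAR
"""

def ics_properties(ics_text):
    """Unfold RFC 5545 lines and return {NAME: [values]} (parameters dropped)."""
    unfolded = re.sub(r"\r?\n[ \t]", "", ics_text)
    props = {}
    for line in unfolded.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            props.setdefault(name.split(";")[0].upper(), []).append(value)
    return props

def triage_invite(raw_message, known_organizers):
    """Return reasons to verify an invite through a known channel before acting."""
    msg = message_from_string(raw_message)
    reasons = []
    for part in (p for p in msg.walk() if p.get_content_type() == "text/calendar"):
        props = ics_properties(part.get_payload(decode=True).decode("utf-8", "replace"))
        organizer = props.get("ORGANIZER", [""])[0].lower().removeprefix("mailto:")
        notes = " ".join(props.get("DESCRIPTION", []) + props.get("SUMMARY", []))
        checks = [(organizer not in known_organizers, "organizer not in known contacts"),
                  (PHONE.search(notes), "phone number in event notes"),
                  (URL.search(notes), "link in event notes"),
                  ("ATTACH" in props, "attachment on event")]
        reasons += [why for hit, why in checks if hit]
    # A pass only proves which service relayed the message, not who wrote the invite.
    auth = (msg.get("Authentication-Results") or "").lower()
    if reasons and "dmarc=pass" in auth:
        reasons.append("authentication passed: trusted relay, content still unverified")
    return reasons
```

The patterns are heuristics for routing an invite to manual verification, not a verdict; `known_organizers` is expected to hold lowercase addresses.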