Phishing through the iCloud calendar: this is the most sophisticated scam affecting Apple users

During the second week of September 2025, a wave of scams and cyberattacks exploiting Apple's iCloud calendar was detected, with an alarming spike in malicious invitations and event notifications that simulate payments, cryptocurrency raffles or false invoices. These attacks take advantage of the legitimacy of calendar invitations — which come from real Apple servers — to evade spam filters and deceive even the most cautious users, affecting both individuals and companies on a global scale.

‍

How does the iCloud calendar scam work?

• Cybercriminals send calendar invitations via iCloud — either by email or directly as an event — using authentic addresses such as noreply@email.apple.com.
• The event includes alert messages simulating purchases on PayPal, winners of cryptocurrency raffles or urgent notifications (“your account has been billed $599”, “check your wallet”, “call support”).
• Fraudulent content is usually in the notes section or as embedded links that lead to phishing pages or request to call fake support numbers; once the user calls or interacts, scammers attempt to obtain credentials, install malware, or perform direct balance theft.
• These invitations bypass authentication controls such as SPF, DKIM or DMARC and overcome classic spam filters, since they travel through legitimate Apple servers and are often forwarded using Microsoft 365 lists, achieving even greater fraudulent distribution.

‍

Cryptocurrency-Related Scams: The New Trend

• Most recent campaigns include issues related to crypto investments, commission refunds, blocked wallet alerts, or false sweepstakes promising quick profits.
• Click on the event link and you may end up on a website that simulates a wallet to “claim” the prize, but that actually steals your keys or funds, with millions of dollars reported according to the latest summary from 9to5Mac and Forbes.
• Cybersecurity experts warn that attacks are selective and customizable, making alerts sound credible: criminals use public information and filtered databases to refine their message.

‍

Why are these attacks so effective?

• They use legitimate resources: invitations come from official servers, creating trust in unsuspecting users.
• They overcome classic filters: they are not detected as spam or malware, and events appear automatically if the option is activated.
• High degree of personalization: scammers can include the user's name, references to known services, or details taken from recent public data breaches, increasing the effectiveness of the deception.

‍

Recommendations for Apple and iCloud Calendar users

• Check your calendar: eliminate any suspicious events that you didn't create, and avoid interacting with unknown links or phone numbers.
• Disable the self-acceptance of invitations to iCloud events in your account settings.
• Never call “support” numbers or verify data outside official Apple channels.
• Report fraudulent events using the Report Junk option on iCloud.com.
• Reinforce your accounts with two-factor authentication and frequently monitor your devices for any unusual warning.

‍

🛡️ Check your security audit with Apolo Cybersecurity and protect your accounts and employees

The spike in phishing campaigns through the iCloud calendar demonstrates how attackers can take advantage of their own legitimate platforms to overcome trust and security filters. Always check the source of any unexpected event, and if you have questions, consult official support. Training and prevention remain the best shield for Apple users and businesses.

Do you want to shield your organization from increasingly sophisticated phishing campaigns?

‍