As first reported by Bleeping Computer, a newly uncovered phishing campaign is leveraging iCloud Calendar invites to send deceptive billing messages that appear to originate from Apple’s official servers. One recent example claimed a user’s PayPal account had been charged $599, offering a fake support number to “dispute” the charge. The ultimate aim is to scare recipients into calling and enabling remote access.
Attack Mechanism
For healthcare organizations, this presents a significant risk: the phishing messages—delivered via calendar invites—pass standard authentication checks (SPF, DKIM, DMARC), appearing legitimate and often bypassing email security filters. That means even well-protected hospital inboxes may be exposed.
The phishing content is embedded in the Notes section of the calendar event and sent from noreply@email.apple.com. It targets Microsoft 365 addresses that appear to be mailing lists, ensuring broad exposure across staff groups. Microsoft’s Sender Rewriting Scheme (SRS) masks the forwarding mechanism, so the message continues to pass authentication checks even after distribution.
Healthcare Risks
Upon calling the fake number, users are urged to download remote access tools—ostensibly for refund processing. But once inside, attackers can steal PHI, access medical billing systems, or move laterally across clinical networks.
Because healthcare workers often deal with billing notifications, appointment reminders, and account confirmations, this type of phishing attack can blend into normal workflows—making it particularly effective in hospital and clinical settings.
Mitigation Tips
Healthcare security teams should immediately alert staff to this new vector and flag calendar invites containing billing information as suspicious. Endpoint detection systems should monitor for unauthorized remote access tool installations. Additionally, consider restricting calendar invite forwarding or external invites from unknown sources. In high-risk environments like hospitals, even a calendar invite can be a Trojan horse.
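One way to flag invites whose Notes field carries billing language, shown as an added example that is not from the original report: it reads the iCalendar DESCRIPTION property (where the Notes text travels) and alerts when at least two lure signals appear together. The keyword list, the two-signal threshold, the function names and both sample messages are assumptions made for illustration.

```python
import re
from email import message_from_string

BILLING = re.compile(r"\b(paypal|charged|refund|invoice|dispute|payment)\b", re.I)
AMOUNT = re.compile(r"\$\s?\d[\d,]*(?:\.\d{2})?")
PHONE = re.compile(r"\+?\d[\d\s().-]{8,}\d")

def invite_notes(msg):
    """Unfolded, unescaped DESCRIPTION (the Notes field) of the first text/calendar part."""
    for part in msg.walk():
        if part.get_content_type() != "text/calendar":
            continue
        ics = part.get_payload(decode=True).decode("utf-8", "replace")
        ics = re.sub(r"\r?\n[ \t]", "", ics)  # RFC 5545: a leading space continues the line
        m = re.search(r"^DESCRIPTION[^:\r\n]*:(.*)$", ics, re.M)
        if m:
            return re.sub(r"\\[nN]", "\n", m.group(1)).replace("\\,", ",").strip()
    return ""

def flag_invite(raw_email):
    """Return the reasons an invite looks like a billing lure; an empty list means no flag."""
    msg = message_from_string(raw_email)
    notes = invite_notes(msg)
    hits = [name for name, rx in (("billing-language", BILLING),
                                  ("dollar-amount", AMOUNT),
                                  ("callback-number", PHONE)) if rx.search(notes)]
    if len(hits) < 2:  # assumed threshold: one weak signal alone is too noisy
        return []
    # SPF/DKIM/DMARC pass for these invites, so the sender is recorded, not trusted.
    if "@email.apple.com" in msg.get("From", "").lower():
        hits.append("icloud-calendar-sender")
    return hits

# Constructed samples (not real messages); the phone number is fictional.
LURE = r"""From: noreply@email.apple.com
Subject: Invitation
Content-Type: text/calendar; method=REQUEST; charset=utf-8

BEGIN:VCALENDAR
BEGIN:VEVENT
SUMMARY:Purchase Invoice
DESCRIPTION:Your PayPal account was charged $599.00.\nTo dispute call
  +1 (555) 010-0199
END:VEVENT
END:VCALENDAR
"""
BENIGN = ("From: scheduler@example.org\nContent-Type: text/calendar\n\n"
          "BEGIN:VEVENT\nDESCRIPTION:Weekly staff sync\\, room 4B\nEND:VEVENT\n")
```

Invites that return a non-empty list are candidates for quarantine or analyst review rather than automatic deletion, since legitimate billing reminders can share these signals.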