
Oct 2025: iCLOUD CALENDAR PHISHING

iCloud Lure Red Flags

Threat Alert: iCLOUD CALENDAR PHISHING

  • Threat actors are leveraging legitimate Apple iCloud Calendar infrastructure to deliver malicious content to end users.
  • Phishing messages claiming that there is a large charge to the recipient’s account come from [email protected].
  • This combination of TOAD attacks and invite abuse is relatively unusual.

How is it used in the wild?

  • When a calendar invite is created through iCloud Calendar, an email is sent to anyone who is invited to notify them of the event. The email is sent via Apple’s servers and has the sender [email protected].
  • Threat actors use the Notes field of the calendar invite to send a message spoofing PayPal, claiming that a large charge has been made to the recipient’s account and including a callback number. The intent is to conduct a Telephone-Oriented Attack Delivery (TOAD) attack by tricking recipients into calling the number for support.
  • In general, these types of attacks lead to the installation of a remote monitoring and management (RMM) tool.
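
A triage heuristic for the lure described above, as an added example that is not part of the original alert: it reads an invite's .ics text, recovers the Notes field (the iCalendar DESCRIPTION property), and flags a callback number combined with payment-brand or billing language. The sample invite, the signal names and the keyword lists are constructed assumptions, and property parameters containing a quoted colon are not handled.

```python
import re

# Constructed sample invite, not a real message; the phone number is fictional.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\n"
    "SUMMARY:Purchase Invoice\r\n"
    "DESCRIPTION:Hello Customer\\, your PayPal account has been billed $599.00.\r\n"
    "  If you did not authorize this charge\\, call support at +1 (800) 555-0199.\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

# Assumed signal patterns; extend the brand list with what your users actually see.
PHONE = re.compile(r"(?<!\d)(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
SIGNALS = [
    ("callback_number", PHONE),
    ("payment_brand", re.compile(r"\bpaypal\b", re.I)),
    ("billing_language", re.compile(r"\b(charged?|billed|invoice|payment|refund)\b", re.I)),
    ("amount", re.compile(r"[$€£]\s?\d[\d,]*(?:\.\d{2})?")),
]

def unfold(ics):
    # RFC 5545: a line break followed by one space or tab continues the previous line.
    return re.sub(r"\r?\n[ \t]", "", ics)

def _unescape(value):
    # RFC 5545 TEXT escapes: \\  \;  \,  and \n or \N for a newline.
    return re.sub(r"\\([\\;,nN])",
                  lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)

def description(ics):
    """Return the unescaped DESCRIPTION (Notes field) of the first event, or ''."""
    for line in unfold(ics).splitlines():
        name, _, value = line.partition(":")
        if name.split(";")[0].upper() == "DESCRIPTION":
            return _unescape(value)
    return ""

def toad_signals(ics):
    """List the names of the lure signals present in the invite's Notes text."""
    text = description(ics)
    return [name for name, pattern in SIGNALS if pattern.search(text)]

def is_suspicious(ics):
    # A phone number alone is normal (dial-in details); require one more signal.
    found = toad_signals(ics)
    return "callback_number" in found and len(found) >= 2

if __name__ == "__main__":
    print(toad_signals(SAMPLE_ICS), is_suspicious(SAMPLE_ICS))
```
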

Key Action: Stay Alert!

  • Avoid interacting with calendar invites, especially if unexpected and from unknown senders.
  • Scrutinize unsolicited messages that purport to come from a business and prompt you to call a phone number. If you need to call the business, look up its number on the organization's website.
  • Avoid interacting with links or attachments in unsolicited email.
  • Report ANY suspicious emails via Phish Alarm.