Phishing Campaign Abuses iCloud Calendar to Send Emails from Apple Servers
Summary
A phishing campaign continues to abuse Apple’s legitimate infrastructure to deliver callback phishing emails, now exploiting Apple account change notifications to embed fake purchase alerts. Scammers insert phishing text into Apple ID personal information fields, which Apple includes in security alerts sent to users. The emails originate from Apple’s servers ([email protected]), pass SPF, DKIM, and DMARC checks, and are distributed via Apple’s mailing infrastructure, bypassing spam filters and increasing legitimacy. The emails mimic iPhone purchase notifications via PayPal, claiming charges of $899, and prompt recipients to call a provided number to cancel the transaction. These scams aim to trick victims into granting remote access to their computers, enabling theft of funds, deployment of malware, or data theft. The campaign represents an evolution of prior tactics that abused iCloud Calendar invites to send phishing emails from Apple’s servers. Users are advised to treat unexpected account alerts—especially those claiming unauthorized purchases or urging calls to support numbers—with caution, particularly if they did not initiate recent changes.
Timeline
- 07.09.2025 20:10 · 2 articles
Phishing Campaign Abuses iCloud Calendar to Send Emails from Apple Servers
A phishing campaign abuses Apple’s legitimate account change notification system to embed phishing lures in Apple security alerts. Scammers insert scam text into the first and last name fields of an Apple ID, which Apple includes in account change notifications. The emails are sent from Apple’s infrastructure using [email protected] and pass SPF, DKIM, and DMARC authentication checks, increasing legitimacy and bypassing spam filters. The phishing messages mimic iPhone purchase alerts via PayPal, claiming charges of $899, and prompt recipients to call a provided number to cancel the transaction. The emails are initially sent to an iCloud address controlled by the attacker before being relayed to targets via a mailing list. This method represents an evolution of prior iCloud Calendar-based phishing tactics, aiming to deceive recipients into granting remote access to their computers for financial theft, malware deployment, or data theft.
Sources:
- iCloud Calendar abused to send phishing emails from Apple’s servers — www.bleepingcomputer.com — 07.09.2025 20:10
- Apple account change alerts abused to send phishing emails — www.bleepingcomputer.com — 19.04.2026 19:03
Information Snippets
- Phishing emails are sent using iCloud Calendar invites, making them appear legitimate and bypassing spam filters.
  First reported: 07.09.2025 20:10 (1 source, 2 articles). Sources:
  - iCloud Calendar abused to send phishing emails from Apple’s servers — www.bleepingcomputer.com — 07.09.2025 20:10
  - Apple account change alerts abused to send phishing emails — www.bleepingcomputer.com — 19.04.2026 19:03
- The emails mimic purchase notifications from PayPal, claiming a $599 charge.
  First reported: 07.09.2025 20:10 (1 source, 2 articles). Sources:
  - iCloud Calendar abused to send phishing emails from Apple’s servers — www.bleepingcomputer.com — 07.09.2025 20:10
  - Apple account change alerts abused to send phishing emails — www.bleepingcomputer.com — 19.04.2026 19:03
- The emails prompt recipients to call a provided number to discuss or cancel the payment.
  First reported: 07.09.2025 20:10 (1 source, 1 article). Sources:
  - iCloud Calendar abused to send phishing emails from Apple’s servers — www.bleepingcomputer.com — 07.09.2025 20:10
- The scammers aim to gain remote access to the victim's computer to steal money, deploy malware, or steal data.
  First reported: 07.09.2025 20:10 (1 source, 2 articles). Sources:
  - iCloud Calendar abused to send phishing emails from Apple’s servers — www.bleepingcomputer.com — 07.09.2025 20:10
  - Apple account change alerts abused to send phishing emails — www.bleepingcomputer.com — 19.04.2026 19:03
- The emails are sent from [email protected] and include the phishing text within the Notes field of the calendar invite.
  First reported: 07.09.2025 20:10 (1 source, 2 articles). Sources:
  - iCloud Calendar abused to send phishing emails from Apple’s servers — www.bleepingcomputer.com — 07.09.2025 20:10
  - Apple account change alerts abused to send phishing emails — www.bleepingcomputer.com — 19.04.2026 19:03
- The emails pass SPF, DKIM, and DMARC email authentication checks because they originate from Apple’s servers, so these checks offer no protection against this campaign.
  First reported: 07.09.2025 20:10 (1 source, 2 articles). Sources:
  - iCloud Calendar abused to send phishing emails from Apple’s servers — www.bleepingcomputer.com — 07.09.2025 20:10
  - Apple account change alerts abused to send phishing emails — www.bleepingcomputer.com — 19.04.2026 19:03
- The emails are sent to a Microsoft 365 email address controlled by the threat actor.
  First reported: 07.09.2025 20:10 (1 source, 1 article). Sources:
  - iCloud Calendar abused to send phishing emails from Apple’s servers — www.bleepingcomputer.com — 07.09.2025 20:10
- Microsoft 365 uses the Sender Rewriting Scheme (SRS) to rewrite the Return-Path (envelope sender) when forwarding, which allows the relayed emails to pass SPF checks.
  First reported: 07.09.2025 20:10 (1 source, 1 article). Sources:
  - iCloud Calendar abused to send phishing emails from Apple’s servers — www.bleepingcomputer.com — 07.09.2025 20:10
- Apple account change notifications are abused to embed phishing lures claiming iPhone purchases via PayPal, prompting victims to call scammer-controlled numbers.
  First reported: 19.04.2026 19:03 (1 source, 1 article). Sources:
  - Apple account change alerts abused to send phishing emails — www.bleepingcomputer.com — 19.04.2026 19:03
- The phishing message is embedded in Apple security alerts by inserting scam text into the first and last name fields of an Apple ID, which Apple includes in account change notifications.
  First reported: 19.04.2026 19:03 (1 source, 1 article). Sources:
  - Apple account change alerts abused to send phishing emails — www.bleepingcomputer.com — 19.04.2026 19:03
- The emails are sent from Apple's infrastructure using the address [email protected] and pass SPF, DKIM, and DMARC authentication checks.
  First reported: 19.04.2026 19:03 (1 source, 1 article). Sources:
  - Apple account change alerts abused to send phishing emails — www.bleepingcomputer.com — 19.04.2026 19:03
- The phishing email was initially sent to an iCloud email address controlled by the attacker before being relayed to targets via a mailing list.
  First reported: 19.04.2026 19:03 (1 source, 1 article). Sources:
  - Apple account change alerts abused to send phishing emails — www.bleepingcomputer.com — 19.04.2026 19:03
- Threat actors use Apple's legitimate account notification system to deliver phishing content, bypassing spam filters and increasing legitimacy.
  First reported: 19.04.2026 19:03 (1 source, 1 article). Sources:
  - Apple account change alerts abused to send phishing emails — www.bleepingcomputer.com — 19.04.2026 19:03
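Because SPF, DKIM and DMARC all pass for these messages, a defender has to look at the relay and lure characteristics the snippets above describe: an SRS-rewritten Return-Path that no longer matches the visible From domain, and a body that pairs a dollar amount with a phone number to call. The following Python is an added example of such a mail-gateway triage check, not code from the page, Apple or BleepingComputer; the message, domains and addresses are constructed placeholders, and the indicators are heuristics to tune, not a verdict.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the campaign above: every authentication check
# passes, but the Return-Path was SRS-rewritten by the relaying mailing list and
# the body pairs a purchase amount with a phone number. Placeholder domains only.
SAMPLE = """\
Return-Path: <SRS0=h7Qa=AB=list-placeholder.test=owner@list-placeholder.test>
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=list-placeholder.test; dkim=pass header.d=vendor-placeholder.test; dmarc=pass header.from=vendor-placeholder.test
From: Apple <noreply@vendor-placeholder.test>
To: victim@example.test
Subject: Your account information was changed

Your name was updated to: iPhone purchase via PayPal of $899 completed.
To cancel this transaction call +1 555 010 1234 now.
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
# A dollar amount followed (within the body) by an instruction to call a phone number.
LURE_RE = re.compile(r"\$\d{2,5}.*?\b(?:call|dial|contact)\b\D{0,30}(\+?\d[\d\s().-]{7,}\d)", re.I | re.S)

def auth_results(msg):
    """Map each method in Authentication-Results to its verdict, e.g. {'spf': 'pass'}."""
    return {m.lower(): v.lower() for m, v in AUTH_RE.findall(msg.get("Authentication-Results", ""))}

def is_srs_rewritten(msg):
    """True when the envelope sender was rewritten by a Sender Rewriting Scheme relay."""
    local = parseaddr(msg.get("Return-Path", ""))[1].split("@")[0]
    return local.upper().startswith(("SRS0=", "SRS1="))

def envelope_mismatch(msg):
    """True when the bounce domain differs from the visible From domain (relay indicator)."""
    ret = parseaddr(msg.get("Return-Path", ""))[1].rsplit("@", 1)[-1].lower()
    frm = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    return bool(ret and frm and ret != frm)

def callback_phish_reasons(raw):
    """Return the indicators found in a raw RFC 5322 message; [] means nothing flagged."""
    msg = message_from_string(raw)
    reasons = []
    if auth_results(msg).get("dmarc") == "pass" and is_srs_rewritten(msg):
        reasons.append("authenticated_but_srs_relayed")
    if envelope_mismatch(msg):
        reasons.append("return_path_domain_differs_from_from")
    body = msg.get_payload(decode=True).decode("utf-8", errors="replace")
    if LURE_RE.search(body):
        reasons.append("callback_lure_amount_plus_phone")
    return reasons
```

A message that is merely forwarded through a list will trigger only the relay indicators; it is the combination with the amount-plus-phone lure that separates this campaign's callback emails from ordinary forwarded notifications.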
Similar Happenings
FBI Warns of $262M Stolen in Account Takeover Fraud Schemes
Since January 2025, cybercriminals impersonating bank support teams have stolen over $262 million through account takeover (ATO) fraud schemes. The FBI's Internet Crime Complaint Center (IC3) has received over 5,100 complaints, affecting individuals and businesses across various sectors. Criminals gain unauthorized access to online financial accounts using social engineering techniques or fraudulent websites. Once in control, they wire funds to crypto wallets and often change account passwords, making recovery difficult. The FBI advises monitoring financial accounts, using strong passwords, enabling MFA, and avoiding search results for banking websites. Victims are urged to contact their financial institutions immediately and file complaints with the IC3. Recent reports highlight the growing use of AI-powered phishing campaigns, SEO poisoning, and exploitation of e-commerce vulnerabilities, particularly ahead of the holiday season. Additionally, purchase scams and mobile phishing (mishing) sites have seen a significant increase, leveraging trusted brand names to deceive users. The U.S. Justice Department (DoJ) has seized the fraud domain web3adspanels[.]org, which was used to host and manipulate illegally harvested bank login credentials. The scheme targeted 19 victims across the U.S., including two companies in the Northern District of Georgia, with attempted losses of approximately $28 million and actual losses of approximately $14.6 million. The confiscated domain stored the stolen login credentials of thousands of victims and hosted a backend server to facilitate takeover fraud as recently as November 2025. The FBI and Estonian law enforcement collaborated in this seizure, and the domain now displays a law enforcement banner indicating it is under the control of authorities. No arrests have been made yet, but the investigation may reveal clues leading to the operators.
Phishing campaign targets LastPass and Bitwarden users to install remote access tools
A phishing campaign is targeting LastPass and Bitwarden users with fake breach alerts. The emails urge recipients to download a supposedly more secure desktop version of the password manager, which installs Syncro, an RMM tool, and ScreenConnect remote support software. The campaign began over the Columbus Day holiday weekend, exploiting reduced staffing. LastPass has confirmed it has not been hacked and is actively working to mitigate the phishing campaign. The phishing emails are well-crafted and claim to address vulnerabilities in older .exe installations, urging users to update to a more secure MSI format. The threat actors use domains like 'lastpasspulse[.]blog' and 'bitwardenbroadcast[.]blog' to send these emails. The malware installs Syncro and ScreenConnect, allowing the threat actors to remotely access the compromised endpoints, deploy further malware, and steal data. The phishing emails use the subject line 'We Have Been Hacked - Update Your LastPass Desktop App to Maintain Vault Security' and are sent from email addresses like hello@lastpasspulse[.]blog or hello@lastpassgazette[.]blog. The phishing site is hosted at lastpassdesktop[.]com or lastpassgazette[.]blog, and another URL, lastpassdesktop[.]app, has been registered by the threat actor for potential future use.
Spear-Phishing Campaign Targets Social Media and Marketing Professionals with Fake Job Offers
A spear-phishing campaign targets social media and marketing professionals with fake job offers from Tesla, Red Bull, and Ferrari. The campaign, tracked since February 2025, uses spoofed emails and fake landing pages to steal personal information. The attackers request resumes and login credentials, aiming to harvest personal data for future attacks. The phishing emails mimic legitimate recruitment practices, using brand logos and tailored URLs to appear credible. The campaign includes multi-step processes to create an illusion of legitimacy, including CAPTCHA pages and fake Glassdoor or Facebook login pages.
Increased Browser-Based Attacks Targeting Business Applications
Browser-based attacks targeting business applications have surged, exploiting modern work practices and decentralized internet apps. These attacks, including phishing, malicious OAuth integrations, and browser extensions, compromise business apps and data by targeting users. The attacks leverage various delivery channels and evasion techniques, making them difficult to detect and block. Phishing attacks have evolved to use non-email channels such as social media, instant messaging apps, and malicious search engine ads. These attacks often bypass traditional email security controls and are harder to detect. Attackers exploit the decentralized nature of modern work environments, targeting users across multiple apps and communication channels. Non-email phishing attacks can result in significant breaches, as seen in the 2023 Okta breach. The rise in these attacks highlights the need for enhanced browser security measures and better visibility into user activities within the browser.
Axios and Direct Send Abuse in Microsoft 365 Phishing Campaigns
Threat actors are exploiting HTTP client tools like Axios and Microsoft's Direct Send feature to create highly efficient phishing campaigns targeting Microsoft 365 environments. These attacks, which began in July 2025, initially targeted executives and managers in finance, healthcare, and manufacturing sectors, but have since expanded to all users. The campaigns use compensation-themed lures to trick recipients into revealing credentials and bypassing multi-factor authentication (MFA). The abuse of Axios has surged, accounting for 24.44% of all flagged user agent activity from June to August 2025. The attacks leverage Axios to intercept, modify, and replay HTTP requests, capturing session tokens or MFA codes in real-time. This method allows attackers to bypass traditional security defenses and conduct phishing operations at an unprecedented scale. Additionally, a phishing-as-a-service (PhaaS) offering called Salty 2FA has been discovered, which steals Microsoft login credentials and sidesteps MFA by simulating various authentication methods. Salty 2FA uses advanced features such as subdomain rotation, dynamic corporate branding, and sophisticated evasion tactics to enhance its phishing campaigns. It also abuses legitimate platforms to stage initial attacks and uses Cloudflare Turnstile for secure CAPTCHA replacement. Salty2FA campaigns have been active since late July 2025 and continue to this day, generating dozens of fresh analysis sessions daily. The campaigns target industries including finance, healthcare, government, logistics, energy, IT consulting, education, construction, telecom, chemicals, industrial manufacturing, real estate, and consulting. The Sneaky 2FA phishing kit has incorporated Browser-in-the-Browser (BitB) functionality to mimic browser address bars and pop-up login forms. 
This kit uses Cloudflare Turnstile checks to prevent security tools from accessing phishing pages and employs conditional loading techniques to ensure only intended targets can access them. The phishing domains are quickly rotated to minimize detection, and the kit uses obfuscation and disables browser developer tools to resist analysis. Sneaky2FA is a widely used PhaaS platform alongside Tycoon2FA and Mamba2FA, all targeting primarily Microsoft 365 accounts. The kit uses SVG-based attacks and attacker-in-the-middle (AitM) tactics, where the authentication process is proxied to the legitimate service through a phishing page that relays valid session tokens to the attackers. Sneaky2FA has added a BitB pop-up that mimics a legitimate Microsoft login window, adjusting dynamically to the victim’s OS and browser. An attacker stealing credentials and active session tokens can authenticate to the victim’s account, even when the two-factor authentication (2FA) protection is active.