iCloud Calendar infrastructure abused in PayPal phishing campaign


Once again, phishers are targeting PayPal users by abusing existing legitimate infrastructure. Only this time they’re not abusing PayPal’s platform, but iCloud Calendar invites.

Our friends over at BleepingComputer unraveled a call-back phishing scam which was sent to one of their readers.


“Pedro McCarthy invited you to ‘Purchase Invoice’.

Purchase Invoice

Hello Customer,
Your PayPal account has been billed $599.00
We’re confirming receipt of your recent payment. Below are the details:
Invoice ID: AFER13VD

Date: AUG 28, 2025

Amount: USD 599.00

If you wish to discuss or make changes to this payment, please contact our support team at +1 +1 (786) 902 8579”

The sender address shows as [email protected], and because the message genuinely was sent by Apple's servers it passes the usual email authentication checks (SPF, DKIM and DMARC). That is possible because the message is a real iCloud Calendar invite: the phishing text is simply typed into the event's "Notes" field, which Apple includes in the invitation email.

The invite is addressed to a Microsoft 365 account controlled by the phishers, not to the victim. When an iCloud Calendar event is created with external attendees, Apple's servers send each attendee an invitation email in the calendar owner's name, from the address [email protected].

The Microsoft 365 account is very likely a mailing list (or a mailbox with forwarding rules) holding the addresses of the targets in this campaign. When Exchange Online forwards the invite to those targets it applies the Sender Rewriting Scheme (SRS), a technique that keeps email forwarding working without breaking anti-spoofing protections.

SRS rewrites the envelope sender, the Return-Path (MAIL FROM) address that SPF is checked against, to an address in the forwarding domain (here, the phishers' Microsoft 365 tenant). The forwarded message therefore passes SPF at the target's mail server instead of failing because Microsoft's servers are not in Apple's SPF record. SRS does not touch the visible "From" header, so the recipient's email program still shows Apple's address, and Apple's DKIM signature normally survives unmodified forwarding, so DMARC passes as well. The result is a message that looks legitimate to both machines and humans, especially when the visible address belongs to Apple.

A call-back phishing campaign is set up to entrap targets who decide to call the number listed in the invitation. The "support agent" who answers will ask the caller to install something under a false pretext, typically a remote desktop tool or information-stealing malware, which is then used to take over the victim's accounts and drain them.

How to stay safe

A legitimate sender address is no guarantee that a message is genuine. Besides outright spoofing, criminals are finding ways to abuse big tech infrastructure so that a message really does originate from a legitimate company's servers, as it did here.

The email has many of the usual signs of a phishing mail:

  • Urgency: a large amount is supposedly already billed to your account, pressuring you to act immediately.
  • Generic greeting: "Hello Customer" instead of your name.
  • The recipient address is not yours: the invite was sent to the phishers' mailing list and forwarded on to you.
  • A malformed phone number: the +1 country code appears twice.
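The SRS forwarding mechanics and the warning signs listed above can both be checked mechanically from the raw message. The script below is an added example, not code from Malwarebytes or BleepingComputer: it parses a constructed invitation email (the addresses, domains, invoice ID and phone number are made up), unwraps the Exchange Online SRS envelope sender so the forwarding tenant and the original sender are both visible next to the untouched From: header, checks that the To: address is actually the local mailbox, and scans the invite's DESCRIPTION (the Notes field) for a generic greeting, a billed amount and a call-back number with a doubled country code. The `+SRS=` address layout follows Microsoft's documented format for Exchange Online.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Exchange Online SRS rewrite of the envelope sender (Microsoft's documented layout):
#   <fwd-user>+SRS=<hash>=<timestamp>=<orig-domain>=<orig-user>@<fwd-domain>
SRS_RE = re.compile(
    r"^(?P<fwduser>[^+@]+)\+SRS=(?P<hash>[^=]+)=(?P<ts>[^=]+)="
    r"(?P<origdomain>[^=]+)=(?P<origuser>[^@]+)@(?P<fwddomain>.+)$",
    re.IGNORECASE,
)
# One or more "+1" prefixes followed by a North American number; the repeat
# count lets us spot the doubled country code seen in the campaign.
PHONE_RE = re.compile(r"(?:\+1\s*){1,}\(?\d{3}\)?[\s-]?\d{3}[\s-]?\d{4}")
AMOUNT_RE = re.compile(r"(?:USD|\$)\s?\d[\d,]*(?:\.\d{2})?")

# Constructed sample message: a calendar invite that reached a forwarding
# mailbox (list@forwarder.example) and was relayed on with an SRS-rewritten
# Return-Path. All names, domains and numbers are invented for this example.
SAMPLE = """Return-Path: <list+SRS=a1b2c=AB=calendar.example=noreply@forwarder.example>
From: Pedro McCarthy <noreply@calendar.example>
To: list@forwarder.example
Subject: Invitation: Purchase Invoice
MIME-Version: 1.0
Content-Type: text/calendar; charset=utf-8; method=REQUEST

BEGIN:VCALENDAR
METHOD:REQUEST
BEGIN:VEVENT
SUMMARY:Purchase Invoice
DESCRIPTION:Hello Customer\\,\\nYour account has been billed $599.00\\nInvoice
  ID: AFER13VD\\nContact support at +1 +1 (555) 010 2345
END:VEVENT
END:VCALENDAR
"""


def unwrap_srs(address):
    """Recover the original envelope sender from an SRS-rewritten address.

    Returns (original_address, forwarding_domain); forwarding_domain is None
    when the address was not rewritten.
    """
    m = SRS_RE.match(address)
    if not m:
        return address, None
    return f"{m['origuser']}@{m['origdomain']}", m["fwddomain"].lower()


def calendar_notes(msg):
    """Return the DESCRIPTION (Notes) text of the first text/calendar part, or ''."""
    for part in msg.walk():
        if part.get_content_type() == "text/calendar":
            ics = part.get_content()
            # iCalendar folds long lines as CRLF + one whitespace; unfold first.
            ics = re.sub(r"\r?\n[ \t]", "", ics)
            m = re.search(r"^DESCRIPTION(?:;[^:]*)?:(.*)$", ics, re.MULTILINE)
            if m:
                # Undo iCalendar text escaping for newlines and commas.
                return m.group(1).replace("\\n", "\n").replace("\\,", ",")
    return ""


def triage(raw, my_mailbox):
    """Return a list of human-readable findings for one raw invitation email."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    _, hdr_from = parseaddr(str(msg["From"]))
    _, envelope = parseaddr(str(msg["Return-Path"] or ""))
    orig_envelope, fwd_domain = unwrap_srs(envelope)
    if fwd_domain:
        findings.append(
            f"forwarded: envelope sender SRS-rewritten by {fwd_domain} "
            f"(original {orig_envelope}); visible From: is still {hdr_from}"
        )

    _, to_addr = parseaddr(str(msg["To"]))
    if to_addr.lower() != my_mailbox.lower():
        findings.append(f"recipient mismatch: addressed to {to_addr}, not {my_mailbox}")

    notes = calendar_notes(msg)
    if notes:
        if re.search(r"\b(hello|dear)\s+customer\b", notes, re.IGNORECASE):
            findings.append("generic greeting in invite notes")
        for amt in AMOUNT_RE.findall(notes):
            findings.append(f"amount in invite notes: {amt}")
        for ph in PHONE_RE.findall(notes):
            findings.append(f"callback number in invite notes: {ph.strip()}")
            if ph.count("+1") > 1:
                findings.append("doubled country code in phone number")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE, "victim@example.org"):
        print("-", line)
```

Run it against a real invite by reading the raw message (including its Return-Path header as delivered) into `triage` and passing your own mailbox address; the first finding makes the point of the article visible in one line, since the rewritten envelope sender names the forwarding tenant while the From: header still carries the original calendar service's domain.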

What you can do:

  • Always search phone numbers and email addresses from such messages to look for associations with known scams.
  • Log in directly at PayPal.com (type the address yourself rather than using links or numbers from the message) to see whether there are any notifications in your account.
  • Enable two-factor authentication (2FA) on your PayPal account to add an extra layer of security to your financial accounts and help prevent scammers getting in.
  • Report suspicious emails and phishing emails to [email protected]. Then delete them.

We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

