iCloud Calendar invites are being abused to send callback phishing emails disguised as purchase notifications directly from Apple’s email servers, making them more likely to bypass spam filters to land in targets’ inboxes.
Earlier this month, a reader shared an email with BleepingComputer that claimed to be a payment receipt for $599 charged against the recipient’s PayPal account. The email included a phone number to call if the recipient wanted to discuss the payment or make changes to it.
“Hello Customer, Your PayPal account has been billed $599.00. We’re confirming receipt of your recent payment,” read the email.
“If you wish to discuss or make changes to this payment, please contact our support team at +1 +1 (786) 902-8579. Contact us to cancel +1 (786) 902-8579,” continued the email.

The goal of these emails is to trick recipients into thinking their PayPal account was fraudulently charged for a purchase and to scare them into calling the scammer’s “support” phone number.
When you call the number, a scammer will try to scare you into thinking your account was hacked, or claim that they need to connect to your computer to initiate a refund, and ask you to download and run software.
In previous scams like this, however, the remote access was used to steal money from bank accounts, deploy malware, or steal data from the computer.
Abusing iCloud Calendar invites to send emails
The lure in this email is a typical callback phishing scam, but what was strange was that it was sent from noreply@email.apple.com, passing the SPF, DMARC, and DKIM email security checks, signifying th…
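Because the message described above passes SPF, DKIM and DMARC for Apple's domain, a filter has to judge the content instead. The sketch below is an added example, not code from the article, BleepingComputer or Apple; it flags mail whose body names a brand the sender domain does not belong to and combines billing language with a phone number. The brand list, regexes, signal names and the sample's headers are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: sender and body wording follow the article; headers are made up.
SAMPLE = (
    "From: noreply@email.apple.com\n"
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=email.apple.com;\n"
    " dkim=pass header.d=email.apple.com; dmarc=pass header.from=email.apple.com\n"
    "\n"
    "Hello Customer, Your PayPal account has been billed $599.00.\n"
    "If you wish to discuss this payment, contact our support team at +1 (786) 902-8579.\n"
)

# Assumed brand list: keyword in the body -> domain that brand legitimately mails from.
BRANDS = {"paypal": "paypal.com", "apple": "apple.com"}
PHONE = re.compile(r"(?:\+?1[\s.-]*)?\(?\d{3}\)?[\s.-]*\d{3}[\s.-]*\d{4}")
BILLING = re.compile(r"\b(billed|charged|payment|refund|invoice)\b", re.I)
AUTH = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)

def auth_results(msg):
    """Return e.g. {'spf': 'pass', ...} from all Authentication-Results headers."""
    joined = " ".join(msg.get_all("Authentication-Results", []))
    return {k.lower(): v.lower() for k, v in AUTH.findall(joined)}

def callback_phish_signals(raw):
    """List the signals found in a single-part plain-text message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    signals = []
    if all(auth_results(msg).get(k) == "pass" for k in ("spf", "dkim", "dmarc")):
        signals.append("authenticated")  # proves the sending domain, not the content
    for brand, domain in BRANDS.items():
        mentioned = re.search(rf"\b{brand}\b", body, re.I)
        from_brand = sender_domain == domain or sender_domain.endswith("." + domain)
        if mentioned and not from_brand:
            signals.append(f"brand_mismatch:{brand}")
    if BILLING.search(body):
        signals.append("billing_language")
    if PHONE.search(body):
        signals.append("callback_number")
    return signals

def is_callback_phish(raw):
    """Flag on brand mismatch + billing text + phone number, whatever the auth result."""
    s = set(callback_phish_signals(raw))
    return {"billing_language", "callback_number"} <= s and any(x.startswith("brand_mismatch") for x in s)
```

The "authenticated" signal is reported but never used to clear a message, since in this campaign the authentication results are genuine.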