Particle.news

Phishers Exploit iCloud Calendar to Push PayPal Callback Scams From Apple Servers

Forwarding through Microsoft 365 keeps email authentication checks passing via SRS, which makes the invites look legitimate.

Overview

  • The campaign uses iCloud Calendar invites that appear to come from noreply@email.apple.com, passing SPF, DKIM and DMARC because they are generated on Apple infrastructure.
  • Phishing text is embedded in the invite’s Notes field and claims a $599 PayPal charge with a support number to call, a setup typical of telephone-first scams that seek remote access or data theft.
  • Attackers invite a Microsoft 365 address likely configured as a mailing list, causing the messages to be auto-forwarded to targets while preserving a trustworthy-looking From address.
  • Microsoft’s Sender Rewriting Scheme rewrites the return-path on forwarded invites so SPF still validates, with examples showing rewritten onmicrosoft.com bounce addresses.
  • BleepingComputer first detailed the tactic and Malwarebytes corroborated it; reporters said Apple had not responded to requests for comment, and user guidance stresses verifying charges directly and reporting phishing to PayPal.
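
A triage heuristic for the pattern summarized above, added here as an illustration (not code from BleepingComputer, Malwarebytes, Apple or Microsoft). It assumes the rewritten return-path follows the `+SRS=<hash>=<timestamp>=<domain>=<user>@<forwarder>` layout; the sample message, flag names and phone number are constructed. The point it demonstrates is that a full SPF/DKIM/DMARC pass says nothing about the text in the invite's Notes field.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: every header and body value is made up.
SAMPLE = """\
Return-Path: <bounces+SRS=AbCdE=XY=email.apple.com=noreply@example.onmicrosoft.com>
Authentication-Results: mx.example.net; spf=pass; dkim=pass; dmarc=pass
From: noreply@email.apple.com
To: recipient@example.net
Subject: Invitation
Content-Type: text/calendar; method=REQUEST; charset=utf-8

BEGIN:VCALENDAR
BEGIN:VEVENT
SUMMARY:Purchase Invoice
DESCRIPTION:Your PayPal account was billed $599.00. To cancel call +1 (202) 555-0143
END:VEVENT
END:VCALENDAR
"""

# Assumed SRS layout: local+SRS=<hash>=<timestamp>=<orig domain>=<orig user>@<forwarder>
SRS_RE = re.compile(r"\+SRS=[^=]+=[^=]+=(?P<dom>[^=]+)=(?P<user>[^@=]+)@(?P<fwd>[\w.-]+)$", re.I)
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
LURE_RE = re.compile(r"paypal|billed|charge|invoice", re.I)

def triage(raw):
    """Return a list of flags for a forwarded calendar invite carrying a callback lure."""
    msg = message_from_string(raw)
    flags = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rpath = msg.get("Return-Path", "").strip().strip("<>")
    srs = SRS_RE.search(rpath)
    if srs:
        flags.append("srs_forwarded")
        if srs["fwd"].lower().endswith(".onmicrosoft.com"):
            flags.append("forwarder_onmicrosoft")
        if srs["dom"].lower() == sender.rpartition("@")[2]:
            flags.append("srs_origin_matches_from")
    auth = msg.get("Authentication-Results", "").lower()
    if all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc")):
        flags.append("auth_all_pass")  # authenticates the sending infrastructure only
    for part in msg.walk():
        if part.get_content_type() != "text/calendar":
            continue
        body = part.get_payload(decode=True).decode("utf-8", "replace")
        body = re.sub(r"\r?\n[ \t]", "", body)  # unfold folded iCalendar lines
        if any(l.upper().startswith("DESCRIPTION") and PHONE_RE.search(l)
               and LURE_RE.search(l) for l in body.splitlines()):
            flags.append("invite_notes_callback_lure")
    return flags
```
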