4 Million iOS Users at Risk: Abandoned Domains Weaponized for iCalendar Phishing
Digital calendars have long been a convenient way to stay organized amid daily routines, yet new research from Bitsight reveals that this familiar tool can be transformed into a fully fledged attack vector. Bitsight analysts identified more than 390 abandoned domains associated with iCalendar synchronization, receiving daily requests from roughly 4 million iOS and macOS devices. Anyone who re-registers such a domain gains the ability to surreptitiously inject calendar events into users’ schedules — complete with links, files, and any other content of their choosing.
The issue lies in how easily users subscribe to third-party calendars, often with a single click, whether for holiday schedules, event timetables, sales, or app-generated reminders. With this convenience comes substantial risk: attackers can craft infrastructure designed to trick users into subscribing to their “updates.” From that moment on, the device periodically re-fetches the .ics file from the subscription URL without the owner’s involvement, so whoever controls the domain in that URL controls what appears in the calendar. If the domain has lapsed and been re-registered by cybercriminals, the calendar becomes a delivery channel for intrusive reminders, phishing links, fake antivirus or VPN alerts, anything likely to provoke a click.
Researchers discovered hundreds of such domains, many interacting with millions of unique IP addresses. These requests originated not from new subscriptions but from long-forgotten calendars — for instance, holiday feeds for various countries. Simply seizing control of a domain instantly grants access to an enormous distribution channel across countless devices.
Bitsight also uncovered an entire infrastructure designed to mass-propagate malicious subscriptions: compromised websites covertly loaded obfuscated scripts that redirected visitors to counterfeit CAPTCHA pages. There, users were urged to click “Allow” to supposedly pass verification — in reality activating subscriptions to push notifications or calendar events. These redirect chains frequently relied on .biz and .bid domains and were linked to the well-known Balada Injector malware campaign.
This was not the only distribution mechanism. Researchers identified APK files and PDFs leading to the same redirection chains. Android apps masqueraded as games, hid themselves after launch, and opened targeted URLs via WebView. The PDFs contained tinyurl links pointing to the same fraudulent pages. The entire infrastructure was meticulously organized: dozens of hosting providers, hundreds of domains, thousands of APKs, unified certificates, and a tightly interconnected web of redirects.
The monetization model proved equally straightforward. Advertising platforms already exist that sell “calendar placement” — allowing buyers to display events directly on users’ devices, promoting VPNs, games, or various services. Such entries appear as ordinary reminders, and the target audience — iOS users — is considered highly profitable. Attackers actively deploy phishing techniques to disseminate these schemes.
Despite the scale of the problem, defenses are minimal. MDM solutions cannot prevent users from adding their own subscriptions, nor can they easily audit existing ones. The checks, filters, and antivirus heuristics developed for email scarcely exist for calendars, which are still perceived as inherently safe tools.
Bitsight recommends that users and organizations regularly review active subscriptions, treat links and attachments in calendar events with the same caution applied to email, establish policies for third-party calendar usage, and, when possible, block suspicious subscriptions at the network level. But the most crucial measure is awareness: a calendar is not merely a convenient utility, but yet another potential attack surface — one that threat actors are actively exploiting today. Understanding social-engineering methods is essential for resisting such threats.
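The mechanism described above (a device silently re-fetching an .ics feed from a subscription URL) and the recommendation to treat calendar links with the same caution as email both come down to inspecting what a feed actually delivers. The following scanner is an added example written for this page; it is not Bitsight's tooling or code from the research. It unfolds RFC 5545 continuation lines, walks every VEVENT in a feed, and flags events carrying typical phishing indicators: links in text fields, URL or ATTACH properties, bait wording, daily recurrence (the nagging-reminder pattern), and display alarms. The feed, hostnames (example.invalid) and bait-word list are constructed for the example and are assumptions, not data from the report.

```python
"""
Heuristic scanner for subscribed calendar feeds (.ics, RFC 5545).
Added example for this page; not Bitsight's code. Sample feed and
bait-word list below are constructed assumptions.
"""
import re
from dataclasses import dataclass, field

# Links in calendar text; backslash excluded because .ics escapes "," ";" and newlines with "\".
URL_RE = re.compile(r"(?:https?|webcal)://[^\s\"'<>\\]+", re.IGNORECASE)
# Illustrative lure vocabulary (assumption); tune to what your users actually receive.
BAIT_WORDS = ("virus", "infected", "vpn", "security alert", "verify", "click", "expired", "winner")


@dataclass
class Finding:
    uid: str
    summary: str
    urls: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def unfold(text: str) -> list:
    """Join folded lines: a line beginning with SPACE or HTAB continues the previous one."""
    lines = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw.startswith((" ", "\t")) and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines


def parse_events(text: str) -> list:
    """One dict per VEVENT, property name -> list of values.
    Property parameters (ATTACH;FMTTYPE=...) are stripped from the name;
    properties inside a nested VALARM are stored under 'VALARM.<NAME>'."""
    events, current, in_alarm = [], None, False
    for line in unfold(text):
        if line == "BEGIN:VEVENT":
            current, in_alarm = {}, False
        elif line == "END:VEVENT":
            if current is not None:
                events.append(current)
            current = None
        elif line == "BEGIN:VALARM":
            in_alarm = True
        elif line == "END:VALARM":
            in_alarm = False
        elif current is not None and ":" in line:
            name, value = line.split(":", 1)
            name = name.split(";", 1)[0].upper()
            if in_alarm:
                name = "VALARM." + name
            current.setdefault(name, []).append(value)
    return events


def scan(text: str) -> list:
    """Return a Finding for every event that shows at least one indicator."""
    findings = []
    for ev in parse_events(text):
        f = Finding(uid=ev.get("UID", ["?"])[0], summary=ev.get("SUMMARY", [""])[0])
        for prop in ("SUMMARY", "DESCRIPTION", "LOCATION"):
            for value in ev.get(prop, []):
                hits = URL_RE.findall(value)
                if hits:
                    f.urls.extend(hits)
                    f.reasons.append(f"link in {prop}")
        for prop in ("URL", "ATTACH"):
            for value in ev.get(prop, []):
                f.urls.append(value)
                f.reasons.append(f"{prop} property")
        blob = " ".join(ev.get("SUMMARY", []) + ev.get("DESCRIPTION", [])).lower()
        words = [w for w in BAIT_WORDS if w in blob]
        if words:
            f.reasons.append("bait wording: " + ", ".join(words))
        if any("FREQ=DAILY" in r.upper() for r in ev.get("RRULE", [])):
            f.reasons.append("repeats daily")
        if "DISPLAY" in ev.get("VALARM.ACTION", []):
            f.reasons.append("display alarm")
        if f.reasons:
            findings.append(f)
    return findings


# Constructed sample feed: one legitimate holiday plus two lure events.
SAMPLE_FEED = "\r\n".join([
    "BEGIN:VCALENDAR", "VERSION:2.0", "PRODID:-//constructed sample//EN",
    "BEGIN:VEVENT", "UID:holiday-1", "DTSTART;VALUE=DATE:20250101",
    "SUMMARY:New Year's Day", "END:VEVENT",
    "BEGIN:VEVENT", "UID:bait-1", "DTSTART:20250601T090000Z", "RRULE:FREQ=DAILY",
    "SUMMARY:Security Alert: your iPhone is infected!",
    "DESCRIPTION:Click to remove the virus now https://example.invalid/clea",
    " n?ref=cal",  # folded continuation of the line above
    "BEGIN:VALARM", "ACTION:DISPLAY", "TRIGGER:-PT0M", "DESCRIPTION:Virus found", "END:VALARM",
    "END:VEVENT",
    "BEGIN:VEVENT", "UID:bait-2", "DTSTART:20250602T180000Z",
    "SUMMARY:Your VPN subscription has expired",
    "URL:https://example.invalid/renew",
    "ATTACH;FMTTYPE=application/pdf:https://example.invalid/invoice.pdf",
    "END:VEVENT", "END:VCALENDAR",
])

if __name__ == "__main__":
    for finding in scan(SAMPLE_FEED):
        print(finding.uid, "|", finding.summary, "|", "; ".join(finding.reasons), "|", finding.urls)
```

Point `scan()` at the body of any subscribed feed you pull down yourself (for example with `curl` against the webcal URL rewritten to https) and feed the flagged URLs into whatever you already use to vet links from email. The unfolding step matters: folding a URL across two lines is enough to hide it from a naive one-line grep.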