
The Hidden Calendar Threat Putting 4 Million Apple Devices at Risk

Hijacked calendar subscriptions are emerging as a stealthy new way for attackers to push phishing and malware directly onto devices.

Written By
Ken Underhill
Dec 1, 2025

Digital calendars may seem like one of the safest apps on your device — but new research shows they’re becoming a powerful, overlooked attack vector. 

Millions of users who subscribe to external calendars for holidays, promotions, or event reminders may be unknowingly connecting to abandoned domains now ripe for takeover. 

Attackers “… can deliver calendar files that may contain harmful content, such as URLs or attachments, turning a helpful tool into an unexpected attack vector,” said Bitsight researchers.

The Hidden Danger of Abandoned Calendar Feeds

Bitsight researchers sinkholed more than 390 such calendar-related domains and observed daily sync traffic from roughly 4 million iOS and macOS devices. 

Because these domains once hosted legitimate calendars — from sporting events to public holidays — users rarely question the source. 

Once an attacker controls the domain, they can silently push .ics files containing URLs, attachments, or social-engineering lures straight into calendar apps.

Why Calendar Phishing Is Harder to Detect

Unlike traditional email phishing — which users are often trained to spot — calendar-based attacks exploit trust and automation. 

A subscribed calendar causes the device to routinely poll the feed URL for updates, sending HTTP requests with an Accept: text/calendar header. 

If the domain is now in malicious hands, the attacker simply sends back crafted events. These can include malicious links, files, or misleading titles like “Security Alert,” “Amazon Notice,” or even blank whitespace to obscure details.
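As an added illustration (not code from the article or from Bitsight), the following Python script parses a calendar feed in iCalendar (.ics) format and flags events shaped like the lures described above: whitespace-only titles, urgency wording such as "Security Alert", embedded links, ATTACH properties, and HTML markup in text fields (the kind of content that becomes a stored-XSS problem when a client renders it unescaped). The feed, UIDs and hostnames are constructed samples, not observed indicators.

```python
"""Flag suspicious events in a subscribed .ics feed (added example, not from the article)."""
import re

# Constructed sample feed: one benign holiday event plus two events shaped like the
# lures the article describes. Hosts use the reserved .invalid TLD; they are not real IoCs.
SAMPLE_FEED = """BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//example//holidays//EN
BEGIN:VEVENT
UID:1@example.invalid
DTSTART;VALUE=DATE:20251225
SUMMARY:Christmas Day
END:VEVENT
BEGIN:VEVENT
UID:2@example.invalid
DTSTART:20251202T090000Z
SUMMARY:Security Alert
DESCRIPTION:Your account is locked. Verify now: https://login.example.invalid/verify
END:VEVENT
BEGIN:VEVENT
UID:3@example.invalid
DTSTART:20251203T090000Z
SUMMARY:\t\t
DESCRIPTION:<script>alert(1)</script>
ATTACH;FMTTYPE=application/pdf:https://files.example.invalid/invoice.pdf
END:VEVENT
END:VCALENDAR
"""

URL_RE = re.compile(r"https?://([^\s/]+)\S*", re.I)
# Urgency words seen in calendar lures; extend for your environment.
LURE_RE = re.compile(r"\b(security alert|notice|verify|urgent|locked|prize)\b", re.I)
TAG_RE = re.compile(r"<[a-z!/][^>]*>", re.I)


def parse_feed(text):
    """Minimal RFC 5545 reader: unfold continuation lines, collect VEVENT properties."""
    unfolded = []
    for line in text.replace("\r\n", "\n").split("\n"):
        if line[:1] in (" ", "\t") and unfolded:   # folded line continues the previous one
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    events, current = [], None
    for line in unfolded:
        if not line:
            continue
        # Split at the first ':'; parameters (after ';') are dropped for this audit.
        name, _, value = line.partition(":")
        name = name.split(";", 1)[0].upper()
        if name == "BEGIN" and value.upper() == "VEVENT":
            current = {}
        elif name == "END" and value.upper() == "VEVENT":
            if current is not None:
                events.append(current)
            current = None
        elif current is not None:
            current.setdefault(name, []).append(value)
    return events


def audit_event(ev):
    """Return a list of human-readable reasons an event looks like a lure."""
    reasons = []
    summary = " ".join(ev.get("SUMMARY", []))
    text_fields = " ".join(
        v for key in ("SUMMARY", "DESCRIPTION", "LOCATION", "URL") for v in ev.get(key, [])
    )
    if not summary.strip():
        reasons.append("blank or whitespace-only title")
    elif LURE_RE.search(summary):
        reasons.append(f"urgency lure in title: {summary.strip()!r}")
    for match in URL_RE.finditer(text_fields):
        reasons.append(f"link in event text: {match.group(1).lower()}")
    if ev.get("ATTACH"):
        reasons.append(f"attachment reference: {ev['ATTACH'][0]}")
    if TAG_RE.search(text_fields):
        reasons.append("markup in text field (XSS risk if rendered unescaped)")
    return reasons


def audit_feed(text):
    """Map UID -> reasons for every event that trips at least one rule."""
    findings = {}
    for ev in parse_feed(text):
        uid = ev.get("UID", ["<no uid>"])[0]
        reasons = audit_event(ev)
        if reasons:
            findings[uid] = reasons
    return findings


if __name__ == "__main__":
    for uid, reasons in audit_feed(SAMPLE_FEED).items():
        print(uid)
        for reason in reasons:
            print("  -", reason)
```

The parser is deliberately small (it ignores property parameters and nested components), which is enough for triage; for production use, feed the same rules to a full iCalendar library and run them on every sync response before the events reach user-facing clients.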

Bitsight researchers identified two dominant infrastructures behind these attacks:

  • Legacy base64-like URI patterns paired with reused fingerprinting scripts across hundreds of domains.
  • Newer “webcal” infrastructure, where deceptive JavaScript overlays — such as fake CAPTCHA prompts — trick users into clicking Allow, which grants permission for push notifications or additional calendar subscriptions.

Many users arrived at these malicious domains through compromised legitimate websites, infected with heavily obfuscated JavaScript consistent with the Balada injector campaign. 

To the victim, it looks like a routine browser check before loading a familiar page — until malicious events start appearing in their calendar.

How Attackers Monetize Calendar Access

Once an attacker controls the subscription, they control what appears on the device. Bitsight observed campaigns that weaponize calendar events to:

  • Drive users to phishing pages.
  • Promote malicious VPNs that may function as residential proxies.
  • Push APK downloads posing as games or tools.
  • Deliver PDFs that redirect users into deeper scam or malware networks.

Some ad networks now openly sell iOS Push or calendar-based promotions, turning this attack vector into a commercial ecosystem where threat actors can rent access to users’ devices.

Calendar Attacks Go Beyond Phishing

The calendar threat extends beyond just phishing attacks. 

A Zimbra vulnerability (CVE-2025-27915) demonstrated how poorly sanitized .ics files in certain open-source suites can enable stored XSS, leading to arbitrary JavaScript execution without user interaction.

Separately, researchers have shown that calendar events can be used for LLM prompt-injection attacks.

If a malicious event contains a jailbreak prompt and a user asks their AI assistant to summarize upcoming events, the LLM may execute harmful actions. 

At scale, this could reach millions of devices instantly through hijacked subscriptions.

Protecting Your Organization From Calendar Exploits

Digital calendars have quietly become a high-risk attack surface, offering threat actors a direct line to user devices through expired or hijacked subscriptions. 

With malicious .ics files, fake browser checks, and poisoned redirects on the rise, traditional email-focused defenses simply can’t keep pace. Organizations should adopt a layered approach including:

  • Audit and remove unfamiliar or unnecessary calendar subscriptions on corporate and personal devices.
  • Treat calendar events like email — avoid clicking unknown links, attachments, or urgent prompts.
  • Establish clear policies governing third-party calendar subscriptions, especially for high-privilege or high-risk roles.
  • Expand security awareness training to include calendar-based phishing, fake browser checks, and social-engineering tactics.
  • Use DNS, SWG, or network-level filtering to block malicious or expired subscription domains and suspicious .ics sync requests.
  • Harden mobile and endpoint devices by restricting unknown configuration profiles, disabling auto-subscription prompts where possible, and enforcing MTD/MDM protections.
  • Monitor for abnormal calendar-sync behavior, malicious redirects, or patterns consistent with injected JavaScript or compromised websites.
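To show what the audit and monitoring steps above can look like in practice, here is an added Python example (not from the article) that scans constructed web-proxy log lines for calendar-sync requests, identified by an Accept: text/calendar header or an .ics path, to hosts outside an approved-feed allowlist, and groups the requesting clients per host so the most widely subscribed unapproved feeds surface first. The log format, the allowlist and all hostnames are assumptions.

```python
"""Find calendar-sync traffic to unapproved feeds in proxy logs (added example, not from the article)."""
from collections import defaultdict

# Hypothetical allowlist of subscription feeds the organization has vetted.
APPROVED_FEEDS = {"calendars.example.invalid"}

# Constructed proxy log lines (assumed format):
# timestamp client_ip method host path accept_header
SAMPLE_LOG = """\
2025-12-01T08:00:01Z 10.0.1.23 GET calendars.example.invalid /holidays.ics text/calendar
2025-12-01T08:00:03Z 10.0.1.23 GET www.example.invalid / text/html
2025-12-01T08:00:09Z 10.0.1.41 GET oldsports-feed.example.invalid /schedule.ics text/calendar
2025-12-01T08:01:12Z 10.0.1.57 GET oldsports-feed.example.invalid /schedule.ics text/calendar
2025-12-01T08:02:30Z 10.0.1.57 GET promo-cal.example.invalid /cal/ text/calendar
2025-12-01T08:03:00Z 10.0.1.88 GET cdn.example.invalid /app.js */*
"""


def parse_line(line):
    """Split one log line into fields; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 6:
        return None
    timestamp, client, method, host, path, accept = parts
    return {"ts": timestamp, "client": client, "method": method,
            "host": host.lower(), "path": path, "accept": accept.lower()}


def is_calendar_sync(rec):
    """A subscription refresh announces itself via Accept: text/calendar or an .ics path."""
    return "text/calendar" in rec["accept"] or rec["path"].lower().endswith(".ics")


def audit_sync_log(text, approved=APPROVED_FEEDS):
    """Map each unapproved feed host to the sorted list of clients syncing from it."""
    clients_by_host = defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and is_calendar_sync(rec) and rec["host"] not in approved:
            clients_by_host[rec["host"]].add(rec["client"])
    return {host: sorted(clients) for host, clients in clients_by_host.items()}


def ranked_report(findings):
    """Order unapproved hosts by how many distinct clients subscribe to them."""
    return sorted(findings.items(), key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    for host, clients in ranked_report(audit_sync_log(SAMPLE_LOG)):
        print(f"{host}: {len(clients)} client(s) -> {', '.join(clients)}")
```

Hosts that appear here are candidates for the subscription audit and for DNS or SWG blocking; a feed that many devices poll but nobody in the organization can vouch for is exactly the expired-domain pattern the article describes.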

Securing calendars is no longer a niche concern — it’s a necessary part of modern cyber defense. 

As attackers continue to exploit overlooked channels like .ics subscriptions and malicious redirects, organizations must expand their protections beyond traditional email-focused security.

The Rise of Calendar-Based Cyberattacks

Calendar subscriptions — once a minor convenience feature — have evolved into a scalable, low-friction attack channel that bypasses email defenses entirely. 

As threat actors increasingly exploit trust-based systems and automation, organizations must rethink where their true attack surfaces lie. 

Modern security strategies must treat calendars not as harmless utilities, but as potential delivery paths for phishing, malware, and even AI-driven exploitation.

It’s a reminder that even seemingly innocent features can be exploited by attackers, underscoring the value of zero-trust principles.
