In the modern digital ecosystem, subscribing to a calendar series has become a routine convenience. Whether it is a retailer sharing dates for upcoming sales, a sports association like FIFA publishing match schedules, or a government body listing public holidays, the standard ‘ICS’ web calendar format, also known as iCalendar, allows third parties to integrate events directly into a user’s device. A new report indicates that this functionality is being weaponized by cybercriminals to distribute malicious content.[1] Does it ever end?
According to the latest research from Bitsight, titled The Hidden Dangers of Calendar Subscriptions, threat actors are increasingly exploiting the trust users place in their calendar applications. The report details how criminals use deceptive infrastructure to trick users into subscribing to notifications that subsequently deliver malicious URLs or dangerous attachments directly to the device's home screen.
While the creation of intentionally malicious calendars is a concern, the report highlights a more subtle and insidious threat: the hijacking of legitimate, but abandoned, calendar sources. Many organizations create calendar subscriptions for specific, time-limited events, such as a World Cup tournament or a seasonal retail promotion. Once the event concludes, the organization often ceases to maintain the supporting infrastructure. Eventually, the domain name hosting the calendar file expires.
Bitsight researchers warn that cybercriminals actively hunt for these expired domains. Once an attacker purchases and re-registers such a domain, they control the calendar feed it hosts. Users who originally subscribed rarely unsubscribe after an event ends, and their devices continue to poll the server for updates automatically. Consequently, a once-innocuous schedule of football matches can suddenly begin pushing spam, phishing links, or malware to the user, bypassing the traditional filters that might catch similar attempts sent via email.
The scale of this vulnerability is significant. The Bitsight research team observed over 390 abandoned domains specifically related to iCalendar services. These domains were being accessed daily by approximately 4 million unique iOS and macOS devices. This figure represents only the Apple ecosystem; when considering the vast number of Android devices that use similar subscription protocols, the potential attack surface is considerably larger.
The omnipresence of these connections means that millions of users maintain a constant, open line of communication with servers that may no longer be owned by the entity they originally trusted.
One of the primary reasons this attack vector is successful is the psychological difference between how users view email versus calendars. Over the last decade, employees and the public have been trained to scrutinize emails for signs of phishing. However, calendar notifications generally bypass this skepticism. A notification appearing in a trusted system application carries an inherent legitimacy that attackers are keen to exploit.
The report notes that this "trust" has been commodified. There is now an active market where companies and criminal entities sell "ad space" within hacked calendar events. This allows bad actors to push notifications to millions of unsuspecting devices, turning a personal organizational tool into a billboard for illicit material or fraud.
As this under-examined area of security risk continues to grow, the report suggests that reliance on a source's initial legitimacy is no longer sufficient. Users and organizations must audit their active subscriptions to ensure they are not leaving a digital back door open to opportunistic criminals.
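The audit the report calls for can be partly automated on the feed content itself. The following added example (not code from the report or from Bitsight) parses an ICS feed and flags the two signs described above: links in events that point off the publisher's own domain, and attachments delivered through the subscription. The feed host, event identifiers and the sample ICS text are constructed for illustration.

```python
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"'\\]+")

def unfold(ics_text):
    # RFC 5545 folds long lines at a CRLF followed by one space or tab.
    return re.sub(r"\r?\n[ \t]", "", ics_text)

def parse_events(ics_text):
    # Minimal VEVENT extractor: one {property name: [values]} dict per event.
    events, current = [], None
    for line in unfold(ics_text).splitlines():
        if line == "BEGIN:VEVENT":
            current = {}
        elif line == "END:VEVENT" and current is not None:
            events.append(current)
            current = None
        elif current is not None and ":" in line:
            name, value = line.split(":", 1)
            name = name.split(";", 1)[0].upper()  # drop parameters like ;FMTTYPE=
            current.setdefault(name, []).append(value)
    return events

def audit_feed(feed_url, ics_text):
    # Flag links that leave the publisher's domain, and any attachment at all.
    feed_host = (urlparse(feed_url).hostname or "").lower()
    findings = []
    for ev in parse_events(ics_text):
        uid = ev.get("UID", ["<no uid>"])[0]
        for prop in ("URL", "DESCRIPTION", "LOCATION"):
            for link in URL_RE.findall(" ".join(ev.get(prop, []))):
                host = (urlparse(link).hostname or "").lower()
                if host != feed_host and not host.endswith("." + feed_host):
                    findings.append((uid, f"{prop} links to off-domain host {host}"))
        for attach in ev.get("ATTACH", []):
            findings.append((uid, f"ATTACH present: {attach}"))
    return findings

# Constructed sample: a tournament schedule feed (hypothetical host) whose later
# entries carry an off-domain link and an attachment, as the report describes.
SAMPLE_FEED_URL = "https://cup-schedule.example/matches.ics"
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR", "VERSION:2.0",
    "BEGIN:VEVENT", "UID:match-1@cup-schedule.example", "SUMMARY:Final",
    "URL:https://cup-schedule.example/matches/final", "END:VEVENT",
    "BEGIN:VEVENT", "UID:promo-9@cup-schedule.example", "SUMMARY:You have won",
    "DESCRIPTION:Claim your reward at https://prize-claim.exa",
    " mple/go?id=42 before it expires",
    "ATTACH;FMTTYPE=application/pdf:https://prize-claim.example/invoice.pdf",
    "END:VEVENT", "END:VCALENDAR",
])

if __name__ == "__main__":
    for uid, finding in audit_feed(SAMPLE_FEED_URL, SAMPLE_ICS):
        print(uid, "->", finding)
```

A full audit would also check whether each subscribed feed's domain is still registered to the original publisher, which requires a WHOIS or RDAP lookup and is therefore left out of this offline example.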
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators-of-compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com
[1] https://www.cybersecurityintelligence.com/blog/millions-of-devices-at-risk-from-malicious-calendar-subscriptions-8898.html