Threat Actors Exploit Calendar Subscriptions for Phishing and Malware


Threat actors have been found manipulating digital calendar subscription infrastructure to deliver harmful content.

Calendar series subscriptions allow third parties to add events and share notifications directly to devices. Examples include retailers sharing sale dates and sports associations updating a calendar of matches.

However, because these subscriptions allow a third-party server to add events directly, threat actors have been found setting up deceptive infrastructures to trick users into subscribing to notifications, according to new research by BitSight.

The malicious calendar subscriptions are often hosted on expired or hijacked domains, which can be exploited for large-scale social engineering.

Once a subscription is established, the threat actors can deliver calendar files that may contain harmful content, such as URLs or attachments.
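A defender-side check for the calendar files described above, added here as an example and not taken from the BitSight report or any vendor tool: it unfolds an .ics feed per RFC 5545 and lists the events that carry links or ATTACH properties. The sample feed, hostnames and function names are constructed for illustration.

```python
import re

URL_RE = re.compile(r"https?://[^\s\\,;\"<>]+", re.I)
# Constructed sample feed (not from the BitSight report); hostnames are placeholders.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\nUID:1@holidays.example\r\n"
    "SUMMARY:Public holiday\r\nDTSTART;VALUE=DATE:20250101\r\nEND:VEVENT\r\n"
    "BEGIN:VEVENT\r\nUID:2@holidays.example\r\nSUMMARY:Action required\r\n"
    "DESCRIPTION:Open https://login.example.net/ver\r\n ify?id=1 to renew\r\n"
    "ATTACH;FMTTYPE=application/octet-stream:https://files.example.net/fix.bin\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

def unfold(text):
    """RFC 5545: a line break followed by one space or tab continues the line."""
    return re.sub(r"\r?\n[ \t]", "", text)

def split_property(line):
    """Return (NAME, value), splitting at the first ':' outside quoted parameters."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            return line[:i].split(";", 1)[0].upper(), line[i + 1:]
    return line.upper(), ""

def audit_feed(text):
    """Return one record per VEVENT that carries a link or an attachment."""
    findings, event = [], None
    for line in unfold(text).splitlines():
        name, value = split_property(line)
        if name == "BEGIN" and value.upper() == "VEVENT":
            event = {"uid": None, "urls": [], "attachments": []}
        elif event is None:
            continue  # ignore properties outside an event
        elif name == "END" and value.upper() == "VEVENT":
            if event["urls"] or event["attachments"]:
                findings.append(event)
            event = None
        elif name == "UID":
            event["uid"] = value
        elif name == "ATTACH":
            event["attachments"].append(value)
        elif name in ("URL", "DESCRIPTION", "LOCATION", "SUMMARY"):
            event["urls"] += URL_RE.findall(value)
    return findings

print(audit_feed(SAMPLE_ICS))
```

Unfolding before scanning matters here: the link in the second event is split across two physical lines, so a line-by-line URL search would record it truncated.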

The risks range from phishing and malware distribution to JavaScript execution and innovative attacks that exploit emerging technologies such as AI assistants.

Sinkhole Research Uncovers 347 Suspicious Calendar Domains

BitSight began its research with a single domain that was sinkholed, which recorded 11,000 unique IP addresses per day.

Sinkholing is a technique used in cybersecurity research to redirect malicious traffic away from its intended target to a controlled environment, the sinkhole.

This initial sinkhole related to a domain that functioned as a server for a subscribed calendar that distributed German public and school holiday events.

“That got our attention. Why would a domain for German holidays, with .ics files, be available?” the BitSight researchers wrote.

The investigation then expanded and uncovered an additional 347 domains (relating to FIFA 2018 events, Islamic Hijri calendar, etc.).

In total, these 347 domains were contacted by approximately four million unique IP addresses per day, with the highest geographic concentration in the US.

The BitSight team identified two types of sync requests in the sinkhole, strongly suggesting that these were not new subscriptions, but background sync requests from previously subscribed calendars.

“This means that anyone who took over or registered an expired domain would be able to respond with customized calendar .ics files and create additional events in these devices,” they wrote.

Calendar Subscriptions are an Overlooked Security Blind Spot

The cybersecurity firm noted that the research does not disclose a vulnerability in Google Calendar or iCalendar; the security risks arise from third-party calendar subscriptions.

It noted that providers like Apple and Google have made significant strides in securing their ecosystems. However, BitSight said its findings highlight areas where emerging risks, like calendar-based abuse, may not yet be fully addressed, despite strong security postures elsewhere.

“Awareness and defenses of calendar subscriptions should be more robust, especially when compared to well-monitored and protected email solutions. The current imbalance creates a dangerous blind spot in both personal and corporate security postures,” the report concluded.

This content was curated and authored by Azaeo based on information publicly available on the pages cited in Sources.
