
Synced calendars a potential threat vector for millions of devices

Synced web calendars can pose an overlooked security risk as attackers use event notifications to spread malicious links, Bitsight reported Tuesday.

Bitsight TRACE published findings from its investigation into 390 sinkholed domains that were receiving calendar sync requests from 4 million iOS and macOS devices daily, concluding that an abandoned or compromised site could easily be used to push malicious calendar files to every device still subscribed to it.

Some of these abandoned domains originally provided synced calendar subscriptions for legitimate purposes such as tracking German holidays, FIFA sporting events or important religious dates in Islam.

Devices subscribed to these calendars send regular sync requests to the calendar-hosting domains, which respond with .ics calendar files whose events are merged into the user's calendar application, such as Google Calendar or Apple's Calendar app.

Bitsight noted that Google Calendar fetches subscribed feeds through a Google-operated proxy, so all Google subscribers appear to the feed host as a single source, while Apple's Calendar app fetches them directly from each iPhone, iPad or Mac. That is why Bitsight's sinkhole could only count individual iOS and macOS devices making the requests.

If an attacker gained control of one of these expired domains, they could answer the ongoing sync requests with their own .ics files whose events carry malicious content, such as fake security warnings or reward offers. Those events would appear on the victim's calendar and, if the event carries an alarm, as push notifications.

Links attached to these calendar events could lead to phishing or malware pages. Further investigation into specific requests being received by the sinkholed domains revealed networks of malicious activity related to calendar syncing subscriptions.

Bitsight discovered requests for webcal:// subscription URLs pointing to domains that appeared to trick users into subscribing to a calendar feed or browser push notifications under the guise of a CAPTCHA prompt. The researchers found these pages to be part of malicious redirection chains originating from legitimate but compromised WordPress sites.

Tracing these domains through indicators of compromise (IoCs) such as TLS certificates with overlapping subject names uncovered more than 1,300 domains and 50 IP addresses tied to the push notification and synced calendar fraud campaign. The pattern of WordPress site injection and redirection to notification scam sites was noted to match the IoCs and tactics, techniques and procedures (TTPs) of Balada Injector campaigns.

Traffic to the malicious sites was also found to come from links in PDF files and Android Package Kits (APKs) disguised as popular games, revealing multiple avenues for directing victims to the notification/calendar spam sites.

Calendar events often unnoticed by security tools

Calendar events are less likely to be regarded as a phishing vector by security tools and awareness programs, which are mainly designed for traditional phishing channels such as email and messaging. Phishing and malware links delivered through calendar notifications may therefore be less likely to be blocked by controls or recognized as malicious by users, Bitsight noted.

Malicious calendar content could also be used to inject prompts into AI assistants that summarize or manage calendar events. The risk of prompt injection via calendar events has previously been demonstrated by researchers at SafeBreach and EdisonWatch.

Bitsight recommended that users treat links in calendar events the way they treat links in email and review their synced calendars for suspicious or unfamiliar events. Companies may want to establish policies for adding third-party calendar subscriptions to company devices and cover this additional threat vector in their phishing training.

Outbound calendar sync requests can also be restricted at the firewall with an allowlist that permits .ics fetches only to trusted hosts, such as the company's own calendar servers.
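The two recommendations above (review subscribed events for unfamiliar links, and allow sync traffic only to trusted hosts) can be applied to the feed content itself, and doing so also makes concrete what a hostile .ics response looks like. The following Python is an added example written for this page, not Bitsight's tooling; the feed, the hosts `calendar.example.org` and `scan.example.net`, and the allowlist are constructed for illustration. It uses only the standard library, unfolds RFC 5545 line continuations before searching for links (a fold can land inside a URL, which a line-by-line grep would miss), and reports events that link to hosts outside the allowlist, noting whether the event carries a DISPLAY alarm and would therefore surface as a notification.

```python
"""Scan a synced calendar feed (.ics) for links to hosts outside an allowlist."""
import re
from urllib.parse import urlparse

# Constructed sample: a feed that once served German holidays, now answered by
# an attacker with one legitimate-looking event and one lure that links off-site.
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR",
    "VERSION:2.0",
    "PRODID:-//example//holidays//EN",
    "BEGIN:VEVENT",
    "UID:1@calendar.example.org",
    "SUMMARY:Tag der Deutschen Einheit",
    "DTSTART;VALUE=DATE:20251003",
    "URL:https://calendar.example.org/holidays",
    "END:VEVENT",
    "BEGIN:VEVENT",
    "UID:2@calendar.example.org",
    "SUMMARY:Security alert: your device is infected",
    "DTSTART:20250101T090000Z",
    # RFC 5545 folds long lines at 75 octets; here the fold splits the URL.
    "DESCRIPTION:Your iPhone has 3 viruses. Remove them now at ht",
    " tps://scan.example.net/clean?ref=cal",
    "BEGIN:VALARM",
    "ACTION:DISPLAY",
    "DESCRIPTION:Security alert",
    "TRIGGER:-PT0M",
    "END:VALARM",
    "END:VEVENT",
    "END:VCALENDAR",
    "",
])

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Event properties in which a link can be planted and shown to the user.
TEXT_FIELDS = ("SUMMARY", "DESCRIPTION", "LOCATION", "URL", "X-ALT-DESC")


def unfold(text: str) -> str:
    """Undo RFC 5545 line folding: a line break followed by a space or tab joins lines."""
    return re.sub(r"\r?\n[ \t]", "", text)


def parse_events(text: str) -> list[dict]:
    """Return one dict per VEVENT mapping property name -> list of values,
    plus an "alarms" list holding the ACTION of each nested VALARM.
    Quoted parameter values containing ':' are not handled; fine for this sample."""
    events, current, alarm = [], None, None
    for line in unfold(text).splitlines():
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        name = name.split(";", 1)[0].upper()      # drop parameters such as ;VALUE=DATE
        if name == "BEGIN" and value == "VEVENT":
            current = {"alarms": []}
        elif name == "END" and value == "VEVENT" and current is not None:
            events.append(current)
            current = None
        elif name == "BEGIN" and value == "VALARM" and current is not None:
            alarm = {}
        elif name == "END" and value == "VALARM" and alarm is not None:
            current["alarms"].append(alarm.get("ACTION", "").upper())
            alarm = None
        elif alarm is not None:
            alarm[name] = value
        elif current is not None:
            current.setdefault(name, []).append(value)
    return events


def scan_ics(text: str, allowed_hosts: set[str]) -> list[dict]:
    """Flag events that link to any host not in allowed_hosts (hypothetical allowlist)."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for ev in parse_events(text):
        urls = []
        for field in TEXT_FIELDS:
            for value in ev.get(field, []):
                urls.extend(u.rstrip(".,;)") for u in URL_RE.findall(value))
        offsite = [u for u in urls if (urlparse(u).hostname or "").lower() not in allowed]
        if offsite:
            findings.append({
                "uid": ev.get("UID", [""])[0],
                "summary": ev.get("SUMMARY", [""])[0],
                "urls": offsite,
                # A DISPLAY alarm is what makes the lure pop up as a notification.
                "notifies": "DISPLAY" in ev["alarms"],
            })
    return findings


if __name__ == "__main__":
    for f in scan_ics(SAMPLE_ICS, {"calendar.example.org"}):
        print(f"{f['uid']}: {f['summary']!r} -> {f['urls']} notification={f['notifies']}")
```

Run against a feed fetched from each subscription URL on a managed device, the allowlist plays the same role as the firewall rule: anything the feed links to outside the trusted hosts is worth a look, and events that also carry a DISPLAY alarm are the ones that will be pushed in front of the user.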
