⚠️ MEDIUM | analysis

Calendar Subscriptions Expose 4M Devices to Malicious iCal Campaigns

Bitsight research reveals that misused calendar subscriptions are quietly exposing around 4 million iOS and macOS devices to potential malicious events via iCalendar feeds. Attackers can register expired or abandoned domains used by popular subscribed calendars and then push crafted .ics files containing phishing URLs, payload links, or social engineering content directly into users' calendars, mapped to MITRE ATT&CK T1566 (Phishing) and T1204 (User Execution). Because calendar events are implicitly trusted and bypass email security controls, they provide a powerful and underappreciated social-engineering vector.

Bitsight's TRACE sinkhole telemetry identified over 390 domains related to calendar sync requests, contacted daily by ~4 million devices, many originally associated with benign content like holidays, sports fixtures, or promotions. Once domains lapse and are re-registered by threat actors, the existing subscriptions continue to sync automatically, allowing adversaries to deliver arbitrary calendar entries without further user consent. Attackers can also combine calendar events with browser-based notification scams, push malicious VPN or adware promotions, or route users through multi-stage redirect chains.

The problem is exacerbated by the lack of organizational awareness and tooling around calendar security. While email phishing is widely monitored and filtered, calendar events rarely undergo similar scrutiny, yet they can include links, attachments, and urgent reminders that look legitimate. For organizations, this creates a blind spot where users can be lured to credential-harvesting pages, malware downloads, or deceptive subscriptions that later monetize through ad fraud or residential proxy schemes. The research also highlights overlaps with Balada-style website injections that seed malicious scripts leading users into unwanted calendar subscriptions.
Mitigation requires inventorying and pruning unnecessary calendar subscriptions, especially those referencing obscure or long-forgotten domains. Security teams should educate users about the risks of subscribing to calendars from untrusted sites, encourage review of existing subscriptions on corporate devices, and consider MDM policies that restrict calendar additions. Vendors and large organizations should also pressure ecosystem providers to add better controls, such as warning prompts for high-risk calendar domains and optional scanning or proxying of .ics content before delivery.

🎯CORTEX Protocol Intelligence Assessment

Business Impact: Malicious calendar subscriptions can silently deliver phishing and malware lures to users without passing through traditional email security, increasing the likelihood of credential theft, account compromise, and unwanted software installation. At scale, this threatens both consumer and enterprise environments and undermines existing awareness training that focuses only on email-based phishing.

Technical Context: Attackers repurpose expired or hijacked calendar subscription domains to push crafted .ics files, mapped to T1566 and T1204 for social engineering and user execution. The large installed base of legacy subscriptions, combined with automatic sync behavior on iOS and macOS, creates a persistent attack channel requiring targeted cleanup and policy controls.

Strategic Intelligence Guidance

  • Launch a one-time campaign prompting users to review and remove unused or suspicious calendar subscriptions on corporate-managed devices.
  • Incorporate calendar-based phishing scenarios into security awareness training and clarify that calendar events can be as risky as email messages.
  • Use MDM or enterprise configuration profiles to restrict automatic calendar subscription from unknown domains and to enforce default-deny where feasible.
  • Engage with productivity and calendar vendors to request enhanced telemetry and control over subscribed calendars, including domain reputation checks and optional .ics content inspection.
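The mitigation section above suggests scanning or proxying .ics content before delivery, and the last guidance item asks for .ics content inspection. The following is an added example of what such an inspection step could look like; it is not Bitsight's, Apple's, or any vendor's code. It parses a subscribed feed per RFC 5545 (line unfolding, property parameters, nested VALARM components), pulls every URL out of each event's text and attachment properties, and flags events whose links point outside the feed's own domain or an organisational allowlist, or that pair a link with urgent wording of the kind the research describes. The sample feed, host names and allowlist are constructed for the demonstration; the "registrable domain" helper is a two-label approximation and would use a public-suffix list in production.

```python
"""Offline inspector for a subscribed iCalendar (.ics) feed.

Added example (not the page's or any vendor's code). Intended to sit in a
proxy or MDM pipeline that fetches a subscribed calendar and decides whether
to pass it to devices. All sample data below is constructed.
"""
import re
from urllib.parse import urlparse

# Constructed sample feed: one benign holiday entry and one lure with a link
# to an unrelated domain plus urgent wording. Line 2 of the DESCRIPTION is
# folded (leading space) as RFC 5545 requires for long lines.
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR",
    "VERSION:2.0",
    "PRODID:-//example//holidays//EN",
    "BEGIN:VEVENT",
    "UID:1@feed.example.net",
    "DTSTART;VALUE=DATE:20250101",
    "SUMMARY:New Year's Day",
    "URL:https://feed.example.net/holidays/new-year",
    "END:VEVENT",
    "BEGIN:VEVENT",
    "UID:2@feed.example.net",
    "DTSTART:20250102T090000Z",
    "SUMMARY:URGENT: your account will be suspended",
    "DESCRIPTION:Verify now at https://login-verify.example.org/auth to keep",
    "  access. This is your final notice.",
    "BEGIN:VALARM",
    "ACTION:DISPLAY",
    "TRIGGER:-PT0M",
    "END:VALARM",
    "END:VEVENT",
    "END:VCALENDAR",
])

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
URGENT_RE = re.compile(
    r"\b(urgent|verify|suspend\w*|final notice|act now|expire\w*)\b", re.IGNORECASE)
# Properties that commonly carry links in a calendar lure.
URL_PROPS = ("URL", "DESCRIPTION", "LOCATION", "ATTACH", "X-ALT-DESC", "SUMMARY")


def unfold(raw: str) -> list[str]:
    """Join RFC 5545 folded lines: a continuation starts with one space or tab."""
    lines: list[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_events(raw: str) -> list[dict[str, list[str]]]:
    """Return each VEVENT as {PROPERTY: [values]}.

    Properties of nested components (e.g. VALARM) are kept out of the event
    so an alarm's ACTION/TRIGGER cannot be mistaken for event fields.
    """
    events, current, nested = [], None, 0
    for line in unfold(raw):
        name, _, value = line.partition(":")
        name = name.split(";", 1)[0].upper()  # drop parameters such as ;VALUE=DATE
        if name == "BEGIN":
            if value.upper() == "VEVENT":
                current, nested = {}, 0
            elif current is not None:
                nested += 1
        elif name == "END":
            if current is None:
                continue
            if nested:
                nested -= 1
            elif value.upper() == "VEVENT":
                events.append(current)
                current = None
        elif current is not None and nested == 0:
            current.setdefault(name, []).append(value)
    return events


def registrable(host: str) -> str:
    """Two-label approximation of the registrable domain (assumption: no PSL)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def extract_urls(event: dict[str, list[str]]) -> list[str]:
    urls: list[str] = []
    for prop in URL_PROPS:
        for value in event.get(prop, []):
            urls.extend(URL_RE.findall(value))
    return urls


def inspect_feed(raw: str, feed_url: str, allowlist: tuple[str, ...] = ()) -> list[dict]:
    """Flag events whose links leave the feed's domain/allowlist or pair a link
    with urgent wording. Returns one finding per suspicious event."""
    feed_site = registrable(urlparse(feed_url).hostname or "")
    allowed = {feed_site} | {registrable(d) for d in allowlist}
    findings = []
    for event in parse_events(raw):
        reasons = []
        urls = extract_urls(event)
        foreign = sorted({registrable(urlparse(u).hostname or "") for u in urls} - allowed)
        if foreign:
            reasons.append("links to domains outside the feed: " + ", ".join(foreign))
        text = " ".join(event.get("SUMMARY", []) + event.get("DESCRIPTION", []))
        if urls and URGENT_RE.search(text):
            reasons.append("link combined with urgent wording")
        if reasons:
            findings.append({"uid": event.get("UID", ["?"])[0],
                             "summary": event.get("SUMMARY", [""])[0],
                             "urls": urls, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in inspect_feed(SAMPLE_ICS, "https://feed.example.net/holidays.ics"):
        print(f["uid"], "|", f["summary"])
        for r in f["reasons"]:
            print("   -", r)
```

A proxy built on this would fetch the subscription on the devices' behalf, run `inspect_feed`, and either strip flagged events or hold the whole feed for review; the same parser can be run over an inventory of existing subscriptions to spot feeds whose domain no longer matches the links they serve, which is the signature of a re-registered domain described above.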

Vendors

Apple, Bitsight

Threats

calendar-based phishing, notification scams

Targets

iOS devices, macOS devices, enterprise users

Impact

Data Volume: 4,000,000 devices at risk