{"id":3679,"date":"2025-11-28T15:29:29","date_gmt":"2025-11-28T15:29:29","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2025\/11\/28\/threat-actors-exploit-calendar-subscriptions-for-phishing-and-malware-delivery\/"},"modified":"2025-11-28T15:29:29","modified_gmt":"2025-11-28T15:29:29","slug":"threat-actors-exploit-calendar-subscriptions-for-phishing-and-malware-delivery","status":"publish","type":"post","link":"https:\/\/ft365.org\/index.php\/2025\/11\/28\/threat-actors-exploit-calendar-subscriptions-for-phishing-and-malware-delivery\/","title":{"rendered":"Threat Actors Exploit Calendar Subscriptions for Phishing and Malware Delivery"},"content":{"rendered":"<div id=\"cphContent_pnlArticleBody\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>Threat actors have been found manipulating digital calendar subscription infrastructure to deliver harmful content.<\/p>\n<p>Calendar series subscriptions allow third parties\u00a0to add events and share notifications directly to devices. For instance, retailers can share sale dates, and sports associations can update a calendar of sports matches.
\u00a0<\/p>\n<p>However, because these subscriptions allow a third-party server to add events directly, threat actors have been found setting up deceptive infrastructure to trick users into subscribing to notifications, according to new research by BitSight.<\/p>\n<p>The malicious calendar subscriptions are often hosted on expired or hijacked domains, which can be exploited for large-scale social engineering.<\/p>\n<p>Once a subscription is established, the threat actors can deliver calendar files that may contain harmful content, such as URLs or attachments.<\/p>\n<p>The risks range from phishing and malware distribution to JavaScript execution and innovative attacks that exploit emerging technologies such as AI assistants.<\/p>\n<h2><strong>Sinkhole Research Uncovers 347 Suspicious Calendar Domains<\/strong><\/h2>\n<p>BitSight began its research with a single domain that was sinkholed, which recorded 11,000 unique IP addresses per day.<\/p>\n<p>Sinkholing is a technique used in cybersecurity research to redirect malicious traffic away from its intended target to a controlled environment, the sinkhole.<\/p>\n<p>This initial sinkhole related to a domain that functioned as a server for a subscribed calendar that distributed German public and school holiday events.<\/p>\n<p>\u201cThat got our attention. 
Why would a domain for German holidays, with\u00a0.ics\u00a0files, be available?\u201d the BitSight researchers wrote.<\/p>\n<p>The investigation then expanded and uncovered an additional 347 domains\u00a0(relating to FIFA 2018\u00a0events,\u00a0Islamic Hijri\u00a0calendar, etc.).<\/p>\n<p>In total, these 347 domains were contacted by approximately\u00a0four million unique IP addresses per day, with the highest geographic concentration in the\u00a0US.<\/p>\n<p>The BitSight team identified\u00a0two types\u00a0of sync requests in the sinkhole, strongly suggesting that these were\u00a0not new subscriptions, but\u00a0background sync requests\u00a0from previously\u00a0subscribed calendars.<\/p>\n<p>\u201cThis means that anyone who took over or registered an expired domain would be able to respond with customized calendar\u00a0.ics\u00a0files and create additional events in these devices,\u201d they wrote.<\/p>\n<h2><strong>Calendar Subscriptions are an Overlooked Security Blind Spot<\/strong><\/h2>\n<p>The cybersecurity firm noted that the research does not disclose a vulnerability in Google Calendar or iCalendar; the security risks arise from third-party calendar subscriptions.<\/p>\n<p>It noted that providers like Apple and Google have made significant strides in securing their ecosystems. However, BitSight said its findings highlight areas where emerging risks, like calendar-based abuse, may not yet be fully addressed, despite strong security postures elsewhere.<\/p>\n<p>\u201cAwareness and defenses of calendar subscriptions should be more robust, especially when compared to well-monitored and protected email solutions. The current imbalance creates a dangerous blind spot in both personal and corporate security postures,\u201d the report concluded.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Threat actors have been found manipulating digital calendar subscription infrastructure to deliver harmful content. 
Calendar series subscriptions allow third parties\u00a0to add events and share notifications directly to devices. For instance, retailers can share sale dates, and sports associations can update a calendar of sports matches. \u00a0 However, because these subscriptions allow a third-party server to add events directly<\/p>\n","protected":false},"author":2,"featured_media":3680,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-3679","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3679-5b3e88d3-4b5d-457b-bbbf-2c7b1b7823ae.jpg",300,300,false],"thumbnail":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3679-5b3e88d3-4b5d-457b-bbbf-2c7b1b7823ae-150x150.jpg",150,150,true],"medium":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3679-5b3e88d3-4b5d-457b-bbbf-2c7b1b7823ae.jpg",300,300,false],"medium_large":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3679-5b3e88d3-4b5d-457b-bbbf-2c7b1b7823ae.jpg",300,300,false],"large":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3679-5b3e88d3-4b5d-457b-bbbf-2c7b1b7823ae.jpg",300,300,false],"1536x1536":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3679-5b3e88d3-4b5d-457b-bbbf-2c7b1b7823ae.jpg",300,300,false],"2048x2048":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3679-5b3e88d3-4b5d-457b-bbbf-2c7b1b7823ae.jpg",300,300,false],"morenews-featured":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3679-5b3e88d3-4b5d-457b-bbbf-2c7b1b7823ae.jpg",300,300,false],"morenews-large":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3679-5b3e88d3-4b5d-457b-bbbf-2c7b1b7823ae.jpg",300,300,false],"morenews-medium":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3679-5b3e88d3-4b5d-457b-bbbf-2c7b1b7823ae.jpg",300,300,false],"crawlomatic_preview_image":
["https:\/\/ft365.org\/wp-content\/uploads\/2025\/11\/3679-5b3e88d3-4b5d-457b-bbbf-2c7b1b7823ae-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"https:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"https:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3679","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=3679"}],"version-history":[{"count":0,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3679\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/3680"}],"wp:attachment":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=3679"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=3679"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=3679"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}