
Threat Actors Exploit Calendar Subscriptions for Phishing and Malware

By Team-CWD, November 28, 2025


Threat actors have been found manipulating digital calendar subscription infrastructure to deliver harmful content.

Calendar series subscriptions allow third parties to add events and share notifications directly to devices, for instance retailers sharing sale dates or sports associations updating a calendar of matches.

However, because these subscriptions allow a third-party server to add events directly, threat actors have been found setting up deceptive infrastructures to trick users into subscribing to notifications, according to new research by BitSight.

The malicious calendar subscriptions are often hosted on expired or hijacked domains, which can be exploited for large-scale social engineering.

Once a subscription is established, the threat actors can deliver calendar files that may contain harmful content, such as URLs or attachments.

The risks range from phishing and malware distribution to JavaScript execution and innovative attacks that exploit emerging technologies such as AI assistants.

Sinkhole Research Uncovers 347 Suspicious Calendar Domains

BitSight began its research with a single domain that was sinkholed, which recorded 11,000 unique IP addresses per day.

Sinkholing is a technique used in cybersecurity research to redirect malicious traffic away from its intended target to a controlled environment, the sinkhole.

This initial sinkhole related to a domain that functioned as a server for a subscribed calendar that distributed German public and school holiday events.

“That got our attention. Why would a domain for German holidays, with .ics files, be available?” the BitSight researchers wrote.

The investigation then expanded and uncovered an additional 347 domains (relating to FIFA 2018 events, Islamic Hijri calendar, etc.).

In total, these 347 domains were contacted by approximately four million unique IP addresses per day, with the highest geographic concentration in the US.

The BitSight team identified two types of sync requests in the sinkhole, strongly suggesting that these were not new subscriptions, but background sync requests from previously subscribed calendars.

“This means that anyone who took over or registered an expired domain would be able to respond with customized calendar .ics files and create additional events in these devices,” they wrote.

Calendar Subscriptions are an Overlooked Security Blind Spot

The cybersecurity firm noted that the research does not disclose a vulnerability in Google Calendar or iCalendar; the security risks arise from third-party calendar subscriptions.

It noted that providers like Apple and Google have made significant strides in securing their ecosystems. However, BitSight said its findings highlight areas where emerging risks, like calendar-based abuse, may not yet be fully addressed, despite strong security postures elsewhere.

“Awareness and defenses of calendar subscriptions should be more robust, especially when compared to well-monitored and protected email solutions. The current imbalance creates a dangerous blind spot in both personal and corporate security postures,” the report concluded.


