Hundreds of Abandoned iCalendar Sync Domains Put Nearly 4 Million Devices at Risk

Researchers at Bitsight TRACE have discovered a massive network of abandoned calendar domains still receiving synchronization requests from millions of Apple devices.

The study found over 390 inactive or hijacked domains related to iCalendar sync requests, posing security risks to nearly 4 million iOS and macOS devices that continue to reach out to them daily.

Hidden Risks in Digital Calendar Subscriptions

Digital calendars have become essential tools for work and personal life, but their subscription feature can silently expose users to malicious activity.

When a person subscribes to an external calendar, such as one offering public holidays, sports schedules, or promotional events, the device automatically connects to that server to fetch updates through .ics files.

Bitsight’s sinkhole analysis revealed that many of these calendar servers remain active long after the domains have expired or been abandoned.

Figure: World map (Bitsight TRACE)

Attackers who register these expired domains can serve customized .ics files containing malicious event links, phishing URLs, or prompts to install unwanted apps. Unlike emails, these events land directly in users’ calendars, making them appear legitimate and trustworthy.

The researchers traced the issue back to calendar sync daemons on Apple devices that automatically request updates from subscribed calendars.

Observed requests included identifiable headers such as Accept: text/calendar and user-agent strings of dataaccessd/1.0, confirming Apple Calendar’s background synchronization.

From Push Notifications to Phishing and Scam Networks

Further investigation revealed two significant communication patterns: Base64-encoded URIs and webcal queries, both of which request calendar data.

Many hijacked calendar servers delivered JavaScript payloads that attempted to trick users into granting push notification permissions or subscribing to additional spam calendars.

Bitsight linked these operations to large-scale notification scam campaigns that often masquerade as CAPTCHA checks requiring users to click “Allow.”

The infrastructure overlapped with previously compromised WordPress sites infected by the Balada Injector malware, which injected obfuscated JavaScript into legitimate websites.

Victims visiting such sites were silently redirected to malicious endpoints pushing fake offers, VPN promotions, or malicious APK downloads.

While most attacks focused on social engineering, some campaigns also distributed weaponized .ics files that exploited unpatched vulnerabilities, such as CVE-2025-27915 in Zimbra, allowing JavaScript execution without user interaction.

Bitsight warns that calendar-based threats represent an overlooked attack vector compared to email phishing. Organizations rarely monitor or restrict calendar subscriptions, creating blind spots that can be exploited at scale.

The company recommends reviewing active calendar subscriptions, implementing whitelist-based firewall rules, and including calendar security in employee awareness training.
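One way to start the subscription review and allowlisting recommended above, as an added example that is not from Bitsight or the original article: it scans proxy log lines for the calendar-sync markers described earlier (`Accept: text/calendar`, a `dataaccessd` user agent) and lists destination hosts outside an approved set. The JSON-lines log format, field names, hosts, addresses and allowlist are all constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed sample proxy log (JSON lines); format and field names are assumptions.
SAMPLE_LOG = """
{"client": "10.0.4.17", "host": "holidays.example.org", "user_agent": "iOS/17.5 dataaccessd/1.0", "accept": "text/calendar"}
{"client": "10.0.4.22", "host": "HOLIDAYS.example.org.", "user_agent": "iOS/17.5 dataaccessd/1.0", "accept": "text/calendar"}
{"client": "10.0.4.17", "host": "calendar.corp.example", "user_agent": "iOS/17.5 dataaccessd/1.0", "accept": "text/calendar"}
{"client": "10.0.5.9", "host": "team.calendar.corp.example", "user_agent": "macOS dataaccessd/1.0", "accept": "text/calendar"}
{"client": "10.0.5.9", "host": "www.example.net", "user_agent": "Mozilla/5.0", "accept": "text/html"}
not json
{"client": "10.0.6.3", "host": "xcalendar.corp.example", "user_agent": "OtherClient/2.0", "accept": "text/calendar"}
"""

# Assumed allowlist of calendar hosts the organization has approved.
APPROVED_CALENDAR_HOSTS = {"calendar.corp.example"}

def is_calendar_sync(entry):
    # Either marker from the article identifies a calendar fetch.
    ua = str(entry.get("user_agent", ""))
    accept = str(entry.get("accept", "")).lower()
    return "dataaccessd/" in ua or "text/calendar" in accept

def host_allowed(host, allowlist):
    # Exact match or true subdomain; a bare suffix match would admit look-alikes.
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowlist)

def unapproved_calendar_hosts(log_text, allowlist):
    hits = defaultdict(set)
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines
        if not isinstance(entry, dict):
            continue
        host = str(entry.get("host", "")).lower().rstrip(".")
        if host and is_calendar_sync(entry) and not host_allowed(host, allowlist):
            hits[host].add(entry.get("client", "unknown"))
    return {h: sorted(c) for h, c in hits.items()}

if __name__ == "__main__":
    for host, clients in sorted(unapproved_calendar_hosts(SAMPLE_LOG, APPROVED_CALENDAR_HOSTS).items()):
        print(f"{host}: {len(clients)} client(s) {clients}")
```

Hosts that surface here are candidates for review: confirm the domain is still registered to the intended publisher before adding it to the allowlist, and remove the subscription from devices otherwise.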

Calendar events, long considered harmless reminders, now demonstrate how trust in familiar tools can be exploited for large-scale phishing, malware delivery, and data harvesting.

The post Hundreds of Abandoned iCalendar Sync Domains Put Nearly 4 Million Devices at Risk appeared first on Cyber Security News.

rssfeeds-admin
