Cybersecurity researchers at Kaspersky have identified an active campaign in which threat actors abuse calendar invitations to deliver phishing links and malware. The attack relies on malicious ICS files, the iCalendar format used for calendar events and invitations, which are sent to victims as email attachments.
The social engineering in these emails typically takes the form of fake notifications about package deliveries or unpaid invoices, prompting the recipient to open and accept the attached ICS invitation. Once the user accepts it, the event is added to their calendar application.
Attack Vector and Delivery Mechanism
The core of the attack is the description field of the calendar event. Threat actors place malicious links in this field, and once the event is added to the calendar the links resurface in event reminders and notifications on the user's device. Because the link travels inside an attachment rather than the email body, and is later presented by a trusted application, the calendar, rather than the mail client, the technique is designed to slip past email security filters that scan only message bodies for links.
Kaspersky's analysis identified two primary attack vectors built on this delivery method. The first is phishing: the embedded links redirect users to fraudulent websites designed to harvest credentials by tricking users into entering their login information. The second is direct malware delivery: clicking the link in the calendar event starts a download of malicious software onto the user's system.
Observed Malware Payloads
The campaign has been observed distributing information-stealing malware; specifically, researchers identified delivery of the Lumma and Rhadamanthys stealers. These families exfiltrate sensitive data from an infected device, such as saved passwords, financial details, and other personal information. To hide the final malicious destination, the attackers route links through URL shorteners and a chain of redirects, so the domain visible in the invitation reveals nothing about where the victim ultimately lands and static URL inspection or reputation checks are harder to apply.
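The delivery mechanism described above (links hidden in the event description) and the use of URL shorteners both suggest a simple mail-gateway check: parse every inbound .ics attachment, pull the URLs out of the link-bearing fields of each VEVENT and VALARM, and flag those that point at a shortener. The scanner below is an added example written for this article; it is not code from Kaspersky or from the original page. The sample invitation is constructed for the demonstration, its domains are placeholders rather than real indicators, and the shortener list is an illustrative starting set, not the indicators from the report. Two details matter for such a check and are handled here: RFC 5545 line folding (a long DESCRIPTION continues on the next line after a leading space, so a URL can be split across lines) and iCalendar text escaping (`\n`, `\,`), both of which defeat a naive grep over the raw file.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed sample .ics attachment modeled on the delivery-notice lure described
# in the article. DESCRIPTION is folded per RFC 5545 (continuation lines start
# with a space) and uses iCalendar escapes. All domains are placeholders.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "PRODID:-//Example//Invite//EN\r\n"
    "METHOD:REQUEST\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:20240101T120000Z-0001@example.invalid\r\n"
    "DTSTART:20240102T090000Z\r\n"
    "DTEND:20240102T093000Z\r\n"
    "SUMMARY:Delivery attempt failed - action required\r\n"
    "DESCRIPTION:Your package could not be delivered.\\nConfirm your address h\r\n"
    " ere: https://bit.ly/3xAmPl3\\, or pay the invoice at https://short.invalid/ab\r\n"
    " cd before 18:00.\r\n"
    "URL:https://invoice-portal.example.invalid/login\r\n"
    "BEGIN:VALARM\r\n"
    "ACTION:DISPLAY\r\n"
    "DESCRIPTION:Reminder: confirm delivery https://tinyurl.com/y2k3l4m5\r\n"
    "TRIGGER:-PT15M\r\n"
    "END:VALARM\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

# Illustrative list of public URL shorteners (assumption: extend from your own threat intel).
KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly", "rb.gy", "ow.ly", "goo.gl"}

# Fields in which the article says the lure text and links are placed, plus the URL property.
TEXT_FIELDS = {"DESCRIPTION", "SUMMARY", "LOCATION", "COMMENT"}
URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def unfold(ics_text: str) -> List[str]:
    """Undo RFC 5545 line folding: a line starting with space/tab continues the previous one."""
    lines: List[str] = []
    for raw in ics_text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def unescape_text(value: str) -> str:
    """Undo iCalendar TEXT escaping: \\n or \\N -> newline, \\, \\; \\\\ -> literal char."""
    out: List[str] = []
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            out.append("\n" if nxt in "nN" else nxt)
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_property(line: str) -> Tuple[str, str]:
    """Split 'NAME;PARAM="v":value' into (NAME, value); parameter values may be quoted and contain ':'."""
    in_quotes = False
    for idx, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            return line[:idx].split(";", 1)[0].upper(), line[idx + 1:]
    return line.upper(), ""


def extract_urls(text: str) -> List[str]:
    """Find http(s) URLs, trimming sentence punctuation that trails them."""
    return [u.rstrip(".,;:)") for u in URL_RE.findall(text)]


def scan_ics(ics_text: str) -> Dict[str, object]:
    """Collect URLs from link-bearing fields of every VEVENT/VALARM and flag shortener hosts."""
    urls: List[str] = []
    stack: List[str] = []  # current component nesting, e.g. [VCALENDAR, VEVENT, VALARM]
    for line in unfold(ics_text):
        name, value = parse_property(line)
        if name == "BEGIN":
            stack.append(value.upper())
        elif name == "END":
            if stack:
                stack.pop()
        elif stack and stack[-1] in ("VEVENT", "VALARM"):
            if name in TEXT_FIELDS:
                urls.extend(extract_urls(unescape_text(value)))
            elif name == "URL":
                urls.extend(extract_urls(value))
    unique = list(dict.fromkeys(urls))  # de-duplicate, preserve order
    shortened = [u for u in unique if (urlparse(u).hostname or "").lower() in KNOWN_SHORTENERS]
    return {"urls": unique, "shortened": shortened, "suspicious": bool(shortened)}


if __name__ == "__main__":
    result = scan_ics(SAMPLE_ICS)
    for url in result["urls"]:
        print(("SHORTENER " if url in result["shortened"] else "direct    ") + url)
```

Run stand-alone, the script lists four URLs from the sample and marks the two shortener links; the `bit.ly` link is only recovered because the fold in DESCRIPTION is undone before URL extraction. In a gateway this would feed the extracted URLs into existing URL reputation or sandboxing rather than blocking on the shortener alone, since shorteners also appear in legitimate invitations.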