A Google Calendar invite appeared in the recipient's inbox. The DESCRIPTION stated: "A payment of $316.66 USD will be processed within 24 hours." It claimed to be from the Bitdefender LLC Support Team, referenced a product called SecureCore Ultimate, and provided two phone numbers to call with questions. There were no malicious links anywhere in the message. Every URL pointed to calendar.google.com. The attack was pure callback phishing: the phone number was the weapon.
The organizer email was aenazeuli@hktaiwan[.]com. WHOIS records showed the domain was registered the same day the invite was sent, with privacy-protected registrant details and a one-year expiration. The domain had no public A records, no MX records, no published SPF, and no DMARC. It was created for one purpose: to serve as the identity behind a single campaign.
Despite the organizer domain's complete lack of email infrastructure, the invite was delivered through Google Calendar's own mail servers at mail-sor-f69.google.com (IP 209[.]85[.]220[.]69). DKIM signatures for google.com passed. ARC seals were valid. The transport was authenticated because Google Calendar infrastructure, not the organizer domain, handled delivery. SPF for the organizer showed "none" because hktaiwan[.]com had never designated permitted senders.
The DESCRIPTION text claimed the sender was the "Bitdefender LLC Support Team" and referenced a fabricated product. None of these details matched anything on Bitdefender's official site. The text quality was poor: duplicated blocks, template artifacts ("Renewal verified welcome again."), and formatting inconsistencies.
Two US phone numbers were provided: (843) 367-8410 and (828) 620-5541. These are the payload. If the recipient calls, they reach an attacker posing as support, who guides them through canceling the fake charge, often by installing remote access software or providing payment card details. This is vishing initiated through a calendar channel.
All interactive elements in the invite (RSVP, View, Settings) resolved to legitimate calendar.google.com URLs. Link scanners found nothing to block because there was nothing malicious to scan. The entire attack existed in the text of the DESCRIPTION field and the phone numbers embedded within it.
Calendar invites bypass traditional email inspection in two ways. First, the message inherits Google's authentication and reputation, not the organizer's. Second, many calendar clients auto-add events from external senders, placing the attacker's billing claim directly on the recipient's calendar without any interaction.
IRONSCALES flagged the invite based on a first-time organizer, same-day domain registration, billing language in the DESCRIPTION, and the absence of any established sender relationship.
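The signals listed above can be checked directly against the raw iCalendar body. The following is an added example, not IRONSCALES' detection logic or code from the original article: the sample invite, placeholder organizer address, 555 phone numbers, dates, host allowlist and 30-day age threshold are all assumptions, and the domain registration date is expected from a WHOIS lookup done by the caller.

```python
import re
from datetime import date

# Constructed invite modelled on the one described above; the organizer address,
# phone numbers and dates are placeholders, not values from the real message.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\n"
    "ORGANIZER;CN=Support:mailto:billing@new-domain.example\r\n"
    "DESCRIPTION:A payment of $316.66 USD will be processed within 24 hours.\\n"
    "Bitdefender LLC Support Team\\, call (843) 555-0110 or (828) 55\r\n"
    " 5-0141. View: https://calendar.google.com/calendar/event?eid=x\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)
PHONE = re.compile(r"\(?\b\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b")
BILLING = re.compile(r"\b(?:payment|charged?|renewal|invoice|subscription|refund)\b", re.I)
CALENDAR_HOSTS = {"calendar.google.com", "www.google.com"}  # assumed allowlist
MAX_DOMAIN_AGE_DAYS = 30  # assumed threshold for a "new" organizer domain

def unfold(ics):
    # RFC 5545 3.1: CRLF followed by a space or tab continues the previous line.
    return re.sub(r"\r?\n[ \t]", "", ics)

def prop(ics, name):
    # Value of the first NAME property, skipping parameters such as ;CN=...
    m = re.search(rf"^{name}(?:;[^:\r\n]*)?:(.*?)\r?$", unfold(ics), re.M | re.I)
    return m.group(1) if m else ""

def unescape(text):
    # RFC 5545 TEXT escapes: backslash-n, backslash-comma, backslash-semicolon.
    return re.sub(r"\\([nN,;\\])", lambda m: "\n" if m.group(1) in "nN" else m.group(1), text)

def score_invite(ics, registered, received, known_organizers=frozenset()):
    """registered = organizer-domain creation date from a WHOIS lookup done by the caller."""
    organizer = prop(ics, "ORGANIZER").lower().removeprefix("mailto:")
    desc = unescape(prop(ics, "DESCRIPTION"))
    hosts = {h.lower() for h in re.findall(r"https?://([^/\s:?]+)", desc)}
    result = {
        "organizer": organizer,
        "first_time_organizer": organizer not in known_organizers,
        "new_domain": (received - registered).days <= MAX_DOMAIN_AGE_DAYS,
        "billing_language": bool(BILLING.search(desc)),
        "callback_numbers": PHONE.findall(desc),
        "no_external_links": hosts <= CALENDAR_HOSTS,
    }
    suspect = (result["billing_language"] and result["callback_numbers"]
               and (result["first_time_organizer"] or result["new_domain"]))
    result["verdict"] = "callback-phishing suspect" if suspect else "no match"
    return result

if __name__ == "__main__":
    print(score_invite(SAMPLE_ICS, date(2025, 1, 15), date(2025, 1, 15)))
```

The second phone number in the sample is split by iCalendar line folding, so a pattern run over the raw body finds only one of the two numbers; unfolding before matching recovers both.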
| Type | Indicator | Context |
|---|---|---|
| Organizer Domain | hktaiwan[.]com | Registered same day as the attack, no MX/SPF/DMARC |
| Organizer Email | aenazeuli@hktaiwan[.]com | Fabricated identity |
| Phone Number | (843) 367-8410 | TOAD callback vector |
| Phone Number | (828) 620-5541 | TOAD callback vector |
| Impersonated Brand | Bitdefender LLC | Fabricated product "SecureCore Ultimate" |
| Delivery IP | 209[.]85[.]220[.]69 | Google Calendar mail server |
| Payment Claim | $316.66 USD | Urgency lure |

| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing via Service | T1566.003 | Google Calendar used as delivery platform |
| Masquerading: Match Legitimate Name or Location | T1036.005 | Bitdefender brand impersonation in calendar DESCRIPTION |
| User Execution: Malicious Link | T1204.001 | Recipient must call the phone number to advance the attack |

| Attack | What happened |
|---|---|
| McAfee Invoice Scam Weaponized a Google Calendar Invite 71 Minutes After Domain Registration | A same-day registered domain abused Google Calendar invites to deliver a McAfee/Webroot invoice scam with a callback phone number. |
| The Geek Squad Invoice With a Hidden Executable in the Image | A callback phishing attack delivered a fake Geek Squad invoice as an image with MZ/PE executable bytes embedded in the JPEG. |
| The Fake Invoice That Wasn't Even the Right File Type | A callback phishing attack used a PNG image disguised as a JPEG to deliver a fake Geek Squad invoice. |
| The Geek Squad Invoice That Forgot Which Brand It Was Pretending to Be | A callback phishing attack delivered entirely as an image attachment, with no subject line, no links, and no scannable text. |
| The Law Firm Document That Linked to a Cleaning Company | A fully authenticated email from a UAE law firm domain delivered a document-signing lure where the CTA button linked to a US cleaning company's subdomain. |