A Google Calendar invite landed in a municipal government employee's inbox. The organizer was "Andressa Wojtek" at infodeliv[.]com. The subject referenced a membership confirmation. The DESCRIPTION inside the .ics demanded $479.33 within 24 hours for a product called "SecureWave Pro" under the "Malwarebytes Antivirus" umbrella, and provided two phone numbers to call if the charge needed to be cancelled.
There were no malicious links. No exploits. No credential page. The entire weapon was the phone number.
Why Google Calendar Makes a Reliable Delivery Rail for Billing Fraud
Calendar invites sent through Google's infrastructure arrive with authentication that many gateways treat favorably. In this case, the message carried DKIM signatures from both google.com and infodeliv-com.20251104.gappssmtp.com, and the compauth result was pass. The sending IP resolved to mail-oo1-xc47.google.com, a legitimate Google mail server.
SPF had no record for infodeliv[.]com. The domain had no A records, no MX records, and DNSSEC was unsigned. WHOIS showed it was registered the same day the invite was sent, through Hosting Concepts B.V. with registrant privacy enabled. None of that was visible to a gateway examining the DKIM result and the Google relay path.
The .ics file itself was 2,499 bytes. Static analysis returned a clean verdict: no embedded executables, no JavaScript, no external HTTP links, no form fields. The only content outside the DESCRIPTION was standard calendar fields: ATTENDEE, ORGANIZER, DTSTART, DTEND. By every automated measure available at the email layer, this was a routine calendar notification from Google infrastructure.
MITRE ATT&CK T1566.001 covers spearphishing with attachments. The .ics file functions exactly as a weaponized attachment here: it is the delivery vehicle for the fraudulent billing content. T1656 (impersonation) applies to the Malwarebytes brand claim. The fabricated product name ("SecureWave Pro"), fake account lead ("Jessica Rolan"), and physical address embedded in the invite are identity construction elements typical of social engineering operations designed to create enough institutional texture to survive a quick visual check.
The Authorization Passkey as a Pressure Mechanism
The DESCRIPTION field included what the invite called an "Authorization Passkey," a UUID-style value presented as a required input when calling to cancel the charge. This is a standard pressure mechanic in callback phishing operations: the passkey creates the illusion of an already-processed transaction that needs active reversal, raising the psychological stakes for the victim.
The $479.33 figure sits in the range most commonly used in Geek Squad and antivirus renewal scams, high enough to prompt urgency but below the threshold where many recipients would escalate to a manager before calling. The 24-hour window reinforces that urgency.
Once a victim calls either of the embedded numbers (843-367-8410 or 856-493-2375), a live operator takes over. From that point, the attack relies entirely on verbal social engineering: confirming the charge is a mistake, requesting remote access to "process the refund," or directing the victim to a payment portal. There is no technical payload to detonate. The email's only job is to generate the call.
What Zero Infrastructure Tells You About the Threat Model
The absence of DNS infrastructure for infodeliv[.]com is not a gap in the attacker's setup. It is deliberate. A callback phishing campaign built around a phone number does not need a web server, a credential page, or even an MX record. The domain exists solely to create a sender address that passes the basic appearance check. Once the invite is delivered, the domain has served its purpose.
This is why domain-age and infrastructure-completeness signals matter as much as link-reputation checks. A domain registered the same day as a billing communication with no A/MX/SPF records is not a misconfigured legitimate sender. It is a disposable asset.
Invoice fraud delivered through calendar channels is an evolution of a well-documented playbook. Traditional invoice phishing required a convincing PDF or a link to a fake payment portal. Calendar-based variants replace both with a DESCRIPTION field that Gmail, Outlook, and mobile calendar apps render natively, with no attachment warning banner and no link-hover URL inspection. The visual context (a calendar event, a meeting time, an organizer name) primes recipients to engage rather than scrutinize.
IRONSCALES flagged the combination of a same-day-registered organizer domain with no infrastructure, urgent billing language in the DESCRIPTION, Malwarebytes brand impersonation inconsistent with the sender domain, and two phone numbers as the sole call-to-action. The .ics content is the payload. Parsing calendar DESCRIPTION fields for social engineering signals (financial demands, brand impersonation, urgency language, embedded phone numbers) is required to catch this category of attack before it generates a callback.
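The signal combination described above, as an added worked example (not IRONSCALES' detection code): it unfolds an .ics, extracts the DESCRIPTION and ORGANIZER, and scores the financial, urgency, passkey, phone and brand-mismatch signals together with the organizer domain's infrastructure. The .ics text is constructed from the indicators on this page, the brand-to-domain map is an assumed analyst-maintained list, and DNS/WHOIS facts are passed in by the caller so the check runs offline.

```python
import re

# Constructed .ics modelled on the invite the article describes; the domain,
# product name and phone numbers are the page's own indicators.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\n"
    "ORGANIZER;CN=Andressa Wojtek:mailto:andressawojtek@infodeliv.com\r\n"
    "DTSTART:20251104T150000Z\r\nDTEND:20251104T153000Z\r\n"
    "DESCRIPTION:Malwarebytes Antivirus - SecureWave Pro membership confirmed. \r\n"
    " Amount charged: $479.33. Authorization Passkey: 9b1c2d3e-4f50-4a6b-8c7d-0e1f2a3b4c5d. \r\n"
    " To cancel within 24 hours call 843-367-8410 or 856-493-2375.\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)
# Assumed analyst-maintained map: brand keyword -> domain allowed to use that brand.
BRAND_DOMAINS = {"malwarebytes": "malwarebytes.com"}
URGENCY = ("within 24 hours", "immediately", "cancel", "refund", "charged")

def ics_fields(raw):
    """Unfold RFC 5545 continuation lines (CRLF + space/tab) and return {NAME: value}."""
    unfolded = re.sub(r"\r?\n[ \t]", "", raw)
    fields = {}
    for line in unfolded.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            fields[name.split(";")[0].upper()] = value   # drop params such as ;CN=
    return fields

def score_invite(raw, dns_facts):
    """Score DESCRIPTION social-engineering signals plus organizer-domain infrastructure.
    dns_facts = {"registered_days_ago", "a", "mx", "spf"} is supplied by the caller."""
    f = ics_fields(raw)
    desc = f.get("DESCRIPTION", "")
    low = desc.lower()
    sender_domain = f.get("ORGANIZER", "").rsplit("@", 1)[-1].lower()
    findings = {
        "amounts": re.findall(r"\$\d[\d,]*(?:\.\d{2})?", desc),
        "phones": re.findall(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b", desc),
        "passkeys": re.findall(r"\b[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\b", low),
        "urgency": [w for w in URGENCY if w in low],
        "brand_mismatch": [b for b, d in BRAND_DOMAINS.items() if b in low and sender_domain != d],
        # Same-day registration with no A/MX/SPF is the "disposable asset" pattern.
        "disposable_domain": (dns_facts["registered_days_ago"] <= 1
                              and not dns_facts["a"] and not dns_facts["mx"]
                              and dns_facts["spf"] is None),
    }
    findings["score"] = sum(bool(v) for v in findings.values())
    findings["verdict"] = "callback-phishing" if findings["score"] >= 4 else "review"
    return findings
```

The phone numbers alone are not the tell; the verdict comes from billing language, a callback number as the only call-to-action, and an organizer domain with no infrastructure appearing together.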
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Sender domain | infodeliv[.]com | Registered same day as invite; no A/MX/SPF/DNSSEC records; registrant privacy via Hosting Concepts B.V. |
| Sender address | andressawojtek[@]infodeliv[.]com | Organizer of fraudulent Google Calendar event; DKIM signed via gappssmtp |
| Phone number | 843-367-8410 | Attacker callback number embedded in .ics DESCRIPTION |
| Phone number | 856-493-2375 | Attacker callback number embedded in .ics DESCRIPTION |
| Physical address | 655 Marie Antoinette St Apt 466, Monroe LA 71202 US | Fabricated address in invite DESCRIPTION for false legitimacy |
| Attachment | invite.ics (2499 bytes) | Google Calendar invite; DESCRIPTION contains billing fraud content; no embedded malware |
| Brand impersonated | Malwarebytes | "Malwarebytes Antivirus" / "MalwareBytes Standard DATABASE INDEX" referenced in DESCRIPTION |
| Fabricated product | SecureWave Pro | Fake product name used to anchor the $479.33 charge |