The invitation looked like any other webinar signup: "Double Your Appointments" with a date, time, and RSVP buttons. It arrived through Google Calendar infrastructure. SPF passed. DKIM passed (both google.com and the sender's custom domain). DMARC passed. Composite authentication confirmed.
The invite carried two attachments and half a dozen links. None of them went where they appeared to.
The Calendar File as a Link Delivery Vehicle
The .ics attachment was structurally clean. No embedded executables, no base64 blobs, no encoded payloads. It was a valid iCalendar file produced by Google Calendar, 9,422 bytes, containing a webinar event for an "AI-Driven System" presentation.
The risk lived in the metadata fields. The DESCRIPTION field contained a short link (ryps[.]us/automate) that redirected through a 301 hop to peakconnector[.]com/webinar-3-ai-secrets. The LOCATION field contained the same redirect. Multiple "Remove Me" links used Google URL wrappers (google[.]com/url?q=...) that resolved to removeme-please[.]com, a domain with suspicious reputation in automated checks. The .ics file was not a payload. It was a container for links that scanners would evaluate only at the first hop.
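The extraction step that a first-hop scanner skips, as an added example (not IRONSCALES code): unfold the iCalendar text, pull URLs out of the link-bearing properties, unwrap Google URL redirectors, and follow the redirect chain to its end. The .ics text and the redirect table below are constructed to mirror the structure described above; in a sandbox the table would be populated by HEAD requests rather than hard-coded.

```python
"""Find and resolve links hidden in .ics metadata fields (added example)."""
import re
from urllib.parse import parse_qs, urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>\\,;]+")
LINK_FIELDS = ("DESCRIPTION", "LOCATION", "URL", "ATTACH", "X-ALT-DESC")

# Constructed stand-in for live redirect resolution: short link -> (status, target).
REDIRECTS = {
    "https://ryps.us/automate": (301, "https://peakconnector.com/webinar-3-ai-secrets"),
}

# Constructed sample invite: one folded DESCRIPTION line (note the leading space
# on the continuation), a Google-wrapped unsubscribe link, and a LOCATION URL.
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR",
    "VERSION:2.0",
    "PRODID:-//Google Inc//Google Calendar 70.9054//EN",
    "BEGIN:VEVENT",
    "UID:example-uid@google.com",
    "SUMMARY:Double Your Appointments",
    "DESCRIPTION:Join the webinar: https://ryps.us/automate\\n\\nTo stop receiv",
    " ing these: https://www.google.com/url?q=https%3A%2F%2Fremoveme-please.com"
    "%2Fu%2F123&sa=D",
    "LOCATION:https://ryps.us/automate",
    "ORGANIZER;CN=Alyssa:mailto:alyssa@reachyourpeakresources.com",
    "END:VEVENT",
    "END:VCALENDAR",
])


def unfold(ics_text):
    """RFC 5545 unfolding: a CRLF followed by a space or tab continues the previous line."""
    return re.sub(r"\r?\n[ \t]", "", ics_text)


def unwrap_google(url):
    """Return the real target of a google.com/url?q=... wrapper, else the URL unchanged."""
    p = urlparse(url)
    if p.hostname in ("google.com", "www.google.com") and p.path == "/url":
        q = parse_qs(p.query).get("q")
        if q:
            return q[0]
    return url


def resolve_chain(url, redirects, max_hops=5):
    """Follow the redirect table and return every hop; stops on loops or the hop limit."""
    chain = [url]
    while len(chain) <= max_hops and chain[-1] in redirects:
        _, nxt = redirects[chain[-1]]
        if nxt in chain:  # redirect loop
            break
        chain.append(nxt)
    return chain


def extract_links(ics_text):
    """Return (property, url) pairs for every URL found in link-bearing properties."""
    found = []
    for line in unfold(ics_text).splitlines():
        name, _, value = line.partition(":")
        prop = name.split(";", 1)[0].upper()   # drop parameters such as ;CN=...
        if prop in LINK_FIELDS:
            for url in URL_RE.findall(value):
                found.append((prop, url))
    return found


def analyze(ics_text, redirects=REDIRECTS):
    """Resolve each extracted link to its final destination."""
    report = []
    for prop, url in extract_links(ics_text):
        unwrapped = unwrap_google(url)
        chain = resolve_chain(unwrapped, redirects)
        report.append({
            "field": prop,
            "seen": url,
            "wrapped": unwrapped != url,
            "hops": len(chain) - 1,
            "final": chain[-1],
            "final_host": urlparse(chain[-1]).hostname,
        })
    return report


if __name__ == "__main__":
    for r in analyze(SAMPLE_ICS):
        print(f"{r['field']:<12} {urlparse(r['seen']).hostname:<18} -> {r['final_host']}"
              f" (wrapped={r['wrapped']}, hops={r['hops']})")
```

The point of the report is the `final_host` column: a scanner that records only `ryps.us` and `www.google.com` has classified the wrapper, not the destination.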
The Apple Wallet Pass
The message also included a .pkpass file, a standard Apple Wallet pass containing images, a pass definition (pass.json), and a webServiceURL endpoint pointing to api.lu[.]ma with an embedded authenticationToken. Adding the pass to Wallet causes the device to register with that endpoint and present the token, which tells the operator which recipient installed it and lets them push updated pass content later; the analysis also flagged potential session-based redirection from that channel.
The .pkpass format is rarely inspected by email security tools. It is not an executable and not a macro-enabled document. It is a ZIP archive of JSON, images and a signature whose network behaviour only begins after installation, which places its risk surface outside the email scanning boundary.
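What static inspection of a pass looks like before anyone installs it, as an added example (not IRONSCALES code): open the ZIP, check the bundle layout, verify the SHA-1 manifest, and surface the network-facing fields in pass.json. The pass is constructed in memory with placeholder endpoint and token values so the script runs offline; the real sample's endpoint and token are not reproduced.

```python
"""Static inspection of an Apple Wallet .pkpass bundle (added example)."""
import hashlib
import io
import json
import zipfile
from urllib.parse import urlparse


def build_sample_pkpass():
    """Construct a minimal pass bundle shaped like the one described (placeholder values)."""
    pass_json = {
        "formatVersion": 1,
        "passTypeIdentifier": "pass.example.webinar",
        "serialNumber": "EXAMPLE-0001",
        "teamIdentifier": "EXAMPLE00",
        "organizationName": "Example Webinar",
        "description": "Webinar ticket",
        "webServiceURL": "https://api.example.invalid/wallet",   # placeholder endpoint
        "authenticationToken": "placeholder-token-0123456789abcdef",  # placeholder token
        "eventTicket": {"primaryFields": [
            {"key": "event", "label": "EVENT", "value": "Double Your Appointments"}]},
    }
    files = {
        "pass.json": json.dumps(pass_json).encode(),
        "icon.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,  # constructed bytes, not a real image
    }
    # manifest.json maps every file to its SHA-1; the signature (PKCS#7) covers the manifest.
    files["manifest.json"] = json.dumps(
        {n: hashlib.sha1(d).hexdigest() for n, d in files.items()}).encode()
    files["signature"] = b""  # left empty here; a real pass carries a detached signature
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def inspect_pkpass(blob):
    """Report on a pass without installing it: members, manifest integrity, callbacks."""
    findings = {"members": [], "web_service": None, "token_present": False,
                "manifest_ok": None, "issues": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        findings["members"] = sorted(zf.namelist())
        for n in findings["members"]:  # zip-slip style paths have no place in a pass
            if n.startswith("/") or ".." in n.split("/"):
                findings["issues"].append(f"unsafe path in bundle: {n}")
        try:
            pass_def = json.loads(zf.read("pass.json"))
        except KeyError:
            findings["issues"].append("pass.json missing")
            return findings
        url = pass_def.get("webServiceURL")
        if url:
            findings["web_service"] = urlparse(url).hostname
            findings["issues"].append(
                f"pass registers with {findings['web_service']} on install")
        if pass_def.get("authenticationToken"):
            findings["token_present"] = True
            findings["issues"].append(
                "authenticationToken present: installs are attributable per recipient")
        try:
            manifest = json.loads(zf.read("manifest.json"))
            findings["manifest_ok"] = all(
                hashlib.sha1(zf.read(n)).hexdigest() == h for n, h in manifest.items())
        except KeyError:
            findings["manifest_ok"] = False
    return findings


if __name__ == "__main__":
    for issue in inspect_pkpass(build_sample_pkpass())["issues"]:
        print("-", issue)
```

A pass with a webServiceURL is not malicious by itself; every ticketing platform uses one. The inspection exists so the callback host and the presence of a per-recipient token are visible at scan time rather than discovered after installation.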
The Formatting That Gave It Away
The HTML body contained character-level bold wrapping and corrupted formatting artifacts consistent with automated mass-mail conversion. The organizer address (alyssa@reachyourpeakresources[.]com) did not match the recipient context, and the short-link domain (ryps[.]us) had no DMARC enforcement and no DNSSEC. None of these signals was definitive on its own, but Themis, the IRONSCALES Adaptive AI engine, combined them with the redirect chains, the suspicious unsubscribe target, and first-time sender behavior to flag the message. It was quarantined from multiple mailboxes.
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Organizer | alyssa@reachyourpeakresources[.]com | Calendar invite organizer, first-time sender |
| Short Link Domain | ryps[.]us | No DMARC enforcement, owned by Reach Your Peak LLC |
| Redirect Landing | peakconnector[.]com/webinar-3-ai-secrets | Final destination after 301 redirect from short link |
| Suspicious Domain | removeme-please[.]com | Repeated unsubscribe target via Google URL wrappers |
| Wallet Endpoint | api.lu[.]ma (with auth token) | webServiceURL in .pkpass, enables tracking |
| ICS File | invite.ics (9,422 bytes) | Structurally clean, contains redirect links in metadata |
| Attachment | .pkpass (Apple Wallet) | Contains embedded webServiceURL and tracking tokens |
MITRE ATT&CK Mapping
| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Attachment | T1566.001 | .ics and .pkpass as link delivery vehicles |
| User Execution: Malicious Link | T1204.001 | Redirect chains obscuring landing page destination |
| Masquerading: Match Legitimate Name or Location | T1036.005 | Google Calendar branding and legitimate RSVP interface |