The Webinar Invite That Came With an Apple Wallet Pass and a Three-Hop Redirect Chain

TL;DR A phishing email disguised as a Google Calendar webinar invitation passed SPF, DKIM, and DMARC via legitimate Google infrastructure. The message included an .ics calendar file and a .pkpass Apple Wallet attachment, both structurally clean but functioning as delivery vehicles for external links. The DESCRIPTION and LOCATION fields in the .ics contained a short link that redirected through a custom domain to a landing page, while repeated Google URL wrappers pointed to an unusual domain with suspicious reputation. The sender was flagged as high risk and first-time. Multiple mailboxes were quarantined. Themis flagged the message on behavioral signals including the redirect chains, unusual unsubscribe target, and formatting corruption.
Severity: High
Categories: Credential Harvesting, Social Engineering
MITRE ATT&CK: T1566.001 (Phishing: Spearphishing Attachment); T1204.001 (User Execution: Malicious Link); T1036.005 (Masquerading: Match Legitimate Name or Location)

The invitation looked like any other webinar signup: "Double Your Appointments" with a date, time, and RSVP buttons. It arrived through Google Calendar infrastructure. SPF passed. DKIM passed (both google.com and the sender's custom domain). DMARC passed. Composite authentication confirmed.

The invite carried two attachments and half a dozen links. None of them went where they appeared to.

The Calendar File as a Link Delivery Vehicle

The .ics attachment was structurally clean. No embedded executables, no base64 blobs, no encoded payloads. It was a valid iCalendar file produced by Google Calendar, 9,422 bytes, containing a webinar event for an "AI-Driven System" presentation.

The risk lived in the metadata fields. The DESCRIPTION field contained a short link (ryps[.]us/automate) that redirected through a 301 hop to peakconnector[.]com/webinar-3-ai-secrets. The LOCATION field contained the same redirect. Multiple "Remove Me" links used Google URL wrappers (google[.]com/url?q=...) that resolved to removeme-please[.]com, a domain with suspicious reputation in automated checks. The .ics file was not a payload. It was a container for links that scanners would evaluate only at the first hop.
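The inspection described above, written out as an added example (not code from IRONSCALES or from the post): unfold the iCalendar file, pull every URL out of the free-text properties, unwrap google.com/url?q= wrappers to their real target, compare link hosts against the ORGANIZER domain, and walk each redirect chain hop by hop instead of stopping at the first one. The invite text, the .example domains and the redirect table are constructed for this example; the `head` callable is a stand-in for an HTTP HEAD request issued with automatic redirects disabled.

```python
import re
from urllib.parse import urlparse, parse_qs, urljoin

# Constructed sample invite modelled on the structure the post describes.
# Domains are placeholders (*.example), not the indicators from the real message.
SAMPLE_ICS = r"""BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Example Calendar//EN
BEGIN:VEVENT
UID:constructed-event-1@calendar.example
ORGANIZER;CN=Organizer:mailto:organizer@sender.example
SUMMARY:Double Your Appointments
LOCATION:https://short.example/automate
DESCRIPTION:Join the webinar: https://short.example/automate\nRemove Me:
 https://www.google.com/url?q=https://unsub.example/remove&sa=D
END:VEVENT
END:VCALENDAR
"""

# Backslash is excluded so a URL stops at the iCalendar "\n" escape sequence.
URL_RE = re.compile(r'https?://[^\s<>"\'\\]+')
GOOGLE_WRAPPER_HOSTS = {"google.com", "www.google.com"}


def unfold(ics_text):
    """Undo RFC 5545 line folding: a line starting with space or tab continues the previous one."""
    lines = []
    for raw in ics_text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def unwrap_google_url(url):
    """Return the real target of a google.com/url?q=... wrapper, or the URL unchanged."""
    p = urlparse(url)
    if p.hostname in GOOGLE_WRAPPER_HOSTS and p.path == "/url":
        inner = parse_qs(p.query).get("q")
        if inner:
            return inner[0]
    return url


def extract_links(ics_text, fields=("DESCRIPTION", "LOCATION", "URL", "X-ALT-DESC")):
    """Collect every URL found in the free-text properties where this invite carried its links."""
    findings = []
    for line in unfold(ics_text):
        name, _, value = line.partition(":")
        prop = name.split(";")[0].upper()  # drop parameters such as ;CN=... (simplified parsing)
        if prop not in fields:
            continue
        for url in URL_RE.findall(value):
            target = unwrap_google_url(url)
            findings.append({"field": prop, "url": url, "target": target,
                             "host": urlparse(target).hostname, "wrapped": target != url})
    return findings


def organizer_domain(ics_text):
    """Domain part of the ORGANIZER mailto address, or None if absent."""
    for line in unfold(ics_text):
        if line.upper().startswith("ORGANIZER"):
            addr = line.partition(":")[2].lower().replace("mailto:", "")
            return addr.rpartition("@")[2]
    return None


def resolve_chain(url, head, max_hops=5):
    """Follow redirects one hop at a time. head(url) returns (status, Location header or None);
    in production wire it to an HTTP HEAD with automatic redirect following turned off."""
    chain = [url]
    for _ in range(max_hops):
        status, location = head(chain[-1])
        if status in (301, 302, 303, 307, 308) and location:
            chain.append(urljoin(chain[-1], location))
        else:
            return chain
    chain.append("<max hops exceeded>")
    return chain


# Constructed redirect table standing in for live HEAD requests.
FAKE_REDIRECTS = {
    "https://short.example/automate": (301, "https://landing.example/webinar"),
    "https://landing.example/webinar": (200, None),
    "https://unsub.example/remove": (200, None),
}


def fake_head(url):
    return FAKE_REDIRECTS.get(url, (404, None))


def off_organizer(host, org):
    """True when the link host is not the organizer's domain or a subdomain of it."""
    return not org or not (host == org or host.endswith("." + org))


def triage(ics_text, head=fake_head):
    """Map each host the invite points at (outside the organizer's domain) to its full redirect chain."""
    org = organizer_domain(ics_text)
    chains = {}
    for f in extract_links(ics_text):
        if f["host"] and off_organizer(f["host"], org):
            chains.setdefault(f["host"], resolve_chain(f["target"], head))
    return chains


if __name__ == "__main__":
    for host, chain in triage(SAMPLE_ICS).items():
        print(host, "->", " -> ".join(chain))
```

The point of `resolve_chain` is the one the post makes: a scanner that evaluates only the first hop sees a short-link domain, while the landing page only appears at the end of the chain. Keeping `max_hops` small bounds what a hostile redirect loop can cost the scanner.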

The Apple Wallet Pass

The message also included a .pkpass file, a standard Apple Wallet pass containing images, a pass definition, and a webServiceURL endpoint pointing to api.lu[.]ma with an embedded authentication token. Adding this pass to a Wallet app would trigger HTTP requests to the specified endpoint, enabling server-side tracking and potentially session-based redirection.

The .pkpass format is rarely inspected by email security tools. It is not an executable. It is not a macro-enabled document. It is a ZIP archive containing JSON and images that interacts with device APIs after installation, placing its risk surface outside the email scanning boundary.
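Because the pass is just a ZIP of JSON and images, it can be inspected statically before it ever reaches a device. The following is an added example (not IRONSCALES code or anything from the post): it builds a constructed .pkpass in memory with the same structure the post describes, then reports the webServiceURL host, whether an authenticationToken is present, every URL anywhere in pass.json (including barcode payloads), whether a `signature` member exists, and whether each file still matches the SHA-1 digest recorded in manifest.json. All identifiers, tokens and domains in the sample are made up; the image members are placeholder bytes, not real PNGs.

```python
import hashlib
import io
import json
import re
import zipfile
from urllib.parse import urlparse

URL_RE = re.compile(r'https?://[^\s<>"\'\\]+')


def build_sample_pkpass():
    """Constructed .pkpass: pass.json with a webServiceURL and token, two placeholder
    images, a manifest, and no signature file. Every value here is made up."""
    pass_json = {
        "formatVersion": 1,
        "passTypeIdentifier": "pass.example.webinar",
        "teamIdentifier": "EXAMPLE123",
        "serialNumber": "constructed-0001",
        "organizationName": "Example Events",
        "description": "Webinar ticket",
        "webServiceURL": "https://api.tracker.example/v1/",
        "authenticationToken": "constructed-token-0123456789abcdef",
        "barcodes": [{"format": "PKBarcodeFormatQR", "messageEncoding": "iso-8859-1",
                      "message": "https://short.example/automate"}],
        "eventTicket": {"primaryFields": [{"key": "event", "label": "EVENT",
                                            "value": "Double Your Appointments"}]},
    }
    files = {
        "pass.json": json.dumps(pass_json).encode(),
        "icon.png": b"\x89PNG\r\n\x1a\n placeholder",
        "logo.png": b"\x89PNG\r\n\x1a\n placeholder",
    }
    # Apple's manifest.json maps each member name to its SHA-1 hex digest.
    manifest = {name: hashlib.sha1(data).hexdigest() for name, data in files.items()}
    files["manifest.json"] = json.dumps(manifest).encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def walk_strings(obj, path="$"):
    """Yield (json-path, string) for every string value in a parsed JSON document."""
    if isinstance(obj, str):
        yield path, obj
    elif isinstance(obj, dict):
        for key, value in obj.items():
            yield from walk_strings(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from walk_strings(value, f"{path}[{i}]")


def inspect_pkpass(blob):
    """Static report on a .pkpass blob: members, signature presence, web service host,
    auth token presence, every URL in pass.json, and manifest/file digest mismatches."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = zf.namelist()
        members = {name: zf.read(name) for name in names}
    pass_data = json.loads(members["pass.json"])
    manifest = json.loads(members["manifest.json"]) if "manifest.json" in members else {}
    urls = [(path, url) for path, text in walk_strings(pass_data) for url in URL_RE.findall(text)]
    web_service = pass_data.get("webServiceURL")
    # A member whose digest differs from the manifest was altered after the manifest was written.
    mismatches = [name for name in names if name not in ("manifest.json", "signature")
                  and manifest.get(name) != hashlib.sha1(members[name]).hexdigest()]
    return {
        "files": sorted(names),
        "has_signature": "signature" in names,
        "web_service_host": urlparse(web_service).hostname if web_service else None,
        "has_auth_token": "authenticationToken" in pass_data,
        "urls": urls,
        "external_hosts": sorted({urlparse(url).hostname for _, url in urls}),
        "manifest_mismatch": mismatches,
    }


if __name__ == "__main__":
    print(json.dumps(inspect_pkpass(build_sample_pkpass()), indent=2))
```

The `external_hosts` list is what a mail-security pipeline would feed into the same reputation and redirect-chain checks applied to links in the message body; the webServiceURL and token are the part of the pass that produces network traffic once it is added to Wallet, which is why they are reported separately.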

The Formatting That Gave It Away

The HTML body contained character-level bold wrapping and corrupted formatting artifacts consistent with automated mass-mail conversion. The organizer address (alyssa@reachyourpeakresources[.]com) did not match the recipient context, and the short-link domain (ryps[.]us) had no DMARC enforcement and no DNSSEC. These were not definitive signals individually, but Themis, the IRONSCALES Adaptive AI engine, combined them with the redirect chains, suspicious unsubscribe target, and first-time sender behavior to flag the message. Multiple mailboxes were quarantined.


Indicators of Compromise

Type | Indicator | Context
Organizer | alyssa@reachyourpeakresources[.]com | Calendar invite organizer, first-time sender
Short Link Domain | ryps[.]us | No DMARC enforcement, owned by Reach Your Peak LLC
Redirect Landing | peakconnector[.]com/webinar-3-ai-secrets | Final destination after 301 redirect from short link
Suspicious Domain | removeme-please[.]com | Repeated unsubscribe target via Google URL wrappers
Wallet Endpoint | api.lu[.]ma (with auth token) | webServiceURL in .pkpass, enables tracking
ICS File | invite.ics (9,422 bytes) | Structurally clean, contains redirect links in metadata
Attachment | .pkpass (Apple Wallet) | Contains embedded webServiceURL and tracking tokens

MITRE ATT&CK Mapping

Technique | ID | Relevance
Phishing: Spearphishing Attachment | T1566.001 | .ics and .pkpass as link delivery vehicles
User Execution: Malicious Link | T1204.001 | Redirect chains obscuring landing page destination
Masquerading: Match Legitimate Name or Location | T1036.005 | Google Calendar branding and legitimate RSVP interface

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.

