The invitation looked like any other webinar signup: "Double Your Appointments" with a date, time, and RSVP buttons. It arrived through Google Calendar infrastructure. SPF passed. DKIM passed (both google.com and the sender's custom domain). DMARC passed. Composite authentication confirmed.
The invite carried two attachments and half a dozen links. None of them went where they appeared to.
The .ics attachment was structurally clean. No embedded executables, no base64 blobs, no encoded payloads. It was a valid iCalendar file produced by Google Calendar, 9,422 bytes, containing a webinar event for an "AI-Driven System" presentation.
The risk lived in the metadata fields. The DESCRIPTION field contained a short link (ryps[.]us/automate) that redirected through a 301 hop to peakconnector[.]com/webinar-3-ai-secrets. The LOCATION field contained the same redirect. Multiple "Remove Me" links used Google URL wrappers (google[.]com/url?q=...) that resolved to removeme-please[.]com, a domain with suspicious reputation in automated checks. The .ics file was not a payload. It was a container for links that scanners would evaluate only at the first hop.
The message also included a .pkpass file, a standard Apple Wallet pass containing images, a pass definition, and a webServiceURL endpoint pointing to api.lu[.]ma with an embedded authentication token. Adding this pass to a Wallet app would trigger HTTP requests to the specified endpoint, enabling server-side tracking and potentially session-based redirection.
The .pkpass format is rarely inspected by email security tools. It is not an executable. It is not a macro-enabled document. It is a ZIP archive containing JSON and images that interacts with device APIs after installation, placing its risk surface outside the email scanning boundary.
The HTML body contained character-level bold wrapping and corrupted formatting artifacts consistent with automated mass-mail conversion. The organizer address (alyssa@reachyourpeakresources[.]com) did not match the recipient context, and the short-link domain (ryps[.]us) had no DMARC enforcement and no DNSSEC. These were not definitive signals individually, but Themis, the IRONSCALES Adaptive AI engine, combined them with the redirect chains, suspicious unsubscribe target, and first-time sender behavior to flag the message. Multiple mailboxes were quarantined.
See Your Risk: Calculate how many threats your SEG is missing
| Type | Indicator | Context |
|---|---|---|
| Organizer | alyssa@reachyourpeakresources[.]com | Calendar invite organizer, first-time sender |
| Short Link Domain | ryps[.]us | No DMARC enforcement, owned by Reach Your Peak LLC |
| Redirect Landing | peakconnector[.]com/webinar-3-ai-secrets | Final destination after 301 redirect from short link |
| Suspicious Domain | removeme-please[.]com | Repeated unsubscribe target via Google URL wrappers |
| Wallet Endpoint | api.lu[.]ma (with auth token) | webServiceURL in .pkpass, enables tracking |
| ICS File | invite.ics (9,422 bytes) | Structurally clean, contains redirect links in metadata |
| Attachment | .pkpass (Apple Wallet) | Contains embedded webServiceURL and tracking tokens |
| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Attachment | T1566.001 | .ics and .pkpass as link delivery vehicles |
| User Execution: Malicious Link | T1204.001 | Redirect chains obscuring landing page destination |
| Masquerading: Match Legitimate Name or Location | T1036.005 | Google Calendar branding and legitimate RSVP interface |