McAfee Invoice Scam Weaponized a Google Calendar Invite 71 Minutes After Domain Registration

TL;DR: Attackers registered cytrust[.]org via Cloudflare, spun up Google Workspace, and launched a callback phishing campaign disguised as a McAfee invoice renewal within 71 minutes. The email arrived as a Google Calendar invite with a valid DKIM signature from google.com, hitting four mailboxes at a K-12 school district with a Flint, MI callback number instead of any malicious link. Brand confusion between McAfee and Webroot in the same message confirms templated fraud at scale.

Severity: High
Tags: Brand Impersonation, Callback Phishing
MITRE ATT&CK: T1566.004 (Phishing: Spearphishing Voice), T1583.001 (Acquire Infrastructure: Domains)

71 Minutes From Domain Registration to Inbox

At 12:10 UTC on May 7, 2026, someone registered cytrust[.]org through Cloudflare. At 13:21 UTC, a Google Calendar invitation titled "Your Invoice Is Ready" landed in the mailboxes of staff at a K-12 school district. The total elapsed time from domain creation to live phishing campaign: 71 minutes.

The email claimed a McAfee subscription had been renewed for $423.99. But the listed service was "Webroot deluxe." Two competing antivirus brands in the same invoice. That is not a typo. It is the fingerprint of a templated phishing kit, swapping vendor names at scale without anyone bothering to proofread.

There were no links to click and no attachments to open. The only call to action was a phone number: +1 (810) 353-2770. This is textbook callback phishing, classified by MITRE ATT&CK as Phishing: Spearphishing Voice (T1566.004).

The Google Calendar Delivery Mechanism

The attacker did not send a standard email. They weaponized Google Calendar.

After registering cytrust[.]org, they provisioned a Google Workspace account, which gave them the ability to send calendar invitations through Google's own infrastructure. The email headers confirm this: the Sender field reads calendar-notification@google.com, while the From field shows the attacker's identity, jerry.rogersfdun@cytrust[.]org.

This distinction matters. Because the message originated from Google's mail servers (209[.]85[.]220[.]73, resolving to mail-sor-f73.google.com), it carried a valid DKIM signature from google.com. Many secure email gateways treat DKIM-passing Google traffic as inherently trustworthy. The attacker leveraged that trust to bypass filters that would have flagged a direct send from an unknown domain.
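The Sender/From split and the DKIM pass described above are both visible in the headers, and both can be checked mechanically. The following is an added example (not IRONSCALES code) that parses a constructed header block built from the values quoted in this write-up, refanged: the From address, the calendar-notification@google.com Sender, and the Workspace DKIM signing domain from the IOC table. The DKIM-Signature and Authentication-Results lines are assumed in shape (selector, hashes and the receiving host are placeholders); only the d= value and the spf=none result come from the write-up. The organizational-domain helper is a two-label approximation rather than a Public Suffix List lookup.

```python
"""Header-level checks for mail relayed through a third-party sender.

Added example, not IRONSCALES code. SAMPLE_HEADERS is constructed from the
values quoted in the write-up (refanged); DKIM-Signature and
Authentication-Results are assumed in shape, with placeholders where the
write-up gives no value.
"""
from email import message_from_string
from email.utils import parseaddr

SAMPLE_HEADERS = (
    "From: Jerry Rogers <jerry.rogersfdun@cytrust.org>\n"
    "Sender: calendar-notification@google.com\n"
    "Subject: Your Invoice Is Ready\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=cytrust-org.20251104.gappssmtp.com;"
    " s=PLACEHOLDER_SELECTOR; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "Authentication-Results: mx.example.net; dkim=pass"
    " header.d=cytrust-org.20251104.gappssmtp.com; spf=none\n"
    "\n"
)


def domain_of(addr_header):
    """Return the lower-cased domain part of an address header value."""
    _, email_addr = parseaddr(addr_header)
    return email_addr.rpartition("@")[2].lower()


def org_domain(domain):
    """Two-label approximation of the organizational domain (real DMARC
    evaluators consult the Public Suffix List)."""
    return ".".join(domain.split(".")[-2:])


def dkim_signing_domain(msg):
    """Extract the d= tag from the first DKIM-Signature header."""
    for tag in msg.get("DKIM-Signature", "").split(";"):
        key, _, value = tag.strip().partition("=")
        if key.strip() == "d":
            return value.strip().lower()
    return ""


def analyze(raw_headers):
    """Flag third-party relay, DKIM that passes but does not align with
    the From domain, and an SPF result of none."""
    msg = message_from_string(raw_headers)
    from_domain = domain_of(msg.get("From", ""))
    sender_domain = domain_of(msg.get("Sender", ""))
    dkim_d = dkim_signing_domain(msg)
    auth = msg.get("Authentication-Results", "").lower()
    findings = []
    if sender_domain and sender_domain != from_domain:
        findings.append(
            f"sender-from-mismatch: Sender {sender_domain} relays for From {from_domain}")
    if dkim_d and org_domain(dkim_d) != org_domain(from_domain):
        # A DKIM pass only vouches for the signing domain; it is not evidence
        # about the From domain unless the two align.
        findings.append(f"dkim-unaligned: d={dkim_d} does not align with From {from_domain}")
    if "spf=none" in auth:
        findings.append("spf-none: From domain publishes no SPF record")
    return {"from_domain": from_domain, "sender_domain": sender_domain,
            "dkim_d": dkim_d, "findings": findings}


if __name__ == "__main__":
    for finding in analyze(SAMPLE_HEADERS)["findings"]:
        print(finding)
```

The point of the alignment check is that "DKIM passes" answers a narrower question than most gateway rules assume: it proves Google signed the message for the Workspace tenant, not that cytrust[.]org's owner is who the From line implies.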

The Verizon 2024 Data Breach Investigations Report found that pretexting and social engineering remain the dominant human-element vectors in breaches. This attack layers both: the Google Calendar wrapper provides the pretext of legitimacy, while the invoice content drives the social engineering.

Infrastructure Built to Burn

The attacker's infrastructure was disposable by design, consistent with MITRE T1583.001 (Acquire Infrastructure: Domains).

WHOIS records for cytrust[.]org show:

  • Created: 2026-05-07 at 12:10:04 UTC
  • Registrar: Cloudflare, Inc.
  • DNSSEC: Unsigned
  • Registrant details: Fully redacted

DNS tells the rest of the story. No A record. No MX record. No SPF record. No DMARC record. The only TXT entry was a google-site-verification token, the minimum required to provision Google Workspace. The attacker built exactly enough DNS infrastructure to relay mail through Google and nothing more.

The IRONSCALES platform flagged cytrust[.]org as a newly registered domain on arrival. Combined with the absence of any email authentication records (SPF returned none), the domain-age signal alone placed this message in a high-risk category before content analysis even began.

The Microsoft Digital Defense Report 2024 highlights newly registered domains as a persistent indicator of phishing infrastructure, with attackers routinely burning domains within days of registration.


Anatomy of the Callback Lure

The email body was designed to trigger an emotional response: an unexpected $423.99 charge for a service the recipient never ordered.

Key elements of the lure:

  • Subject: "Your Invoice Is Ready"
  • Claim: "Your McAfee subscription has been processed for renewal"
  • Service listed: "Webroot deluxe" (a different vendor entirely)
  • Amount: $423.99
  • Coverage period: 60 months (an absurdly long subscription term meant to amplify urgency)
  • Phone number: +1 (810) 353-2770

The 810 area code maps to Flint, Michigan. Legitimate SaaS vendors route support through toll-free 800-series numbers, not regional lines. That mismatch is a strong tell, but one that most recipients under stress will not pause to evaluate.

The body also contained 40+ lines of period characters (.) padding the message below the invoice content. This is a deliberate formatting trick. It pushes the Google Calendar metadata (organizer name, event details, guest list) far below the fold, separating the phishing lure from the structural elements that might prompt suspicion.
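The three content tells above (a charge paired with a non-toll-free callback number, two antivirus brands in one invoice, and a run of filler lines) can each be scored without any URL or attachment. The following is an added example, not IRONSCALES detection logic, run over a constructed message body assembled from the strings this write-up quotes, with the period padding reproduced as 45 single-period lines. The toll-free prefix set is the standard NANP list; the brand list and the padding threshold are assumptions.

```python
"""Content checks for a callback-phishing lure where the phone number is the payload.

Added example, not IRONSCALES code. SAMPLE_BODY is constructed from the strings
quoted in the write-up; AV_BRANDS and PADDING_LINE_THRESHOLD are assumptions.
"""
import re

NANP_TOLL_FREE = {"800", "833", "844", "855", "866", "877", "888"}
AV_BRANDS = {"mcafee", "webroot", "norton", "avast", "bitdefender", "kaspersky"}  # assumption
PADDING_LINE_THRESHOLD = 20  # assumption: filler runs this long are not natural text

PHONE_RE = re.compile(r"\+?1?[\s.-]*\(?(\d{3})\)?[\s.-]*(\d{3})[\s.-]*(\d{4})\b")
AMOUNT_RE = re.compile(r"\$\s?\d{1,3}(?:,\d{3})*(?:\.\d{2})?")

SAMPLE_BODY = "\n".join([
    "Your Invoice Is Ready",
    "Your McAfee subscription has been processed for renewal.",
    "Service: Webroot deluxe",
    "Amount: $423.99",
    "Coverage period: 60 months",
    "Invoice ID: 87cd221b41",
    "Questions about this charge? Call +1 (810) 353-2770",
] + ["."] * 45 + [  # constructed stand-in for the 40+ padding lines
    "Organizer: jerry.rogersfdun@cytrust.org",
])


def phone_numbers(text):
    """Return (area_code, normalized_number) for each NANP number found."""
    return [(a, f"{a}-{b}-{c}") for a, b, c in PHONE_RE.findall(text)]


def padding_lines(text):
    """Count non-empty lines made only of period characters."""
    return sum(1 for line in text.splitlines()
               if line.strip() and set(line.strip()) <= {"."})


def brands_mentioned(text):
    lowered = text.lower()
    return {brand for brand in AV_BRANDS if brand in lowered}


def analyze_lure(text):
    phones = phone_numbers(text)
    amounts = AMOUNT_RE.findall(text)
    brands = brands_mentioned(text)
    pad = padding_lines(text)
    findings = []
    regional = [number for area, number in phones if area not in NANP_TOLL_FREE]
    if amounts and regional:
        # A dollar figure plus a geographic (non toll-free) callback number is
        # the core shape of an invoice callback lure.
        findings.append(f"callback-lure: charge {amounts[0]} with non-toll-free number {regional[0]}")
    if len(brands) > 1:
        findings.append("brand-mismatch: " + ", ".join(sorted(brands)))
    if pad >= PADDING_LINE_THRESHOLD:
        findings.append(f"padding: {pad} filler lines push metadata below the fold")
    return {"phones": phones, "amounts": amounts, "brands": brands,
            "padding_lines": pad, "findings": findings}


if __name__ == "__main__":
    for finding in analyze_lure(SAMPLE_BODY)["findings"]:
        print(finding)
```

None of these checks is conclusive on its own; a regional support line or a stray brand name occurs in legitimate mail. Their value is in co-occurrence, which is why the function returns the raw measurements alongside the findings so a downstream scorer can weight them.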

The FBI IC3 2024 Annual Report documents callback phishing as a growing vector in tech support and subscription fraud schemes, with losses accelerating year over year.

Why This Slips Past Traditional Gateways

This attack is engineered for SEG evasion.

There are no malicious URLs to scan. No weaponized attachments to detonate in a sandbox. The payload is a phone number embedded in plain text. URL-based threat detection is completely blind to it.

Authentication checks offer limited help. DKIM passes because Google signed the message. SPF returns none (not fail) because cytrust[.]org simply never published an SPF record. Many gateways treat SPF none as neutral rather than suspicious. DMARC is absent entirely, so there is no policy to enforce.

The IRONSCALES analysis engine evaluated this message across multiple signal layers simultaneously. The newly registered domain triggered an infrastructure-age alert. Content analysis detected the brand inconsistency between McAfee and Webroot. Community intelligence matched the message pattern against similar invoice callback campaigns already reported across the IRONSCALES network. The combined verdict: phishing, 90% confidence, with "Invoice Phishing" classification.

CISA's phishing guidance specifically warns about unsolicited invoices and unexpected renewal notices. This attack checks every box.

Defanged IOC Table

Indicator                               Type                  Notes
cytrust[.]org                           Domain                Registered 2026-05-07, Cloudflare. No SPF/DMARC/MX.
jerry.rogersfdun@cytrust[.]org          Sender                Attacker-controlled Workspace account
+1 (810) 353-2770                       Phone                 Callback lure (Flint, MI area code)
cytrust-org.20251104.gappssmtp[.]com    DKIM signing domain   Google Workspace-issued signing key
209[.]85[.]220[.]73                     Relay IP              Legitimate Google infrastructure (do not block)
87cd221b41                              Fake invoice ID       Social engineering element
dadbdfe4-f7ce-4d6a-8ada-d146206b380f    Fake activation code  Social engineering element

What to Do Right Now

For security teams: Flag emails from domains registered within the past 30 days, especially those missing MX, SPF, and DMARC records. Callback phishing bypasses link and attachment scanning entirely. If your detection stack does not evaluate phone-number-as-payload, you have a blind spot.
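The domain-age and missing-records rule above is the same posture check the "Infrastructure Built to Burn" section describes: a domain minutes old with no A, MX, SPF or DMARC and only a google-site-verification TXT. The following is an added example, not IRONSCALES code, that scores such a posture from a record set already in hand. SUSPECT is constructed to mirror what this write-up reports for cytrust[.]org (creation 2026-05-07 12:10:04 UTC, delivery 13:21 UTC, verification token value is a placeholder); ESTABLISHED is an invented, well-configured domain for contrast. A real deployment would fill these dicts from DNS and WHOIS lookups; the 30-day window is the threshold the text recommends.

```python
"""Sender-domain posture check: domain age plus A/MX/SPF/DMARC presence.

Added example, not IRONSCALES code. Record sets are constructed: SUSPECT
mirrors the write-up's observations for cytrust[.]org, ESTABLISHED is an
invented well-configured domain used for contrast.
"""
from datetime import datetime, timedelta, timezone

SUSPECT = {
    "created": datetime(2026, 5, 7, 12, 10, 4, tzinfo=timezone.utc),
    "A": [],
    "MX": [],
    "TXT": ["google-site-verification=PLACEHOLDER_TOKEN"],
    "_dmarc.TXT": [],
}
ESTABLISHED = {
    "created": datetime(2015, 3, 1, tzinfo=timezone.utc),  # invented
    "A": ["198.51.100.10"],  # RFC 5737 documentation address
    "MX": ["10 mail.example.net"],
    "TXT": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.TXT": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.net"],
}
SEEN_AT = datetime(2026, 5, 7, 13, 21, 0, tzinfo=timezone.utc)  # delivery time from the write-up


def has_spf(txt_records):
    return any(r.lower().startswith("v=spf1") for r in txt_records)


def has_dmarc(dmarc_txt_records):
    return any(r.lower().startswith("v=dmarc1") for r in dmarc_txt_records)


def assess_domain(dns, seen_at, max_age_days=30):
    """Return age in minutes, the individual findings, and an overall risk."""
    age = seen_at - dns["created"]
    findings = []
    if age < timedelta(days=max_age_days):
        findings.append("new-domain")
    if not dns["MX"]:
        findings.append("no-mx")
    if not has_spf(dns["TXT"]):
        findings.append("no-spf")
    if not has_dmarc(dns["_dmarc.TXT"]):
        findings.append("no-dmarc")
    if not dns["A"]:
        findings.append("no-a")
    txt = dns["TXT"]
    if txt and all(r.startswith("google-site-verification=") for r in txt) and not dns["MX"]:
        # The minimum DNS needed to provision Workspace and nothing else.
        findings.append("workspace-verification-only")
    if "new-domain" in findings and {"no-mx", "no-spf", "no-dmarc"} & set(findings):
        risk = "high"
    elif findings:
        risk = "medium"
    else:
        risk = "low"
    return {"age_minutes": round(age.total_seconds() / 60), "findings": findings, "risk": risk}


if __name__ == "__main__":
    for name, dns in (("SUSPECT", SUSPECT), ("ESTABLISHED", ESTABLISHED)):
        print(name, assess_domain(dns, SEEN_AT))
```

Domain age is deliberately a separate finding from the missing records: a young domain with full SPF/DMARC is a new business, and an old domain with none is a neglected one, but a domain that is both brand new and authentication-free at the moment it first sends mail is the pattern this campaign fits.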

For end users: No legitimate vendor will send an invoice for a product you did not purchase through a Google Calendar invite. If you receive an unexpected renewal notice, verify directly through the vendor's official website. Never call a number provided in a suspicious email.

For organizations in education: K-12 institutions remain disproportionately targeted because of large mailbox populations and varied security maturity across staff. Layering community-driven threat intelligence on top of gateway controls closes the detection gap that single-vendor stacks leave open.

Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 30,000+ security professionals. Each post breaks down one attack — what it looked like, why it worked, and what you can do about it.
