The Hidden Dangers of Calendar Subscriptions: 4 Million Devices at Risk
WHITE AlienVault 2025-11-26 Modified: 2025-11-26
23 IOCs, MEDIUM VOLUME
Bitsight researchers uncovered a significant security risk associated with calendar subscriptions, potentially affecting 4 million devices. Expired or hijacked domains hosting calendar subscriptions can be exploited for large-scale social engineering attacks. The research revealed two types of sync requests reaching their sinkhole, indicating different networks at play. The infrastructure behind these operations was found to be deliberate and planned, with domains actively registered until 2025. The attack vector leverages users' trust in calendar events, making it more effective than traditional phishing emails. The researchers also discovered links to the Balada injector campaign, involving website compromises and redirection chains. The scale of operations includes over 1,300 domains and various monetization strategies, including selling calendar event ad space.
Indicators of Compromise (23)