The Webinar Invite That Came With an Apple Wallet Pass and a Three-Hop Redirect Chain
ID: 836a5666-a05d-5077-8d5d-1125fda8cbea
STIX ID: report--836a5666-a05d-5077-8d5d-1125fda8cbea
Feed Name: IRONSCALES
A high-risk phishing campaign spoofed a Google Calendar webinar invitation, using a structurally clean .ics file and a .pkpass Apple Wallet attachment to deliver redirecting short links and a webServiceURL with tracking tokens. The message passed SPF/DKIM/DMARC via Google infrastructure, triggered behavioral detections, and was quarantined across multiple mailboxes. The report provides several IoCs and MITRE mappings for detection and response.
