Identity & Access | Apr 19, 2026

Apple account change alerts abused to send phishing emails

Apple account change notifications abused to deliver phishing emails via legitimate Apple servers.

Summary

Threat actors are exploiting Apple's account change notification system to deliver phishing scams impersonating iPhone purchase alerts. Attackers create fake Apple IDs, embed phishing messages in name fields, trigger account change notifications, and abuse Apple's email infrastructure (which passes SPF/DKIM/DMARC) to deliver messages that appear legitimate and bypass spam filters. The campaign directs victims to call scammer-controlled numbers where they're tricked into installing remote access software or disclosing financial information.

Full text

Apple account change alerts abused to send phishing emails
By Lawrence Abrams, April 19, 2026, 12:03 PM

Apple account change notifications are being abused to send fake iPhone purchase phishing scams inside legitimate emails sent from Apple's servers, lending them credibility and potentially allowing them to bypass spam filters.

A reader shared an email with BleepingComputer that appeared to be a standard Apple security notification stating that their account information had been updated. However, embedded within the message was a phishing lure claiming that an $899 iPhone purchase had been made via PayPal, along with a phone number to call to cancel the transaction.

"Dear User 899 USD iPhone Purchase Via Pay-Pal To Cancel 18023530761," reads the Apple account phishing email. "The following changes to your Apple Account, hxfedna24005@icloud.com, were made on April 14, 2026 at 7:01:40 PM GMT:" "Shipping Information"

[Figure: Callback phishing email abusing Apple Account change notifications. Source: BleepingComputer]

These emails are designed to trick recipients into thinking their accounts were used for fraudulent purchases and scare them into calling the scammer's "support" number. When calling the number, scammers typically try to convince victims that their accounts have been compromised and may instruct them to install remote access software or provide financial information. In previous callback phishing campaigns, this remote access has been used to steal funds from bank accounts, deploy malware, or steal data.

Abusing Apple account notifications

While the phishing lure is not new, the campaign illustrates how threat actors continue to evolve their tactics by exploiting legitimate website features to conduct attacks. The phishing email was sent from Apple's infrastructure using the address appleid@id.apple.com and passed SPF, DKIM, and DMARC authentication checks, indicating that it was a legitimate email from Apple.

dkim=pass header.d=id.apple.com header.i=@id.apple.com header.b=o3ICBLWN
spf=pass (spf.icloud.com: domain of uatdsasadmin@email.apple.com designates 17.111.110.47 as permitted sender) smtp.mailfrom=uatdsasadmin@email.apple.com

Further analysis of the email headers shows that the message originated from Apple mail infrastructure and was not spoofed:

Initial server: rn2-txn-msbadger01107.apple.com
Outbound relay: outbound.mr.icloud.com
IP address: 17.111.110.47 (Apple-owned)

To conduct the attack, the threat actor creates an Apple ID and inserts the phishing message into the account's personal information fields, splitting the text across the first and last name fields because neither field alone can hold the entire scam message. BleepingComputer was able to replicate this behavior by creating a test Apple account and adding similar callback phishing language to the first and last name fields.

[Figure: Replicating the attack by changing Apple account name fields. Source: BleepingComputer]

To trigger the Apple account profile change notification, the attacker modifies the account's shipping information, which causes Apple to send a security alert notifying the user of the change. Because Apple includes the user-supplied first and last name fields within these notifications, the phishing message is embedded directly into the email and delivered as part of a legitimate alert.

While the target of the attacks received the message, the email was initially sent to an iCloud email address associated with the attacker's account. This email address is also included in the notification email, making the email look more concerning and potentially leading someone to believe the account was hacked. Header analysis shows that the original recipient differs from the final delivery address, indicating that the attacker is likely using a mailing list to distribute the emails to multiple targets.

This campaign is similar to a previous phishing campaign that abused iCloud Calendar invites to send fake purchase notifications through Apple's servers. As a general rule, users should treat unexpected account alerts claiming purchases or urging them to call support numbers with caution, especially if they did not initiate any recent changes or if they contain unusual email addresses. BleepingComputer contacted Apple on Friday about this campaign but did not receive a response, and the abuse is still possible.
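Because these messages pass SPF, DKIM and DMARC, sender authentication alone cannot catch them; the signals described above are a phone number or purchase wording inside the name-field greeting and a To: recipient that differs from the final delivery address. The following detection heuristic is an added example, not code from BleepingComputer or Apple; the sample message is constructed from the quoted notification, and the receiving host, the Delivered-To address and the Authentication-Results layout are assumptions.

```python
import email
import email.utils
import re
from email import policy

# Constructed sample: sender, To: address and greeting come from the article;
# mx.example.net, victim@example.net and the auth header layout are assumed.
SAMPLE_EMAIL = """\
Authentication-Results: mx.example.net;
 dkim=pass header.d=id.apple.com header.i=@id.apple.com;
 spf=pass smtp.mailfrom=uatdsasadmin@email.apple.com;
 dmarc=pass header.from=id.apple.com
From: Apple <appleid@id.apple.com>
To: hxfedna24005@icloud.com
Delivered-To: victim@example.net
Subject: Your Apple Account information was updated
Content-Type: text/plain; charset=utf-8

Dear User 899 USD iPhone Purchase Via Pay-Pal To Cancel 18023530761,
The following changes to your Apple Account, hxfedna24005@icloud.com,
were made on April 14, 2026 at 7:01:40 PM GMT:
Shipping Information
"""

# North American phone number, with or without a leading 1 and separators.
PHONE_RE = re.compile(r"(?<!\d)\+?1?[\s.-]?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
LURE_WORDS = ("purchase", "usd", "cancel", "call", "pay-pal", "paypal", "refund")

def auth_results(msg):
    # Parse spf=/dkim=/dmarc= results out of every Authentication-Results header.
    hdr = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    return {m.lower(): r.lower() for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I)}

def greeting_line(body):
    # The "Dear ..." line is where Apple inserts the user-supplied name fields.
    return next((l.strip() for l in body.splitlines() if l.strip().lower().startswith("dear ")), "")

def score_apple_notification(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
    auth = auth_results(msg)
    genuine_apple = sender.endswith("apple.com") and all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    greet = greeting_line(msg.get_body(preferencelist=("plain",)).get_content())
    if PHONE_RE.search(greet):
        findings.append("phone number inside the account-name greeting")
    if sum(w in greet.lower() for w in LURE_WORDS) >= 2:
        findings.append("purchase/callback wording inside the account-name greeting")
    to_addr = email.utils.parseaddr(str(msg.get("To", "")))[1].lower()
    delivered = email.utils.parseaddr(str(msg.get("Delivered-To", "")))[1].lower()
    if to_addr and delivered and to_addr != delivered:
        findings.append("To: recipient differs from Delivered-To (list/relay distribution)")
    # The pattern described in the article is an authenticated Apple message that still carries lure indicators.
    return ("suspect" if genuine_apple and findings else "clean"), findings
```

A genuine notification with an ordinary name and no relay mismatch returns ("clean", []), so the heuristic keys on the abused name field rather than on the sender.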

Indicators of Compromise

  • ip — 17.111.110.47
  • email — appleid@id.apple.com
  • email — hxfedna24005@icloud.com
  • email — uatdsasadmin@email.apple.com

Entities

  • Apple (vendor)
  • Apple ID (product)
  • iCloud (product)
  • SPF/DKIM/DMARC authentication (technology)