What happened
Threat actors are abusing Apple’s account change notification system to deliver callback phishing scams through legitimate emails sent directly from Apple’s servers. The technique exploits the way Apple includes user-supplied name fields in its security alert emails: attackers create an Apple ID and insert phishing text across the first and last name fields, then trigger a legitimate account change notification by modifying the account’s shipping information. Because Apple embeds the account holder’s name in the resulting security alert, the phishing message is delivered as part of a genuine Apple email, passing standard email authentication checks and increasing the likelihood of bypassing spam filters. One example observed in the campaign presented recipients with a fake $899 iPhone purchase notification via PayPal and a phone number to call to cancel the transaction. The abuse has been confirmed as replicable and remains possible, as Apple had not responded to inquiries or addressed the issue at the time of publication. The campaign follows a similar technique reported in 2025 in which iCloud Calendar invites were used to deliver phishing lures through Apple’s mail servers.
Who is affected
Any Apple account holder can be targeted, as the attack requires no access to the victim’s account and exploits a design characteristic in Apple’s own notification system. Organizations whose employees use Apple IDs for personal or work-adjacent purposes face exposure, particularly where callback phishing is used to harvest credentials or initiate fraudulent support interactions.
Why CISOs should care
This campaign is notable because the phishing email originates from Apple’s own infrastructure, passes SPF, DKIM, and DMARC checks, and arrives in a format that looks indistinguishable from a legitimate Apple security alert. Standard email filtering controls offer limited protection here. The attack relies entirely on social engineering rather than a technical vulnerability in the recipient’s environment, making user awareness the primary line of defense. The pattern of abusing trusted platform notification systems — first iCloud Calendar, now account change alerts — suggests this approach is being refined and broadened.
3 practical actions
- Brief staff on callback phishing delivered via legitimate platforms: Ensure employees understand that emails passing authentication checks and originating from known sender domains can still carry phishing lures, particularly those involving unexpected purchases or urgent support numbers.
- Treat unsolicited Apple account change notifications with caution: Any alert referencing a purchase or prompting a call to a support number should be verified directly through appleid.apple.com or the Apple Support app rather than by engaging with the email content.
- Review email security controls for trusted-sender abuse: Assess whether current filtering and detection rules account for phishing content delivered inside otherwise legitimate transactional emails from major platforms, and consider user-level training that specifically addresses this pattern.
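The third action asks whether detection rules catch lure text riding inside an authenticated transactional email. The following is an added example, not code from the article or from Apple, of a heuristic rule that does exactly that: it parses a raw message, confirms the sender really is a trusted transactional domain that passed SPF, DKIM and DMARC, and only then looks for the callback-phishing pattern described above (a phone number paired with purchase, cancel or refund language, often with a dollar amount). The trusted-domain list, the `notifications.example` sender, the 555 phone number and both sample messages are constructed for illustration.

```python
"""Heuristic detector for callback-phishing lures carried inside otherwise
legitimate, fully authenticated transactional email (added example; the
domains, headers and sample messages are constructed, not real)."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Assumption: transactional sender domains this organization treats as trusted
# and therefore normally allows past content filtering.
TRUSTED_DOMAINS = {"notifications.example"}

# Loose North-American-style phone pattern; adjust for local formats.
PHONE_RE = re.compile(r"(?:\+?\d{1,2}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
MONEY_RE = re.compile(r"[$€£]\s?\d[\d,]*(?:\.\d{2})?")
LURE_WORDS = ("call", "cancel", "refund", "purchase", "charged", "unauthorized", "paypal")


def auth_results(msg: Message) -> dict:
    """Parse Authentication-Results headers into {method: result}."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            results[method.lower()] = result.lower()
    return results


def body_text(msg: Message) -> str:
    """Return the text/plain content of a single-part or multipart message."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        return "\n".join(p.decode("utf-8", "replace") for p in parts)
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")


def analyze(raw: str, trusted_domains=TRUSTED_DOMAINS) -> dict:
    """Flag an authenticated, trusted-sender message whose text carries a callback lure."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    auth = auth_results(msg)
    authenticated = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    trusted_sender = authenticated and domain in trusted_domains

    text = f"{msg.get('Subject', '')}\n{body_text(msg)}"
    lower = text.lower()
    phones = PHONE_RE.findall(text)
    money = MONEY_RE.findall(text)
    words = [w for w in LURE_WORDS if w in lower]

    reasons = []
    if phones and len(words) >= 2:
        reasons.append(f"callback lure: phone {phones[0]!r} with {words}")
    if phones and money:
        reasons.append(f"unexpected charge {money[0]} paired with a callback number")

    return {
        "from_domain": domain,
        "authenticated": authenticated,
        "trusted_sender": trusted_sender,
        "reasons": reasons,
        # The signal of interest is lure text inside mail that filters would
        # normally wave through because it is authenticated and from a trusted domain.
        "suspicious": trusted_sender and bool(reasons),
    }


AUTH_HEADER = ("Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=notifications.example; "
               "dkim=pass header.d=notifications.example; dmarc=pass header.from=notifications.example")

# Constructed sample: a genuine account change alert whose name field carries the lure.
PHISHING_SAMPLE = AUTH_HEADER + """
From: Account Notifications <noreply@notifications.example>
To: victim@example.org
Subject: Your shipping address was updated
Content-Type: text/plain; charset="utf-8"

Dear iPhone 15 purchase $899.00 via PayPal. To cancel call +1 555 010 0100,

The shipping address on your account was recently changed.
If you did not make this change, review your account settings.
"""

# Constructed sample: the same notification with an ordinary name.
BENIGN_SAMPLE = AUTH_HEADER + """
From: Account Notifications <noreply@notifications.example>
To: user@example.org
Subject: Your shipping address was updated
Content-Type: text/plain; charset="utf-8"

Dear Jane Doe,

The shipping address on your account was recently changed.
If you did not make this change, review your account settings.
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, analyze(sample))
```

Because the trigger is the combination of a trusted, authenticated sender with lure text, the rule is best routed to a quarantine-and-review queue rather than a hard block: genuine receipts from the same platforms can legitimately carry support numbers and amounts, and the two-word lure threshold and phone regex will need tuning against your own mail corpus.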
