Phishers exploit Apple's servers to deliver fake iPhone purchase scams

According to BleepingComputer, threat actors are abusing Apple's account change notification system to embed phishing messages inside legitimate emails sent directly from Apple's infrastructure, bypassing spam filters and appearing credible to recipients.


What happened

Attackers create Apple IDs and insert phishing text into the account's name fields. When the attacker then updates the account's shipping information, Apple automatically sends an account change alert that echoes those user-supplied name fields, so the phishing message arrives inside a legitimate Apple email.

The emails originate from appleid@id.apple.com, pass SPF, DKIM, and DMARC authentication checks, and route through Apple-owned mail infrastructure. The phishing lure embedded in the notification claims an $899 iPhone purchase was made via PayPal and urges recipients to call a phone number to cancel it. Header analysis indicates the attacker uses a mailing list to distribute the emails to multiple targets, with the original recipient differing from the final delivery address.

BleepingComputer confirmed the technique is replicable and contacted Apple, which had not responded at time of publication.


The backstory

This campaign follows a similar tactic used in a prior phishing campaign that abused iCloud Calendar invites to send fake purchase notifications through Apple's servers. Both campaigns show the same pattern: rather than spoofing Apple, attackers abuse legitimate Apple features so that the malicious email really is sent by Apple.


What was said

BleepingComputer shared the specific phishing text embedded in the Apple notification, "Dear User 899 USD iPhone Purchase Via Pay-Pal To Cancel 18023530761."

The notification itself read, "The following changes to your Apple Account, hxfedna24005@icloud.com, were made on April 14, 2026 at 7:01:40 PM GMT."


Why it matters

This campaign undermines one of the signals users and IT teams most rely on to identify phishing: email authentication. When a message passes SPF, DKIM, and DMARC and originates from a domain like apple.com, most users treat it as safe.

For healthcare organizations and other HIPAA covered entities that rely on email, this is a meaningful threat. The message is not spoofed at all; it is genuine Apple infrastructure mail carrying attacker-controlled text, which is why authentication-based filtering alone cannot stop it. Employees who use Apple accounts for work or personal devices are exposed, since the notification format closely mirrors the routine security alerts they already expect to receive.

The attack also shows a trend of abusing platform features rather than exploiting technical vulnerabilities, an approach that is harder to patch because it uses systems functioning exactly as designed.


The bottom line

Apple's notification system is working as intended. Until Apple introduces controls that sanitize or restrict what content can appear in account change alerts, this attack vector remains open. Users should treat any unsolicited account alert referencing a purchase or directing them to call a support number with skepticism, regardless of how legitimate the sender address appears.


FAQs

Can I stop these emails from reaching my inbox?

Not reliably. Because the emails pass all standard authentication checks and come from Apple's own servers, traditional spam filters are unlikely to block them. Authentication results should be treated as an identity check, not as an allow-list: a content rule can still flag an Apple account notification whose name field contains a phone number, a currency amount, or purchase wording, none of which belong in a genuine alert.


How do I tell the difference between a real Apple security alert and one of these?

Check whether the email references a purchase or asks you to call a number; genuine Apple security alerts do not ask you to call support or confirm transactions. Also check the Apple Account address named in the notification. In the sample BleepingComputer shared it was hxfedna24005@icloud.com, the attacker's own account, not the recipient's. An alert about an account that is not yours, delivered to an address you never registered with Apple, is a lure no matter who sent it.
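The two FAQ answers above describe checks a mail gateway or analyst can automate: treat SPF/DKIM/DMARC as an identity check only, then look for lure content in the body and compare the Apple Account address named in the alert with the address the message was delivered to. The script below is an added illustration, not code from BleepingComputer, Paubox or Apple. The two sample messages are constructed to resemble the notification the article describes (the lure text and the account address are the ones quoted in the article; the header values, list address and recipient are made up), and the regexes and indicator names are assumptions to tune against your own traffic.

```python
"""Flag Apple account-change notifications that carry a phishing lure.

Added illustration only: the message samples below are constructed to resemble
the notification described in the article, not captured mail, and the regexes
and thresholds are assumptions to tune against real traffic.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

APPLE_SENDER = "appleid@id.apple.com"  # sender address named in the article

# Constructed: lure text and account address are those quoted in the article;
# the Authentication-Results, list address and recipient are made up.
SAMPLE_LURE = """\
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=id.apple.com;
 dkim=pass header.d=id.apple.com; dmarc=pass header.from=id.apple.com
From: Apple <appleid@id.apple.com>
To: members@list.example.net
Delivered-To: victim@example.org
Subject: Your Apple Account information has been updated
Content-Type: text/plain; charset=utf-8

Dear User 899 USD iPhone Purchase Via Pay-Pal To Cancel 18023530761,

The following changes to your Apple Account, hxfedna24005@icloud.com, were
made on April 14, 2026 at 7:01:40 PM GMT.
"""

# Constructed: a routine alert about the recipient's own account, for contrast.
SAMPLE_LEGIT = """\
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=id.apple.com;
 dkim=pass header.d=id.apple.com; dmarc=pass header.from=id.apple.com
From: Apple <appleid@id.apple.com>
To: victim@example.org
Delivered-To: victim@example.org
Subject: Your Apple Account information has been updated
Content-Type: text/plain; charset=utf-8

Dear Jane Doe,

The following changes to your Apple Account, victim@example.org, were
made on April 14, 2026 at 7:01:40 PM GMT.
"""


def auth_passed(msg) -> bool:
    """True when the receiving MTA recorded spf, dkim and dmarc all as pass."""
    results = str(msg.get("Authentication-Results", ""))
    return all(re.search(rf"\b{m}=pass\b", results) for m in ("spf", "dkim", "dmarc"))


def lure_indicators(body: str) -> list:
    """Content features of the lure that a genuine account-change alert lacks."""
    found = []
    if re.search(r"\b\d{2,5}\s?(?:USD|EUR|GBP)\b|\$\s?\d{2,5}\b", body, re.I):
        found.append("currency_amount")
    # Ten or more digits with at most one separator between each pair: a phone
    # number, but not a date or time such as "April 14, 2026" or "7:01:40".
    if re.search(r"\+?\d(?:[\s().-]?\d){9,}", body):
        found.append("phone_number")
    if re.search(r"\b(?:cancel|purchase|paypal|pay-pal)\b", body, re.I):
        found.append("purchase_wording")
    return found


def account_mismatch(body: str, delivered_to: str):
    """The alert names the changed Apple Account; a lure names the attacker's, not yours."""
    m = re.search(r"your Apple Account, ([^,\s]+@[^,\s]+),", body)
    if not m or not delivered_to:
        return None  # unknown rather than a verdict
    return m.group(1).lower() != delivered_to.lower()


def assess(raw: str) -> dict:
    """Parse one raw message and return the findings plus a verdict."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    to_addr = parseaddr(str(msg.get("To", "")))[1].lower()
    delivered = parseaddr(str(msg.get("Delivered-To", "")))[1].lower()
    report = {
        "from_apple": sender == APPLE_SENDER,
        "auth_passed": auth_passed(msg),
        # Article: the original recipient differs from the final delivery address.
        "relayed_via_list": bool(to_addr and delivered and to_addr != delivered),
        "indicators": lure_indicators(body),
        "account_mismatch": account_mismatch(body, delivered),
    }
    # Passing authentication is expected for this sender and must not lower the score.
    suspicious = report["from_apple"] and (report["indicators"] or report["account_mismatch"])
    report["verdict"] = "suspicious" if suspicious else "clean"
    return report


if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("legit", SAMPLE_LEGIT)):
        print(name, assess(raw))
```

Both samples pass authentication and come from the same sender, so the verdict is driven only by what the body says and whom it is about. The `account_mismatch` check is the one a user can apply by eye; the content indicators are the ones a gateway would apply before delivery.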
