Apple account change notifications are being misused to send phishing emails

Apple account change notifications are being abused to deliver fake iPhone purchase scams inside legitimate emails sent from Apple's own servers, which lends the lure credibility and may let it bypass spam filters.
A student shared an email with BleepingComputer that appeared to be a standard Apple security notification stating that their account information had been updated.
However, embedded within the message is a phishing lure claiming that an $899 iPhone was purchased through PayPal, along with a phone number to call to cancel the transaction.
“Dear User 899 USD Buy iPhone Via Pay-Pal To Cancel 18023530761,” reads the abused Apple account notification.
“The following changes to your Apple Account, hxfedna24005@icloud.com, were made on April 14, 2026 at 7:01:40 PM GMT:”
“Shipping Information”

Source: BleepingComputer
These emails are designed to trick recipients into thinking their accounts have been used for fraudulent purchases and to pressure them into calling the scammer’s “support” number.
When calling the number, scammers often try to convince victims that their accounts have been compromised and may instruct them to install remote access software or provide financial information.
In previous phishing campaigns, this remote access has been used to steal funds from bank accounts, deploy malware, or steal data.
Abusing Apple account notifications
While the phishing lure itself isn’t new, the campaign shows how threat actors continue to evolve their tactics by exploiting legitimate website features to launch attacks.
The phishing email was sent from Apple’s infrastructure using the address appleid@id.apple.com and passed SPF, DKIM, and DMARC authentication checks, indicating that the email itself was genuinely sent by Apple.
dkim=pass header.d=id.apple.com header.i=@id.apple.com header.b=o3ICBLWN
spf=pass (spf.icloud.com: domain of uatdsasadmin@email.apple.com designates 17.111.110.47 as permitted sender) smtp.mailfrom=uatdsasadmin@email.apple.com
Further analysis of the email headers confirms that the message originated from Apple’s mail infrastructure and was not spoofed.
Initial server: rn2-txn-msbadger01107.apple.com
Outbound relay: outbound.mr.icloud.com
IP address: 17.111.110.47 (Apple-owned)
To carry out this attack, a threat actor creates an Apple ID and inserts a phishing message into the account’s personal information fields, splitting the text across the first and last name fields.
BleepingComputer was able to replicate this behavior by creating an Apple test account and adding similar phishing language to the first and last name fields. The text has to be split because neither field alone can hold the entire scam message.

Source: BleepingComputer
To trigger an Apple account profile change notification, an attacker modifies the account’s shipping information, causing Apple to send a security alert informing the user of the change.
Because Apple includes the user-supplied first and last name fields within these notifications, the phishing message is embedded directly into the email and delivered as part of a formal warning.
The message was first sent to the iCloud email address associated with the attacker’s account, and that address also appears in the notification itself, which makes the email look personal and may lead the recipient to believe their own account has been hacked.
Header analysis shows that the original recipient differs from the final delivery address, indicating that the attacker is likely using a mailing list to distribute emails to multiple targets.
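The header and content details above (authentication passing, the scam text living in the greeting line, the addressed recipient differing from the delivery mailbox) can be turned into a simple triage check. The following Python script is an added example, not code from BleepingComputer or Apple: it parses a constructed notification modelled on the quoted one, confirms SPF/DKIM/DMARC results, compares the To address with an assumed Delivered-To header, and scans the user-supplied greeting line for lure indicators (currency amount, payment brand, phone number, cancel/call wording). All addresses, IPs and phone numbers in the samples are placeholders.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the quoted notification. Every address, IP and
# phone number is a placeholder (RFC 5737 / 555-01xx ranges), not campaign data.
SCAM_SAMPLE = """\
From: Apple <appleid@id.apple.com>
To: attacker-mailbox@icloud.example
Delivered-To: victim@example.com
Subject: Your Apple Account information has been updated
Authentication-Results: mx.example.com;
 dkim=pass header.d=id.apple.com header.i=@id.apple.com header.b=EXAMPLE;
 spf=pass (mx.example.com: domain of sender@email.apple.com designates 203.0.113.10 as permitted sender) smtp.mailfrom=sender@email.apple.com;
 dmarc=pass header.from=id.apple.com
Content-Type: text/plain; charset=utf-8

Dear User 899 USD Buy iPhone Via Pay-Pal To Cancel 18005550100
The following changes to your Apple Account, attacker-mailbox@icloud.example, were made on April 14, 2026 at 7:01:40 PM GMT:
Shipping Information
"""

# Constructed benign notification for comparison: same headers, ordinary name.
BENIGN_SAMPLE = """\
From: Apple <appleid@id.apple.com>
To: jane@example.com
Delivered-To: jane@example.com
Subject: Your Apple Account information has been updated
Authentication-Results: mx.example.com;
 dkim=pass header.d=id.apple.com; spf=pass smtp.mailfrom=sender@email.apple.com;
 dmarc=pass header.from=id.apple.com
Content-Type: text/plain; charset=utf-8

Dear Jane Doe
The following changes to your Apple Account, jane@example.com, were made on April 14, 2026 at 7:01:40 PM GMT:
Shipping Information
"""

AUTH_RE = re.compile(r"\b(dkim|spf|dmarc)=(pass|fail|softfail|neutral|none|temperror|permerror)\b", re.I)
GREETING_RE = re.compile(r"^\s*Dear\s+(?P<name>.+?)\s*$", re.I | re.M)
ACCOUNT_RE = re.compile(r"Apple Account,\s*([^\s,]+@[^\s,]+),", re.I)

# Things a first/last name should never contain; each hit is one lure indicator.
LURE_PATTERNS = {
    "currency_amount": re.compile(r"\$\s?\d[\d,]*|\b\d[\d,]*\s?(?:USD|EUR|GBP)\b", re.I),
    "phone_number": re.compile(r"\b(?:\+?1[\s-]?)?\d{3}[\s-]?\d{3}[\s-]?\d{4}\b"),
    "payment_brand": re.compile(r"\bpay[\s-]?pal\b|\bvenmo\b|\bzelle\b|\bcash\s?app\b", re.I),
    "call_to_action": re.compile(r"\b(?:cancel|call|refund|contact)\b", re.I),
}


def parse_auth_results(value) -> dict:
    """Map each authentication method to its result, e.g. {'dkim': 'pass', ...}."""
    flat = " ".join(str(value).split())  # unfold continuation lines
    return {m.group(1).lower(): m.group(2).lower() for m in AUTH_RE.finditer(flat)}


def assess(raw: str) -> dict:
    """Triage one raw notification and return the individual findings plus a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    to_addr = parseaddr(str(msg.get("To", "")))[1].lower()
    delivered_to = parseaddr(str(msg.get("Delivered-To", "")))[1].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""

    greeting_match = GREETING_RE.search(text)
    greeting = greeting_match.group("name") if greeting_match else ""
    lure_hits = sorted(k for k, rx in LURE_PATTERNS.items() if rx.search(greeting))
    account_match = ACCOUNT_RE.search(text)
    account_addr = account_match.group(1).lower() if account_match else ""

    findings = {
        "authenticated": all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc")),
        "greeting": greeting,
        "greeting_lure_hits": lure_hits,
        # Addressed to one mailbox but delivered to another: consistent with list fan-out.
        "recipient_mismatch": bool(to_addr and delivered_to and to_addr != delivered_to),
        # The notification names an account that is not the mailbox it landed in.
        "account_address_mismatch": bool(account_addr and delivered_to and account_addr != delivered_to),
    }
    # Passing authentication is expected here and proves nothing; the verdict rests on content.
    findings["suspicious"] = len(lure_hits) >= 2 or (
        findings["recipient_mismatch"] and findings["account_address_mismatch"]
    )
    return findings


if __name__ == "__main__":
    for label, sample in (("scam", SCAM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, assess(sample))
```

The point of the check is that "authenticated" is true for both samples: SPF, DKIM and DMARC only vouch for the sending infrastructure, so a mail gateway rule that whitelists Apple on authentication alone waves this lure through. The signal lives in the fields Apple lets the account holder fill in and in the recipient/account address mismatch.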
This campaign is similar to a previous phishing campaign that misused iCloud Calendar invitations to send fake purchase notifications through Apple’s servers.
As a general rule, users should treat unexpected account alerts that mention purchases or urge them to call support numbers with caution, especially if they have not made any recent account changes themselves or if the alerts contain unfamiliar email addresses.
BleepingComputer contacted Apple on Friday about the campaign but did not receive a response, and the abuse remains possible.