Cybercriminals are exploiting Apple’s account notification system to send phishing emails that appear completely legitimate, making it harder for users to spot the scam.
These messages are being delivered through Apple’s official email servers, which helps them pass common security checks and avoid spam filters.
The attack starts with what appears to be a normal Apple security alert, notifying users that changes have been made to their account. But hidden inside the message is a fake warning about an $899 iPhone purchase made through PayPal, along with a phone number that urges the recipient to call and cancel the transaction.

The goal is to create panic and push people into contacting the number, where scammers pretend to be support agents. Once on the call, they may claim the account has been compromised and try to convince victims to install remote access software or share sensitive financial details. In past cases, this approach has been used to steal money, deploy malware, and access personal data.
What makes this campaign more convincing is that the emails are actually sent from Apple’s infrastructure. They come from official Apple email addresses and pass authentication checks like SPF, DKIM, and DMARC, confirming they are not spoofed. Technical analysis shows the messages originate directly from Apple’s mail servers.
The trick lies in how attackers use Apple’s own features. They create an Apple ID and insert the phishing message into the account’s personal information fields, splitting the text across the first and last name sections. Then they update the account’s shipping details, which triggers Apple to send a genuine account change notification.
Since Apple includes the user’s name in these alerts, the phishing message gets embedded directly into the email content, making it look like part of the official notification. This allows the scam to reach inboxes as a trusted message rather than a suspicious one.
In the reported case, the original email was tied to an iCloud address controlled by the attacker, but it was distributed more widely, likely using mailing lists. This makes the alert seem even more alarming, as it suggests possible unauthorized activity involving unfamiliar account details.
This method is part of a growing trend where attackers misuse legitimate platform features instead of relying on fake emails alone. A similar tactic was previously used with iCloud calendar invites to send fraudulent purchase alerts through Apple’s systems.
Users are advised to be cautious when receiving unexpected account notifications, especially those mentioning purchases or urging them to call a support number. If something looks suspicious or unexpected, it is safer to verify directly through official channels rather than responding to the message.
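
Because these notifications pass SPF, DKIM, and DMARC, a mail filter cannot rely on authentication alone and has to inspect the text that ends up in user-controlled fields such as the name. The following is an added example, not code from the original article or from Apple: a content heuristic that flags an authenticated notice carrying a phone number together with a payment pretext. The sample messages, domains, phone number, regular expressions, and the `triage` function are all constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default

PHONE = re.compile(r"\+?\d[\d\s().-]{8,}\d")  # loose international phone pattern
MONEY = re.compile(r"[$€£]\s?\d{2,}")
LURE = re.compile(r"\b(call|cancel|refund|purchase|paypal|invoice)\b", re.I)

HEADERS = (  # constructed headers; domains and wording are made up
    "From: Account Notices <noreply@vendor.example>\n"
    "To: user@example.org\n"
    "Subject: Your account information was updated\n"
    "Authentication-Results: mx.example.org; spf=pass; dkim=pass; dmarc=pass\n"
    "Content-Type: text/plain; charset=utf-8\n\n"
)
NOTICE = "The shipping information for your account was changed.\n"
# Constructed lure sitting where the account holder's name would be printed.
SAMPLE = HEADERS + ("Dear Your $899 iPhone purchase via PayPal is confirmed. "
                    "To cancel call +1 (555) 010-0199,\n\n") + NOTICE
BENIGN = HEADERS + "Dear Jane Doe,\n\n" + NOTICE


def triage(raw: str) -> tuple[str, list[str]]:
    """Return ("quarantine" | "deliver", reasons) for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part else ""
    reasons = []
    if PHONE.search(text):
        reasons.append("phone number in body")
    if MONEY.search(text):
        reasons.append("currency amount in body")
    words = sorted({w.lower() for w in LURE.findall(text)})
    if len(words) >= 2:
        reasons.append("payment/callback wording: " + ", ".join(words))
    # Callback lure = a number to call plus a money or payment pretext.
    lure = "phone number in body" in reasons and len(reasons) >= 2
    auth = str(msg.get("Authentication-Results", "")).lower()
    if lure and "dmarc=pass" in auth:
        # Authentication proves the sending platform, not who wrote the text.
        reasons.append("DMARC pass does not clear user-controlled fields")
    return ("quarantine" if lure else "deliver"), reasons


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE), ("benign", BENIGN)):
        print(name, *triage(raw))
```

The verdict depends only on the body content; the authentication result is recorded as context so an analyst sees why sender reputation did not help.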





