Phishers abuse Apple account-change alerts to smuggle scams past spam filters
Attackers are weaponizing Apple’s own account notification system to deliver callback phishing lures from legitimate Apple infrastructure. By creating an Apple ID and stuffing a fake $899 iPhone purchase message across the first and last name fields, then triggering a shipping address change, the scammer causes Apple to send a security alert that renders the injected text as part of the email body. The resulting message originates from appleid@id.apple.com, passes SPF, DKIM, and DMARC, and arrives with the full weight of Apple’s sending reputation.
Recipients are nudged to call an attacker-controlled number to dispute the bogus charge. Standard callback-scam playbooks follow: operators push victims to install remote access tools, hand over banking details, or accept malware. The notification also lists the attacker’s own iCloud address as the account holder, which adds a plausible veneer of account compromise and drives urgency. Distribution appears to run through a mailing list, with header analysis showing the original recipient differs from the final delivery address.
The underlying flaw is trusting user-supplied profile fields as safe content inside transactional notifications. It mirrors an earlier abuse pattern using iCloud Calendar invites. BleepingComputer reported the technique to Apple and got no response; the injection still works.
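Two defender-side checks follow as an added example; this is not code from the article, from BleepingComputer, or from Apple. The first is the input policy a notification service could apply to profile name fields before interpolating them into a transactional template (the root cause named above). The second is a mail-gateway heuristic that scores an already-authenticated alert on the content indicators described above: free text and a phone number where a name belongs, a dollar amount, a recipient that differs from the delivery address, and an account holder who is not the recipient. The sample message, the `Dear <name>` greeting layout, the `Apple Account:` line, and the phone number and iCloud address in it are all constructed placeholders, not the real template or real indicators.

```python
"""Name-field injection in account notifications: policy check plus gateway scoring.
Added example; not Apple's code and not the article's. Template layout is assumed."""
import email
import re
from email import policy

# --- 1. Policy for profile fields that a notification template will echo ------
MAX_NAME_LEN = 40  # assumed limit; a real name rarely needs more
PHONE_RE = re.compile(r"(\+?\d[\d\-\.\s\(\)]{7,}\d)")
MONEY_RE = re.compile(r"(\$|USD|EUR|£|€)\s?\d")
URL_RE = re.compile(r"(https?://|www\.)", re.I)
CALL_TO_ACTION_RE = re.compile(
    r"\b(call|dial|contact|dispute|cancel|refund|charged|purchase|invoice)\b", re.I
)


def check_display_name(value: str) -> list:
    """Return policy violations for a first/last name field; [] means renderable."""
    problems = []
    if len(value) > MAX_NAME_LEN:
        problems.append("too_long")
    if "\n" in value or "\r" in value:
        problems.append("line_break")
    if PHONE_RE.search(value):
        problems.append("phone_number")
    if MONEY_RE.search(value):
        problems.append("currency_amount")
    if URL_RE.search(value):
        problems.append("url")
    if CALL_TO_ACTION_RE.search(value):
        problems.append("call_to_action_wording")
    return problems


# --- 2. Gateway heuristic for an alert that already passed SPF/DKIM/DMARC -----
# Constructed sample. Phone number and iCloud address are placeholders; the
# "Dear <name>" greeting and "Apple Account:" line are an assumed layout.
SAMPLE_ALERT = b"""\
From: Apple <appleid@id.apple.com>
To: subscriber-alias@example.net
Delivered-To: victim@example.org
Subject: Your shipping address was changed
Content-Type: text/plain; charset=utf-8

Dear Your recent purchase of iPhone for $899.00 was successful. If you did not authorize it, call +1 (555) 010-0199 to cancel,

The shipping address for your Apple Account was recently changed.
Apple Account: attacker-placeholder@icloud.com
"""


def score_notification(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and score callback-lure indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    ind = {}

    # The name fields are echoed into the greeting line (assumed layout).
    m = re.search(r"Dear\s+(.+)", body)
    greeting = m.group(1).strip() if m else ""
    ind["name_field_problems"] = check_display_name(greeting)

    ind["phone_in_body"] = bool(PHONE_RE.search(body))
    ind["amount_in_body"] = bool(MONEY_RE.search(body))

    # Mailing-list relay: addressed recipient differs from final delivery address.
    to_addr = str(msg["To"] or "").lower()
    delivered = str(msg["Delivered-To"] or "").lower()
    ind["recipient_mismatch"] = bool(delivered) and delivered not in to_addr

    # The account holder named in the alert is not the person who received it.
    holder = re.search(r"Apple Account:\s*(\S+@\S+)", body)
    ind["holder_not_recipient"] = bool(holder) and holder.group(1).lower() != delivered

    score = (
        len(ind["name_field_problems"])
        + ind["phone_in_body"]
        + ind["amount_in_body"]
        + ind["recipient_mismatch"]
        + ind["holder_not_recipient"]
    )
    ind["score"] = score
    ind["suspicious"] = score >= 3
    return ind


if __name__ == "__main__":
    print(check_display_name("Jane Doe"))          # []
    print(score_notification(SAMPLE_ALERT))
```

The point of scoring content rather than authentication is that SPF, DKIM and DMARC all legitimately pass here; the only signal left is that a name field carries text no name should. The same policy function applied at profile-creation time (reject, or at least refuse to render, values with phone numbers, amounts or call-to-action wording) removes the injection at its source.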
Continue reading at BleepingComputer. This is an AI-generated summary; read the original for the full story.