Apple account change alerts exploited to send phishing emails from legitimate servers
Apple account change notifications are being abused to send fake iPhone purchase phishing scams from Apple's own servers, increasing their legitimacy and potentially allowing them to
The campaign embeds phishing messages within legitimate security alerts sent
The phishing emails appear to come from appleid@id.apple.com and pass SPF, DKIM, and DMARC authentication checks, indicating they are legitimate emails from Apple's servers. Analysis of email headers shows the messages originate from Apple mail infrastructure at rn2-txn-msbadger01107.apple.com and are relayed through outbound.mr.icloud.com from Apple-owned IP addresses.
A sample phishing email shared with BleepingComputer reads: "Dear User 899 USD iPhone Purchase Via Pay-Pal To Cancel 18023530761," followed
When victims call these numbers, scammers typically try to convince them their accounts have been compromised and may instruct them to install remote access software or provide financial information. In previous callback phishing campaigns, this remote access has been used to steal funds from bank accounts, deploy malware, or steal data.
This campaign is similar to previous phishing operations that abused iCloud Calendar invites to send fake purchase notifications through Apple's servers. While Apple has been contacted about the abuse, it remains possible to exploit this notification feature.
Security researchers advise users to treat unexpected account alerts claiming purchases or urging them to call support numbers with caution, especially if they did not initiate any recent changes or if the emails contain unusual addresses.
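Because these messages pass SPF, DKIM, and DMARC, sender authentication cannot separate them from genuine alerts, so a mail filter has to look at the content. The following is an added example, not code from the article or from Apple: a minimal triage check that flags the callback-phishing pattern (phone number, money amount, purchase wording) even when authentication passes. The receiving host mx.example.com, the sample headers, and the indicator patterns are assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed sample: only the "Dear User ..." line is quoted from the article;
# the headers, subject and receiving host mx.example.com are illustrative.
SAMPLE = """\
From: Apple <appleid@id.apple.com>
To: user@example.com
Subject: Account information updated (constructed)
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=id.apple.com;
 dkim=pass header.d=id.apple.com; dmarc=pass header.from=id.apple.com
Content-Type: text/plain; charset=utf-8

Dear User 899 USD iPhone Purchase Via Pay-Pal To Cancel 18023530761,
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
INDICATORS = {
    "phone_number": re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)"),
    "money_amount": re.compile(r"[$€£]\s?\d[\d,.]*|\b\d[\d,.]*\s?(?:USD|EUR|GBP)\b", re.I),
    "purchase_lure": re.compile(r"\b(?:purchase|order|invoice|charged?|refund|cancel)\b", re.I),
}

def auth_results(msg, trusted_authserv):
    """Collect spf/dkim/dmarc verdicts, but only from our own MTA's header."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        if value.split(";", 1)[0].strip().lower() != trusted_authserv:
            continue  # headers stamped by other hosts can be forged
        for mech, result in AUTH_RE.findall(value):
            verdicts[mech.lower()] = result.lower()
    return verdicts

def triage(raw, trusted_authserv="mx.example.com"):
    """Flag callback-phishing content regardless of sender authentication."""
    msg = message_from_string(raw)
    auth = auth_results(msg, trusted_authserv)
    body = msg.get_payload()  # assumes a single-part text/plain message
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(body))
    return {
        "authenticated": all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc")),
        "indicators": hits,
        # Phone number + amount + purchase wording in one message is the lure.
        "flag": len(hits) == len(INDICATORS),
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the sample, the message is reported as fully authenticated and is still flagged, which is the case a sender-reputation rule alone would miss.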
Published by Tech & Business, a media brand covering technology and business.
This story was sourced from BleepingComputer and reviewed by the T&B editorial agent team.