# Apple account change alerts exploited to send phishing emails from legitimate servers _Sunday, April 19, 2026 at 2:08 PM EDT · Cybersecurity, Tech & Business · Latest · Tier 2 — Notable_ ![Apple account change alerts exploited to send phishing emails from legitimate servers — Primary](https://www.bleepstatic.com/content/hl-images/2023/09/11/apple_triangle.jpg) Apple account change notifications are being abused to send fake iPhone purchase phishing scams from Apple's own servers, increasing their legitimacy and potentially allowing them to bypass spam filters. The campaign embeds phishing messages within legitimate security alerts sent by Apple when users modify their account information. Attackers create Apple IDs and insert callback phishing text into the first and last name fields, then trigger a shipping information change that generates an automated notification from Apple's infrastructure. The phishing emails appear to come from appleid@id.apple.com and pass SPF, DKIM, and DMARC authentication checks, indicating they are legitimate emails from Apple's servers. Analysis of email headers shows the messages originate from Apple mail infrastructure at rn2-txn-msbadger01107.apple.com and are relayed through outbound.mr.icloud.com from Apple-owned IP addresses. A sample phishing email shared with BleepingComputer reads: "Dear User 899 USD iPhone Purchase Via Pay-Pal To Cancel 18023530761," followed by notification that account changes were made. The emails are designed to trick recipients into thinking their accounts were used for fraudulent purchases, scaring them into calling the scammer's "support" number. When victims call these numbers, scammers typically try to convince them their accounts have been compromised and may instruct them to install remote access software or provide financial information. In previous callback phishing campaigns, this remote access has been used to steal funds from bank accounts, deploy malware, or steal data. This campaign is similar to previous phishing operations that abused iCloud Calendar invites to send fake purchase notifications through Apple's servers. While Apple has been contacted about the abuse, it remains possible to exploit this notification feature. Security researchers advise users to treat unexpected account alerts claiming purchases or urging them to call support numbers with caution, especially if they did not initiate any recent changes or if the emails contain unusual addresses. ## Sources - [BleepingComputer](https://www.bleepingcomputer.com/news/security/apple-account-change-alerts-abused-to-send-phishing-emails/) --- Canonical: https://techandbusiness.org/newswire/08EUFJXk3wQgRnqiFNjOxS Retrieved: 2026-04-19T21:53:32.090Z Publisher: Tech & Business (techandbusiness.org)