{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/callback-phishing/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["apple","phishing","callback phishing","email"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA phishing campaign is underway that abuses Apple\u0026rsquo;s account change notification system. Threat actors are inserting phishing messages into the first and last name fields of Apple ID accounts. By modifying the account\u0026rsquo;s shipping information, they trigger legitimate Apple security alerts, which then embed the malicious message within the email body. The emails appear to originate from \u003ca href=\"mailto:appleid@id.apple.com\"\u003eappleid@id.apple.com\u003c/a\u003e and pass SPF, DKIM, and DMARC checks, making them more likely to bypass spam filters. This campaign is designed to trick recipients into believing their accounts have been used for fraudulent purchases, scaring them into calling a scammer\u0026rsquo;s \u0026ldquo;support\u0026rdquo; number.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker creates an Apple ID using a burner email address.\u003c/li\u003e\n\u003cli\u003eThe attacker enters a phishing lure (e.g., \u0026ldquo;Dear User 899 USD iPhone Purchase Via Pay-Pal To Cancel\u0026rdquo;) split across the first and last name fields in the Apple ID profile, as these fields have character limits.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the account\u0026rsquo;s shipping information.\u003c/li\u003e\n\u003cli\u003eThis triggers an Apple account profile change notification email.\u003c/li\u003e\n\u003cli\u003eApple sends a legitimate security alert notifying the user of the change, embedding the attacker-controlled first and last name fields within the email body. The email originates from \u003ca href=\"mailto:appleid@id.apple.com\"\u003eappleid@id.apple.com\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eThe recipient receives the email, which appears legitimate and contains a phishing message and a callback number (e.g., 18023530761).\u003c/li\u003e\n\u003cli\u003eThe recipient, believing their account has been compromised, calls the provided number.\u003c/li\u003e\n\u003cli\u003eThe scammers attempt to convince the victim that their account has been compromised and may instruct them to install remote access software or provide financial information to \u0026ldquo;resolve\u0026rdquo; the issue, leading to financial theft.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful attacks can lead to financial theft, malware deployment, or data theft. Victims who call the provided number are at risk of being coerced into providing sensitive information or installing remote access software, giving the attackers full control over their devices and accounts. The specific number of victims is currently unknown, but the campaign\u0026rsquo;s use of legitimate Apple infrastructure increases its potential reach and impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule detecting emails originating from Apple infrastructure (\u003ca href=\"mailto:appleid@id.apple.com\"\u003eappleid@id.apple.com\u003c/a\u003e) containing suspicious phone numbers to your SIEM.\u003c/li\u003e\n\u003cli\u003eMonitor for emails originating from \u003ccode\u003eappleid@id.apple.com\u003c/code\u003e that contain phone numbers in the email body and consider blocking the identified number \u003ccode\u003e18023530761\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEducate users to treat unexpected account alerts claiming purchases or urging them to call support numbers with extreme caution, especially if they did not initiate any recent changes.\u003c/li\u003e\n\u003cli\u003eReview email gateway logs for emails originating from \u003ccode\u003eappleid@id.apple.com\u003c/code\u003e and \u003ccode\u003euatdsasadmin@email.apple.com\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-19T16:03:01Z","date_published":"2026-04-19T16:03:01Z","id":"/briefs/2026-04-apple-phishing/","summary":"A phishing campaign is abusing legitimate Apple account change notifications to deliver fake iPhone purchase scams, tricking users into calling malicious support numbers.","title":"Apple Account Notification Phishing Campaign","url":"https://feed.craftedsignal.io/briefs/2026-04-apple-phishing/"}],"language":"en","title":"CraftedSignal Threat Feed — Callback Phishing","version":"https://jsonfeed.org/version/1.1"}