Apr 20, 2026 · 9 min read
Scammers Are Sending Phishing From Apple's Own Email Servers—And Every Spam Filter Waves Them Through
Attackers abuse Apple ID account change notifications to deliver callback phishing from appleid@id.apple.com. SPF, DKIM, and DMARC all pass. The email is technically legitimate and technically a scam at the same time.
Every anti-phishing guide you have ever read told you the same thing: check the sender address. If the email says it is from Apple, look at the domain. If it does not say @apple.com, it is fake.
A new scam campaign just broke that rule. The phishing email arrives from appleid@id.apple.com. It originates from Apple's own mail servers. It passes every authentication check your inbox runs. And the message inside tells you that someone just used your Apple ID to buy an $899 iPhone through PayPal, and you need to call a phone number to stop it.
How the Scam Actually Works
BleepingComputer's Lawrence Abrams documented the campaign on April 19, 2026, after one of the emails landed in his own iCloud inbox. The mechanism is elegant and requires no technical exploit whatsoever. The scammers are not hacking Apple. They are using Apple the way Apple was designed to be used.
The recipe has three ingredients:
- Create a throwaway Apple ID. Anyone can sign up for a free Apple account in under two minutes.
- Stuff the phishing message into the name fields. When Apple asks for a first and last name during signup, the attacker writes their phishing copy instead: "Dear User 899 USD iPhone Purchase Via Pay-Pal To Cancel 18023530761."
- Trigger an account change notification. Apple automatically emails a security alert every time an Apple ID's shipping address, payment method, or personal details change. The attacker adds the victim's address as a shipping address on the newly created account. Apple's servers dutifully send a notification to that address confirming the change—and the notification embeds the attacker's phishing copy directly into the subject line and body.
The resulting email is, from every technical angle, genuine. The headers include dkim=pass header.d=id.apple.com. The sending IP traces back to 17.111.110.47, which is an Apple-owned block. The transport servers are real Apple infrastructure: rn2-txn-msbadger01107.apple.com and outbound.mr.icloud.com. A spam filter that cares about authentication, reputation, and TLS handshakes will see a clean bill of health.
Why It Lands in the Priority Inbox
Modern email providers lean hard on sender reputation. Gmail, iCloud, Outlook, and most corporate gateways rank incoming mail by a trust score that blends SPF, DKIM, DMARC, sender history, domain age, and user engagement signals. An Apple security notification hits the top of that chart. People read Apple alerts. They reply to them. They do not mark them as spam. Every one of those behaviors has, over years, taught the filter to route anything from appleid@id.apple.com directly to the main inbox.
The scam email inherits all of that reputation. It slides into the primary folder, often with a push notification, next to the real Apple alerts the victim has been receiving for years.
This is the same loophole that has powered a string of recent phishing campaigns that ride on legitimate infrastructure: PayPal invoice abuse, DocuSign envelope abuse, Microsoft 365 shared document abuse, Google Calendar invite abuse. The attacker does not need to spoof a domain or register a look-alike. They convince a trusted sender to deliver the message for them.
The Callback Phishing Payoff
The email does not contain a link. That is deliberate. Links are what spam filters, URL rewriters, and browser safe browsing lists are built to catch. Instead the message carries a phone number—1-802-353-0761 in the documented sample—and a dollar amount scary enough to make the recipient pick up the phone.
This is callback phishing, sometimes called TOAD (Telephone Oriented Attack Delivery). The FBI's Internet Crime Complaint Center logged callback phishing as one of the top growing attack categories in its 2025 report, and the mechanics are always the same:
- The victim calls the number, worried about an unauthorized charge.
- A call center agent answers in character as Apple, PayPal, or the victim's bank.
- The agent walks the victim through installing remote access software—AnyDesk, TeamViewer, or a custom app—"to refund the charge."
- With remote control established, the agent empties bank accounts, initiates wire transfers, or harvests credentials stored in the browser.
The elderly are disproportionately targeted. The FBI reported that Americans over 60 lost $4.9 billion to cyber fraud in 2024, with callback scams ranking among the fastest-growing subcategories.
Why Apple Has Not Shut This Down
The attack abuses a feature, not a bug. Apple's account notification system is supposed to email users whenever their account details change—that is a core security guarantee. If the notification system refused to include user-supplied names in the message body, its utility would collapse. An alert that said "someone changed the name on your account" without telling you what the new name is would be worse than useless.
Apple could, and probably will, start sanitizing the name fields used in these templates—stripping URLs, phone numbers, and all-caps dollar amounts from notification bodies. PayPal fought the same battle with invoice abuse in 2022 and eventually rolled out an automated phishing-language filter on its outbound invoice stream. BleepingComputer reports that it reached out to Apple on Friday, April 17, and had received no response by publication.
Until that fix ships, every Apple ID user is a potential recipient, and every spam filter will deliver the message without complaint.
How to Tell the Real Alerts From the Fakes
The easiest tell is grammar. Apple's legitimate notifications are copy edited, consistent, and typographically clean. The scam versions read like they were assembled from spam-word bingo: "Pay-Pal" with a hyphen, mixed capitalization, phone numbers wedged into sentences, and a generic "Dear User" greeting instead of the recipient's real name. A real Apple notification addresses you by the name on your account.
The other tell is the structure. A legitimate Apple purchase receipt includes an itemized order number, a delivery address, and a link that opens your Apple ID account page—not a phone number in the first paragraph. If the email tells you to call to cancel a charge, it is a scam. Apple does not operate that way. Ever.
If you want to verify whether a charge actually hit your account, do it from a fresh browser tab at appleid.apple.com, or from the Settings app on your iPhone. Never from a link, phone number, or QR code inside the suspicious email.
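The tells above are all in the content, not the envelope. As an added illustration (not code from the article or from BleepingComputer), this Python triage function deliberately ignores sender reputation, confirms only that DKIM passed for Apple's domain, and then scores the subject and body for the content tells over two constructed messages; the Authentication-Results header, addresses and sample text are assumptions made for the example.

```python
import email
import re
from email import policy

# Constructed samples (not captured mail). The first mirrors the documented
# campaign: authentication passes, but the attacker-chosen account name carries
# the phishing copy. The second is a clean notification for comparison.
AUTH_HDR = ("Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=id.apple.com;"
            " dkim=pass header.d=id.apple.com; dmarc=pass")
SCAM_EML = f"""\
From: Apple <appleid@id.apple.com>
Subject: Dear User 899 USD iPhone Purchase Via Pay-Pal To Cancel 18023530761 shipping address updated
{AUTH_HDR}

Dear User 899 USD iPhone Purchase Via Pay-Pal To Cancel 18023530761,
A new shipping address was added to your Apple ID.
"""
CLEAN_EML = f"""\
From: Apple <appleid@id.apple.com>
Subject: Your shipping address was updated
{AUTH_HDR}

Dear Jane,
A new shipping address was added to your Apple ID. If you did not make this
change, sign in at appleid.apple.com to review your account.
"""

# Content-level tells named in the article; none of these look at the sender.
INDICATORS = {
    "phone_number": re.compile(r"(?<!\d)1?[-.\s]?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}(?!\d)"),
    "dollar_amount": re.compile(r"\$\s?\d[\d,]*(?:\.\d{2})?|\b\d[\d,]*\s?USD\b"),
    "generic_greeting": re.compile(r"\bdear (?:user|customer|client)\b", re.I),
    "mangled_brand": re.compile(r"\bpay-pal\b", re.I),
    "call_to_act": re.compile(r"\b(?:call|cancel|refund)\b", re.I),
}

def authenticated_apple(msg):
    """True when the receiving MTA recorded dkim=pass for Apple's signing domain."""
    ar = msg.get("Authentication-Results", "")
    return "dkim=pass" in ar and "header.d=id.apple.com" in ar

def triage(raw):
    """Flag callback phishing riding inside an authenticated notification."""
    msg = email.message_from_string(raw, policy=policy.default)
    text = msg.get("Subject", "") + "\n" + msg.get_content()
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    # One hit is weak (a real receipt carries an amount); two or more inside a
    # transactional alert is the "call to cancel" shape the article describes.
    verdict = "callback-phishing" if len(hits) >= 2 else "clean"
    return {"authenticated": authenticated_apple(msg), "indicators": hits, "verdict": verdict}
```

Both messages come back as authenticated; only the content score separates them, which is the point of the section above.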
The Broader Pattern: Trusted Infrastructure Is the New Attack Surface
For most of the 2010s, phishing detection focused on the sender. If the envelope looked legitimate, the message was treated as legitimate. That assumption has collapsed. The modern phishing ecosystem increasingly delivers malicious content through senders that are—by every technical definition—real.
Recent examples from the last 90 days alone include a phishing service that hijacks legitimate Microsoft 365 device code authentication, a credential-harvesting campaign that abused poisoned 'Office 365' search results to steal paychecks, and the ATHR AI vishing platform that blends email with automated voice calls. In each case the attacker is not breaking into trusted infrastructure. They are using trusted infrastructure as a delivery channel.
This pattern has an implication for how you think about your inbox. You can no longer rely on the "from" field, the green padlock, or the fact that an email passed DMARC. You have to read the message itself and ask: does the action this email is asking me to take make sense? If it is asking you to call a number, install a tool, or open a link under pressure, the envelope does not matter.
What to Actually Do
If an Apple notification like this lands in your inbox:
- Do not call the number. Legitimate Apple emails never include a support phone number embedded in the body text. Apple's actual support line is reachable from support.apple.com after logging in to your account.
- Forward the email to Apple. Send it as an attachment, not as a copy-paste, to reportphishing@apple.com. This preserves the headers that let Apple trace the malicious account.
- Check your actual purchase history. Open the Settings app on your iPhone, tap your name, then "Media & Purchases." Any real charge appears there.
- Turn on purchase confirmations. In the same menu, enable Face ID or Touch ID for every purchase. If someone really has your Apple ID password, they still cannot spend money.
- Enable two-factor authentication. This is already the default for new Apple IDs, but older accounts may not have it on. Verify at appleid.apple.com.
If you already called the number and installed remote access software, treat it as a compromise: disconnect the device, change your Apple ID password from a different machine, change your bank passwords, and call your bank from the number on the back of your card (not from whatever number the scammer gave you).
Your Inbox Is the Perimeter
The Apple campaign is one snapshot of a larger shift. Email is the control plane for nearly every account you own—your bank, your cloud storage, your password resets, your crypto wallets. A phishing message that convinces you to act does not need to be clever about malware or exploits. It needs to arrive in the right inbox, at the right moment, carrying the right brand.
That is why the tools that reduce noise and surveillance in your inbox are worth the attention. Marketing emails ride on tracking pixels that report every open, every device, every location to the sender—data that is eventually sold, leaked, or used to time the next social engineering attempt. Gblock is a free Chrome extension that blocks those tracking pixels in Gmail without breaking the rest of the inbox. Less data leaking out means a smaller profile for phishing campaigns to target.
Email security in 2026 is not about trusting the sender. It is about verifying the action. When in doubt, close the email and go to the source directly. A real Apple charge will still be there five minutes from now. A scam depends on you not taking those five minutes.