Post by CISO Whisperer


What happened: Threat actors are abusing Apple's account change notification system to deliver callback phishing scams through legitimate emails sent directly from Apple's servers. They insert phishing text into user-supplied name fields that Apple then embeds in genuine security alert emails, so the messages pass SPF, DKIM, and DMARC checks and bypass standard spam filters.

Who it affects: Any Apple account holder can be targeted, as the attack requires no access to the victim's account. Organizations whose employees use Apple IDs for personal or work-adjacent purposes face particular exposure where callback phishing is used to harvest credentials or initiate fraudulent support interactions.

What CISOs should do:
1. Brief staff on the fact that emails passing authentication checks and originating from known sender domains can still carry phishing lures, particularly those involving unexpected purchases or urgent support numbers.
2. Ensure employees know to verify any unsolicited Apple account change notification referencing a purchase or prompting a call directly through appleid.apple.com or the Apple Support app, rather than by engaging with the email content.
3. Assess whether current filtering and detection rules account for phishing content delivered inside otherwise legitimate transactional emails from major platforms, and consider user-level training that specifically addresses this pattern.

#Apple #CyberSecurity #CISO #Phishing #EmailSecurity #SocialEngineering #IncidentResponse #SecurityAwareness

Read the article: https://lnkd.in/gtbxTyJc
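The third recommendation asks whether existing detection rules handle lures embedded in mail that is otherwise fully authenticated. The following added example (not from the original post, and not Apple's or any vendor's code) shows the shape of such a rule: it parses a message, reads the SPF/DKIM/DMARC results from the Authentication-Results header, and treats a phone number combined with urgency wording as a callback lure. The trusted-domain list, the regexes and both sample messages are constructed assumptions for illustration; the fictional 555 number stands in for whatever a real lure would carry.

```python
"""
Added example: flag transactional emails that pass SPF/DKIM/DMARC yet carry a
callback-phishing lure (a phone number next to urgency language) in the body.
Everything below is constructed for illustration; it is not the post's code.
"""
import email
import email.utils
import re
from email import policy

# Assumption: domains whose transactional mail normally authenticates cleanly.
TRUSTED_TRANSACTIONAL = {"apple.com", "email.apple.com"}

# North American style phone numbers; a real rule would cover more formats.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URGENCY_RE = re.compile(
    r"\b(call|contact|cancel|refund|unauthori[sz]ed|immediately|not you)\b",
    re.IGNORECASE,
)


def auth_results(msg) -> dict:
    """Pull spf=, dkim= and dmarc= results out of Authentication-Results."""
    header = msg.get("Authentication-Results", "") or ""
    return {
        m.group(1).lower(): m.group(2).lower()
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header, re.IGNORECASE)
    }


def sender_domain(msg) -> str:
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def body_text(msg) -> str:
    if msg.is_multipart():
        part = msg.get_body(preferencelist=("plain", "html"))
        return part.get_content() if part else ""
    return msg.get_content()


def classify(raw: str) -> dict:
    """Return a verdict plus the evidence the verdict rests on."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = auth_results(msg)
    authenticated = all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    domain = sender_domain(msg)
    text = body_text(msg)
    phones = PHONE_RE.findall(text)
    lure = bool(phones) and bool(URGENCY_RE.search(text))

    if lure and authenticated and domain in TRUSTED_TRANSACTIONAL:
        # Authentication passing is not evidence the content is benign.
        verdict = "authenticated-callback-lure"
    elif lure:
        verdict = "callback-lure"
    else:
        verdict = "clean"
    return {"verdict": verdict, "domain": domain, "auth": auth, "phones": phones}


# Constructed samples: both claim to pass all three checks from a trusted domain.
HEADERS = [
    "From: Account Notice <noreply@email.apple.com>",
    "To: user@example.org",
    "Subject: Your account information was changed",
    "Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=email.apple.com;"
    " dkim=pass header.d=apple.com; dmarc=pass header.from=apple.com",
    "Content-Type: text/plain; charset=utf-8",
    "",
]
CLEAN_SAMPLE = "\n".join(HEADERS + [
    "The name on your account was changed to: Jane Doe",
    "If you made this change, no action is needed.",
])
LURE_SAMPLE = "\n".join(HEADERS + [
    "The name on your account was changed to:",
    "Order confirmed $899. Not you? Call 1-800-555-0100 to cancel immediately",
    "If you made this change, no action is needed.",
])

if __name__ == "__main__":
    for name, raw in (("clean", CLEAN_SAMPLE), ("lure", LURE_SAMPLE)):
        print(name, classify(raw)["verdict"])
```

The design point is that a passing DMARC result should narrow the rule, not short-circuit it: mail from a trusted transactional domain that also contains a phone number and urgency text is the exact combination the post describes, so it is scored higher, not lower, than the same content from an unknown sender. In production you would key the text check on the template field the sender lets customers control rather than the whole body, which cuts false positives from genuine support numbers in footers.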
