Callback phishing via Apple ID display name abuse

Detects callback phishing that abuses legitimate Apple ID notification emails as a delivery mechanism. The threat actor sets their Apple ID display name to a callback scam lure (e.g., a fake charge with a phone number), which Apple then embeds in the "Dear [name]" greeting of a routine account change notification. This legitimate email is forwarded to multiple targets via a distribution list, bypassing sender reputation checks since it originates from Apple's real infrastructure. The rule extracts the name field from the greeting and applies NLU classification to detect callback scam language within it.

Sublime rule

name: "Callback phishing via Apple ID display name abuse"
description: >-
  Detects callback phishing that abuses legitimate Apple ID notification
  emails as a delivery mechanism. The threat actor sets their Apple ID
  display name to a callback scam lure (e.g., a fake charge with a phone
  number), which Apple then embeds in the "Dear [name]" greeting of a
  routine account change notification. This legitimate email is forwarded
  to multiple targets via a distribution list, bypassing sender reputation
  checks since it originates from Apple's real infrastructure. The rule
  extracts the name field from the greeting and applies NLU classification
  to detect callback scam language within it.
type: "rule"
severity: "high"
source: |
  type.inbound
  and sender.email.email == "appleid@id.apple.com"
  and (
    // the actor controls the name portion of the Apple account, so extract that
    // English greetings start with "Dear", but other languages might start with "Hello";
    // the email template and HTML div class names are the same across languages
    any(html.xpath(body.html, '//div[@class="email-body"]').nodes,
        any(regex.iextract(.display_text, '^(?P<first_line>[^\n]+)\n'),
            // NLU catches the actor-controlled value as a callback scam
            any(ml.nlu_classifier(beta.ml_translate(.named_groups["first_line"]).text
                ).intents,
                .name == "callback_scam"
            )
            // we have to account for NLU not catching it as callback_scam:
            // this catches two or more digits followed by 2-5 capital letters (e.g. "599 USD");
            // the Unicode category Lu covers capital letters from many languages
            or regex.contains(beta.ml_translate(.named_groups["first_line"]).text,
                              '\d{2,} \p{Lu}{2,5} '
            )
            // commonly observed phrase "if not you call"
            or strings.icontains(.named_groups["first_line"], "If not you call")
            // first line ends in a phone number
            or regex.contains(.named_groups["first_line"], '\d+,$')
        )
    )
    // the email address of the Apple account appears in the body of the message
    or (
      any(body.current_thread.links,
          .parser == "plain"
          and .href_url.scheme == "mailto"
          // actor observed using `appleservice207@icloud.com`
          and (
            (
              strings.istarts_with(strings.parse_email(.href_url.url).local_part,
                                   'apple'
              )
              and strings.parse_email(.href_url.url).domain.domain not in $org_domains
            )
            // newly registered domains like peekaboo.baby
            or network.whois(.href_url.domain).days_old < 30
          )
      )
    )
  )
  and not recipients.to[0].email.domain.domain in $org_domains
attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Out of band pivot"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "a8607ce1-8614-505a-99c2-c8c716e80bc6"
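As an added illustration, not part of the Sublime rule or the project's code, the following Python mirrors the rule's non-NLU fallbacks over the actor-controlled greeting. It takes the display text of the email-body div as input (the xpath extraction is assumed already done), uses constructed sample text rather than a real Apple template, and does not reproduce the ml_translate or NLU intent steps.

```python
import re
import unicodedata


def first_line(display_text):
    """The rule's regex.iextract(.display_text, '^(?P<first_line>[^\\n]+)\\n'):
    the greeting is the first line of the email-body div's text."""
    m = re.match(r"^([^\n]+)\n", display_text)
    return m.group(1) if m else None


def amount_with_currency(line):
    """Mirror of the rule's '\\d{2,} \\p{Lu}{2,5} ': two or more digits, a space,
    a run of 2-5 uppercase letters in any script (Unicode category Lu, checked
    via unicodedata because re lacks \\p{..}), then a space, e.g. '599 USD '."""
    for m in re.finditer(r"\d{2,} ", line):
        i = j = m.end()
        while j < len(line) and unicodedata.category(line[j]) == "Lu":
            j += 1
        if 2 <= j - i <= 5 and line[j:j + 1] == " ":
            return True
    return False


def lure_indicators(display_text):
    """Names of the rule's non-NLU greeting heuristics that fire; [] means none.
    The NLU intent check and the ml_translate step are not reproduced here."""
    line = first_line(display_text)
    if line is None:
        return []
    checks = {
        "amount_and_currency": amount_with_currency(line),
        "if_not_you_call": "if not you call" in line.lower(),
        "ends_with_phone_digits": re.search(r"\d+,$", line) is not None,
    }
    return [name for name, hit in checks.items() if hit]


# Constructed samples of the email-body div's display text (not real Apple
# templates): a greeting carrying an actor-controlled lure, and a benign one.
LURE_TEXT = ("Dear Invoice 599 USD Paid. If not you call 1-800-555-0100,\n"
             "The email address for your Apple ID was changed.\n")
BENIGN_TEXT = "Dear Jane Doe,\nThe email address for your Apple ID was changed.\n"


if __name__ == "__main__":
    print(lure_indicators(LURE_TEXT), lure_indicators(BENIGN_TEXT))
```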