{"id":21735,"date":"2026-04-20T11:08:17","date_gmt":"2026-04-20T09:08:17","guid":{"rendered":"https:\/\/kordon.app\/?p=21735"},"modified":"2026-04-20T11:08:18","modified_gmt":"2026-04-20T09:08:18","slug":"latest-interesting-cybersecurity-news-2026-20-04","status":"publish","type":"post","link":"https:\/\/kordon.app\/et\/latest-interesting-cybersecurity-news-2026-20-04\/","title":{"rendered":"Latest Interesting Cybersecurity News &#8211; 2026-20-04"},"content":{"rendered":"\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong>I go through about 25 cybersecurity news portals and blogs every week and pull out the most interesting stories. <\/strong>Then I turn them into this short, digestible summary, so you can stay up to date without trying to follow 25 different sources yourself. \ud83d\ude31<\/p>\n\n\n\n<p>My aim is to create a summary that gives you the gist without needing to open up the source article. But if you do want to dig deeper, all the sources covering the event are linked below each story.<\/p>\n\n\n\n<p><strong>If you enjoy these, come back next Monday.<\/strong><\/p>\n\n\n\n<p><strong>Scroll to the bottom to subscribe to the e-mail newsletter.<\/strong><\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">1. 
Vercel incident traced to compromised third-party AI OAuth app used to take over employee Google Workspace account<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><span style=\"letter-spacing: 0.3px;\">Vercel reported an incident where a compromise of a third-party AI tool led to <\/span><b style=\"letter-spacing: 0.3px;\">takeover of a Vercel employee\u2019s Google Workspace account and access to some internal environments and non-sensitive environment variables<\/b><span style=\"letter-spacing: 0.3px;\">.&nbsp;<\/span><br><div><span style=\"letter-spacing: 0.3px;\"><br><\/span><\/div><div>Vercel is a cloud platform serving <b>6 million developers across 80,000 active teams, <\/b>widely used for deploying web applications and increasingly known for v0, its AI-powered vibe coding tool.<br><\/div><div><span style=\"letter-spacing: 0.3px;\"><br><\/span><\/div><div><span style=\"letter-spacing: 0.3px;\"><b>Vercel says it has contacted a limited subset of customers whose credentials were compromised,<\/b> continues investigating possible data exfiltration, and published an indicator to help others detect the same OAuth app in their Google Workspace environments.<\/span><br><\/div><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Vercel says the incident <b>originated with a compromise of Context.ai<\/b>, a third-party AI tool used by a Vercel employee.<\/li>\n\n\n<li>The attacker accessed <b>environment variables that were not marked \u201csensitive\u201d<\/b>; Vercel says it currently has no evidence that values marked as \u201csensitive\u201d (stored so they cannot be read) were accessed.<\/li>\n\n\n<li>Vercel initially identified <b>a limited subset of customers whose Vercel credentials were compromised<\/b> and recommended immediate credential rotation to those customers.<\/li>\n\n\n<li>Vercel published a Google Workspace IOC and recommends admins check for <b>the OAuth client ID 
110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com<\/b>.<\/li>\n\n\n<li>Vercel says it engaged <b>Mandiant and other incident response support<\/b>, notified law enforcement, and states services remain operational while the investigation continues.<\/li>\n\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>In Google Workspace, immediately check for and remediate usage of <b>OAuth client ID 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com<\/b>.<\/li>\n\n\n<li>In Vercel, <b>rotate any environment variables that contain secrets but were not marked as \u201csensitive\u201d<\/b>, treating those values as potentially exposed.<\/li>\n\n\n<li>Enable and use <b>Vercel \u201csensitive environment variables\u201d<\/b> for secret values going forward so they cannot be read.<\/li>\n\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/vercel.com\/kb\/bulletin\/vercel-april-2026-security-incident\">Vercel<\/a><\/p>\n\n\n\n\n\n<h2 class=\"wp-block-heading\">2. 
NIST stops automatically enriching most CVEs in the NVD, prioritizing KEV, federal-used, and EO 14028 \u201ccritical software\u201d issues<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><div>NIST has updated National Vulnerability Database operations so that&nbsp;<strong>only three categories of CVEs will receive automatic enrichment<\/strong>&nbsp;(analysis, metadata, and severity scoring): those in CISA's Known Exploited Vulnerabilities (KEV) catalog, those affecting software used by the US federal government, or those classified as \"critical software\" under Executive Order 14028.&nbsp;<\/div><div><span style=\"letter-spacing: 0.3px;\"><b><br><\/b><\/span><\/div><div><span style=\"letter-spacing: 0.3px;\"><b>Everything else<\/b> \u2014 including vulnerabilities in software widely used outside the US federal ecosystem \u2014 will be listed in the NVD but left unenriched,<b> marked \"Not Scheduled.\"<\/b><\/span><\/div><div><br><\/div><div>This matters because&nbsp;<strong>unenriched CVEs are effectively invisible to most vulnerability management workflows<\/strong>, which depend on NVD metadata to match vulnerabilities to assets and trigger alerts. 
The change follows a 263% surge in CVE submissions between 2020 and 2025, and shifts the analysis burden onto CNAs, vendors, and security teams themselves \u2014 who must now actively seek out enrichment from alternative sources rather than relying on NVD as a complete, authoritative feed.<\/div><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Prioritization took effect <b>April 15, 2026<\/b>, with non-qualifying CVEs marked \u201cNot Scheduled\u201d for automatic enrichment.<\/li>\n\n\n<li>NIST said it <b>enriched nearly 42,000 vulnerabilities last year<\/b> and reported 2026 Q1 submissions were nearly one-third higher than the same period in 2025.<\/li>\n\n\n<li>Organizations can request attention for exceptions: NIST said users may <b>email nvd@nist[.]gov to request enrichment or reanalysis<\/b> for specific CVEs when warranted.<\/li>\n\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Update vulnerability-management workflows to <b>treat \u201cNot Scheduled\u201d NVD entries as requiring alternate enrichment sources<\/b> (CNA\/vendor advisories, KEV, and your existing threat-intel feeds) rather than waiting on NVD metadata.<\/li>\n\n\n<li>Adjust any automations that depend on NVD-only scoring to <b>ingest CNA-provided CVSS (or equivalent) where present<\/b>, since NIST may not publish a separate score for those CVEs.<\/li>\n\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.nist.gov\/news-events\/news\/2026\/04\/nist-updates-nvd-operations-address-record-cve-growth\">NIST<\/a>, <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/nist-to-stop-rating-non-priority-flaws-due-to-volume-increase\/\">BleepingComputer<\/a>, <a href=\"https:\/\/thehackernews.com\/2026\/04\/nist-limits-cve-enrichment-after-263.html\">The Hacker News<\/a>, <a 
href=\"https:\/\/www.darkreading.com\/vulnerabilities-threats\/nist-revamps-cve-framework-to-focus-on-high-impact-vulnerabilities\">Dark Reading<\/a>, <a href=\"https:\/\/cyberscoop.com\/nist-narrows-cve-analysis-nvd\/\">CyberScoop<\/a><\/p>\n\n\n\n\n\n<h2 class=\"wp-block-heading\">3. OpenAI rotates macOS code-signing certificates after GitHub Actions workflow pulled malicious Axios package<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">OpenAI said a GitHub Actions workflow used in its macOS app-signing process <b>downloaded and executed a malicious Axios release<\/b> during the late-March supply-chain compromise, prompting the company to revoke and rotate its Mac code-signing certificate.&nbsp;<div><br><\/div><div><b>OpenAI reported no evidence of user-data access, compromised internal systems\/IP, or altered software, <\/b>but warned older macOS app versions will lose support\/functionality once the old certificate is fully revoked on May 8, 2026.<\/div><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The Axios maintainer\u2019s npm and GitHub accounts were taken over via social engineering, enabling attackers to publish <b>poisoned Axios versions 1.14.1 and 0.30.4<\/b> that were live for about three hours.<\/li>\n\n\n<li>The malicious Axios releases included a fake dependency (\u201cplain-crypto-js\u201d) that delivered <b>the WAVESHAPER.V2 backdoor<\/b> (reported as cross-platform: Windows\/macOS\/Linux).<\/li>\n\n\n<li>OpenAI said the affected workflow had access to <b>code-signing certificate and notarization material<\/b> for ChatGPT Desktop, Codex, Codex CLI, and Atlas; OpenAI described the incident\u2019s root cause as a GitHub workflow misconfiguration.<\/li>\n\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ensure macOS fleets are updated to <b>ChatGPT Desktop 1.2026.071+, Codex App 26.406.40811+, Codex CLI 0.119.0+, and Atlas 1.2026.84.2+<\/b> before the May 8, 2026 
revocation deadline.<\/li>\n\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/openai-rotates-macos-certs-after-axios-attack-hit-code-signing-workflow\/\">BleepingComputer<\/a>, <a href=\"https:\/\/thehackernews.com\/2026\/04\/openai-revokes-macos-app-certificate.html\">The Hacker News<\/a>, <a href=\"https:\/\/cyberscoop.com\/openai-axios-supply-chain-attack\/\">CyberScoop<\/a>, <a href=\"https:\/\/hackread.com\/openai-macos-certificates-axios-supply-chain-breach\/\">Hackread<\/a>, <a href=\"https:\/\/www.securityweek.com\/openai-impacted-by-north-korea-linked-axios-supply-chain-hack\/\">SecurityWeek<\/a><\/p>\n\n\n\n\n\n<h2 class=\"wp-block-heading\">4. 108 malicious Chrome extensions used shared C2 to exfiltrate sessions and inject arbitrary JavaScript<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Researchers linked a cluster of 108 Chrome Web Store extensions to a coordinated campaign where <b>all add-ons route stolen credentials, identities, and browsing data to the same command-and-control (C2) backend<\/b>. 
The extensions masquerade as games and productivity\/Telegram tools but run background code to steal session tokens (including Telegram Web), capture Google identity data via OAuth, and in some cases inject ads or arbitrary JavaScript into pages.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The extensions were published under five identities \u2014 <b>Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt<\/b> \u2014 and collectively reached about <b>20,000 installs<\/b> in the Chrome Web Store.<\/li>\n\n\n<li>Socket found multiple behavior clusters, including <b>54 extensions stealing Google account identity via OAuth2<\/b> and <b>45 using a \u201cuniversal backdoor\u201d that opens arbitrary URLs when the browser starts<\/b>.<\/li>\n\n\n<li>Five add-ons reportedly used Chrome\u2019s <b>declarativeNetRequest API to strip security headers<\/b> (e.g., CSP \/ X-Frame-Options \/ CORS) from targeted sites to enable injected overlays, ads, or scripts.<\/li>\n\n\n<li>Some extensions <b>exfiltrate Telegram Web sessions repeatedly (e.g., every 15 seconds)<\/b> and can manipulate session data to replace a victim\u2019s active Telegram session with attacker-supplied session data.<\/li>\n\n\n<li>All 108 were reported to share infrastructure, with the backend <b>hosted at 144.126.135[.]238<\/b>; campaign-linked developer URLs observed in listings included <b>top[.]rodeo, webuk[.]tech, and interalt[.]net<\/b>.<\/li>\n\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>Audit and remove any of the 108 extension IDs<\/b> from managed browsers using the published list: https:\/\/socket.dev\/blog\/108-chrome-ext-linked-to-data-exfil-session-theft-shared-c2<\/li>\n\n\n<li>Add network controls to <b>block connections to 144.126.135[.]238<\/b> and review proxy\/DNS logs for contact with <b>top[.]rodeo<\/b>, <b>webuk[.]tech<\/b>, and <b>interalt[.]net<\/b>.<\/li>\n\n\n<li>If any were 
installed, <b>log out of all Telegram Web sessions<\/b> from the Telegram mobile app (and remove the extension(s) first).<\/li>\n\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/thehackernews.com\/2026\/04\/108-malicious-chrome-extensions-steal.html\">The Hacker News<\/a>, <a href=\"https:\/\/socket.dev\/blog\/108-chrome-ext-linked-to-data-exfil-session-theft-shared-c2?utm_medium=feed\">Socket<\/a>, <a href=\"https:\/\/cybersecuritynews.com\/chrome-extensions-steal-user-data\/\">Cybersecurity News<\/a><\/p>\n\n\n\n\n\n<h2 class=\"wp-block-heading\">5. Attackers abuse n8n cloud webhook URLs to host phishing flows, deliver malware, and fingerprint email recipients<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Cisco Talos reports threat actors have been abusing <b>n8n-managed cloud webhook URLs (on *.app.n8n[.]cloud) as trusted-looking infrastructure for phishing<\/b>, including malware delivery and tracking. Because webhook workflows can return web content to the user\u2019s browser (or be triggered by email-client fetches), attackers can make malicious flows appear to originate from a legitimate n8n subdomain.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>In one campaign, a \u201cshared document\u201d lure led to an n8n-hosted page showing a CAPTCHA; completing it <b>triggered a malicious payload download from an external host<\/b> while the browser perceived the flow as coming from the n8n domain.<\/li>\n\n\n<li>A separate pattern used <b>tracking pixels hosted on n8n webhook URLs<\/b>, causing email clients to send HTTP GET requests with tracking parameters (including the victim\u2019s email address) when messages were opened.<\/li>\n\n\n<li><b>Abuse has been observed since at least October 2025<\/b>, leveraging URL-exposed webhooks in the n8n cloud service.<\/li>\n\n\n<li><b>Talos measured a 686% increase in emails containing n8n webhook URLs<\/b> in March 2026 compared with January 
2025.<\/li>\n\n\n<li>The malware delivery chain aimed to install an <b>EXE or MSI that deploys modified legitimate RMM tools (e.g., Datto and ITarian Endpoint Management)<\/b> to establish persistence and connect to a C2 server.<\/li>\n\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Add detections and email\/web filtering rules for <b>unexpected links to *.app.n8n[.]cloud (especially webhook URLs) in inbound mail<\/b>, and triage messages using \u201cshared document\u201d + CAPTCHA lures.<\/li>\n\n\n<li>Hunt for <b>downloads of EXE\/MSI installers followed by installation or execution of RMM tooling<\/b> (including Datto and ITarian Endpoint Management) originating from these phishing chains.<\/li>\n\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/thehackernews.com\/2026\/04\/n8n-webhooks-abused-since-october-2025.html\">The Hacker News<\/a><\/p>\n\n\n\n\n\n<h2 class=\"wp-block-heading\">6. Community plugins for popular note-taking app Obsidian weaponized to trigger cross-platform malware, including new PHANTOMPULSE Windows RAT<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Elastic Security Labs tracked a campaign (REF6598) where targets are lured via LinkedIn\/Telegram into opening an attacker-controlled Obsidian Sync vault and enabling community plugin sync, after which <b>legitimate Obsidian community plugins are abused to silently execute attacker-defined commands on vault open<\/b>. 
The chain delivers Windows malware culminating in a previously undocumented RAT (\u201cPHANTOMPULSE\u201d) and a separate macOS path using an AppleScript dropper with Telegram-based fallback C2 resolution.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>Victims are given credentials to an attacker-controlled, cloud-hosted Obsidian vault<\/b> and instructed to enable community plugin sync, which is disabled by default and requires user action.<\/li>\n\n\n<li><b>Initial execution is driven by the Obsidian \u201cShell Commands\u201d plugin<\/b>, which can run platform-specific commands on triggers like app startup\/open; the campaign also used the \u201cHider\u201d plugin (v1.6.1) to conceal UI elements.<\/li>\n\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Consider a policy to <b>disable or tightly govern Obsidian community plugins (especially \u201cShell Commands\u201d) on corporate endpoints<\/b>, including guidance that users should not enable \u201cInstalled community plugins\u201d\/\u201cActive community plugin list\u201d sync from untrusted vaults.<\/li>\n\n\n<li>Add detections\/hunts for <b>Obsidian spawning PowerShell<\/b> and for network activity to <b>195.3.222[.]251<\/b> and <b>panel.fefea22134[.]net<\/b> (defang\/format appropriately for your tooling).<\/li>\n\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.elastic.co\/security-labs\/phantom-in-the-vault\">Elastic Security Labs<\/a><\/p>\n\n\n\n\n\n<h2 class=\"wp-block-heading\">7. 
\u201cGhost APIs\u201d keep deprecated endpoints live, letting attackers bypass modern auth via forgotten interfaces<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">The article warns that <b>deprecated API endpoints often remain reachable in production (\u201cGhost APIs\u201d)<\/b>, creating a gap where systems that are \u201cdead by policy\u201d still work at runtime.&nbsp;<div><br><\/div><div>Because these legacy endpoints can predate MFA\/zero-trust controls and may be rediscovered via archives or GenAI reconstruction, attackers can use them as an easier path to sensitive data\u2014illustrated by the Optus breach tied to an exposed API endpoint.<\/div><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>Ghost APIs differ from Shadow APIs<\/b>: Shadow APIs are unknown\/undocumented, while Ghost APIs are known endpoints that were marked deprecated and removed from docs but never actually disabled.<\/li>\n\n\n<li><b>GenAI can reconstruct deprecated endpoint structures quickly<\/b> using public training data (e.g., old GitHub code, Stack Overflow, archived docs), reducing the effort needed to find and probe old interfaces.<\/li>\n\n\n<li><b>Attackers commonly surface Ghost APIs via predictable URL\/version patterns and archived documentation<\/b> (e.g., brute-forcing \/v1\/, \/legacy\/ and pulling older endpoint maps from the Wayback Machine).<\/li>\n\n\n<li><b>Older endpoints may still accept weaker auth<\/b> (static keys\/basic auth\/older token schemes), which can sometimes be extracted from legacy clients or repositories and used against endpoints that were never upgraded.<\/li>\n\n\n<li><b>Real-world impact example: Optus (2022)<\/b>\u2014a customer-data API endpoint was queried without credentials due to an earlier coding error, leading to exposure of 9.5 million records, with regulators later noting missed opportunities to identify and fix the issue.<\/li>\n\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>Run <b>\u201cscream tests\u201d by disabling a deprecated endpoint for 24\u201348 hours<\/b> and monitoring for legitimate breakage before permanent removal.<\/li>\n\n\n<li>Move active APIs to <b>short-lived, identity-scoped tokens (instead of broad long-lived API keys)<\/b> so legacy endpoints that can\u2019t support modern identity enforcement are naturally cut off.<\/li>\n\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/hackread.com\/deprecated-endpoints-attacker-best-friend-ghost-apis\/\">Hackread<\/a><\/p>\n\n\n\n\n\n<h2 class=\"wp-block-heading\">8. UnDefend PoC shows standard users can prevent Microsoft Defender signature updates by locking definition files<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">A newly published proof-of-concept dubbed \u201cUnDefend\u201d demonstrates that <b>a non-admin user can block Microsoft Defender from loading updated malware signatures by holding file locks on Defender\u2019s definition\/update files<\/b>. 
The technique turns Defender\u2019s update flow against itself\u2014updates can download but fail at load time\u2014leaving endpoints stuck on old signatures until the locking process is stopped.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The PoC relies on <b>Windows file-handle sharing\/byte-range locks<\/b> to deny Defender read access to definition files while still allowing Windows Update to write them, causing signature load failures.<\/li>\n\n\n<li>UnDefend attempts multiple independent locking paths, including <b>locking both the active signatures and the last-known-good backup<\/b> so Defender can\u2019t easily roll back after an update failure.<\/li>\n\n\n<li>It also watches Defender\u2019s definition staging area for changes and then <b>grabs and holds handles to newly modified definition files<\/b> to prevent the Defender engine from reading them during the update\/load step.<\/li>\n\n\n<li>The author notes (but does not publish) an additional capability to <b>misreport Defender \u201cup-to-date\u201d status to EDR\/management consoles<\/b>, implying a path from noisy update failure to stealthy, long-lived degradation.<\/li>\n\n\n<li>Related reporting links the PoC activity to a cluster of recent Microsoft Defender issues\/zero-days, including <b>RedSun and BlueHammer<\/b>, with at least some leaked Windows\/Defender zero-days now reported as exploited in the wild.<\/li>\n\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If you manage Defender via MDE\/Intune\/SCCM, add a validation check that compares <b>console-reported signature versions vs. 
on-disk definition timestamps\/versions<\/b> to catch endpoints that \u201creport green\u201d but aren\u2019t actually updating.<\/li>\n\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/thehackernews.com\/2026\/04\/three-microsoft-defender-zero-days.html\">The Hacker News<\/a>, <a href=\"https:\/\/www.csoonline.com\/article\/4160275\/caught-quarantined-re-installed-redsun-turns-microsoft-defender-on-itself.html\">CSO Online<\/a>, <a href=\"https:\/\/www.coresecurity.com\/blog\/analysis-redsun-local-privilege-escalation-defender-remediation-abuse\">Core Security<\/a>, <a href=\"https:\/\/nefariousplan.com\/posts\/undefend\/\">Nefarious Plan<\/a>, <a href=\"https:\/\/nefariousplan.com\/posts\/bluhammer\/\">Nefarious Plan<\/a>, <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/recently-leaked-windows-zero-days-now-exploited-in-attacks\/\">BleepingComputer<\/a><\/p>\n\n\n\n\n\n<h2 class=\"wp-block-heading\">9. Phishers embed fake iPhone purchase lures inside legitimate Apple Account change-alert emails<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Attackers are abusing Apple\u2019s Apple ID profile-change notifications to deliver <b>callback phishing lures inside legitimately authenticated emails sent from Apple\u2019s servers<\/b>. 
The emails try to scare recipients with a fake \u201c$899 iPhone purchase\u201d claim and push them to call a phone number, where scammers attempt to extract financial info or persuade victims to install remote access software.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The messages were sent from <b>appleid@id.apple.com and passed SPF, DKIM, and DMARC<\/b>, indicating they were not simple spoofed emails.<\/li>\n\n\n<li>The attacker <b>creates an Apple ID and inserts the phishing text into user-controlled profile fields<\/b> (split across first\/last name), which Apple then includes in its security notification template.<\/li>\n\n\n<li>To trigger the alert, the attacker <b>changes the account\u2019s shipping information<\/b>, prompting Apple to email a \u201cyour account information was updated\u201d notice that now contains the embedded lure.<\/li>\n\n\n<li>BleepingComputer reports the email appeared to originate from <b>Apple mail infrastructure (including an Apple-owned IP address 17.111.110.47)<\/b> based on header analysis.<\/li>\n\n\n<li>Header analysis also indicated <b>the original recipient differed from the final delivery address<\/b>, suggesting the actor may be distributing the messages via a mailing list.<\/li>\n\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Update user guidance\/runbooks so helpdesks and staff treat Apple alerts that <b>include purchase claims or a \u201ccall support\u201d phone number<\/b> as suspicious, even if the message is authenticated.<\/li>\n\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/apple-account-change-alerts-abused-to-send-phishing-emails\/\">BleepingComputer<\/a><\/p>\n\n\n\n\n\n<h2 class=\"wp-block-heading\">Subscribe<\/h2>\n\n\n\n<p>Subscribe to receive this weekly cybersecurity news summary to your inbox every Monday.<\/p>\n\n\n                <div 
class=\"ml-embedded\" data-form=\"pKq7EM\"><\/div>\n            ","protected":false},"excerpt":{"rendered":"<p>Latest interesting cybersecurity news from April 2026<\/p>","protected":false},"author":1,"featured_media":21736,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[32],"tags":[],"class_list":["post-21735","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/21735","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/comments?post=21735"}],"version-history":[{"count":1,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/21735\/revisions"}],"predecessor-version":[{"id":21737,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/21735\/revisions\/21737"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/media\/21736"}],"wp:attachment":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/media?parent=21735"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/categories?post=21735"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/tags?post=21735"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}