Received a strange email in Russian with contents of one of my Notes! Is this a vulnerability issue?
Yesterday, a colleague received a Russian spam email to our product's support email account. This isn't unusual, but he translated it out of interest and found that it was the majority of one of his notes from Notes on his Mac. We've been investigating since but have found no explanation or cause so far.
A day or so before, he’d deleted that note from Notes but copied the contents of it into his clipboard to paste it elsewhere.
He's now changed his passwords, particularly on his iCloud account, email, etc., and run a virus scan of his Mac, which was clean. He's running the latest macOS and iOS versions and was prior to copying/deleting the note in question.
The strange thing is that the note wasn't sent to his iCloud email address; it was sent to a completely unassociated support email, so it seems like his iCloud account wasn't compromised. The rest of the spam email was genuine spam linked to medical equipment and other random things rather than any threats or ransom-type messages.
It almost feels like he may have inadvertently visited a compromised website after copying his note text, which pulled it from his clipboard through Safari. Or maybe he used a compromised app on his phone or Mac.
We're trying to figure out how this could have happened and would appreciate the thoughts of the community. Are there any known vulnerabilities that could cause this? I've heard of Universal Clipboard causing headaches, but I thought it notified you if something pasted from it without your knowledge?
Any help or suggestions would be appreciated.