Phishers Exploit Salesforce’s Email Services Zero-Day in Targeted Facebook Campaign

A sophisticated Facebook phishing campaign has been observed exploiting a zero-day flaw in Salesforce’s email services, allowing threat actors to craft targeted phishing messages using the company’s domain and infrastructure.

“Those phishing campaigns cleverly evade conventional detection methods by chaining the Salesforce vulnerability and legacy quirks in Facebook’s Web Games platform,” Guardio Labs researchers Oleg Zaytsev and Nati Tal said in a report shared with The Hacker News.

The email messages masquerade as coming from Meta, while being sent from an email address with a “@salesforce.com” domain. They seek to trick recipients into clicking on a link by claiming that their Facebook accounts are undergoing a “comprehensive investigation” due to “suspicions of engaging in impersonation.”

The goal is to direct users to a rogue landing page that’s designed to capture the victim’s account credentials and two-factor authentication (2FA) codes. What makes the attack notable is that the phishing kit is hosted as a game under the Facebook apps platform using the domain apps.facebook[.]com.

“So it’s a no-brainer why we’ve seen this email slipping through traditional anti-spam and anti-phishing mechanisms. It includes legit links (to facebook.com) and is sent from a legit email address of @salesforce.com, one of the world’s leading CRM providers,” the researchers explained.

It’s worth pointing out that Meta retired the Web Games feature in July 2020, although it’s possible to retain support for legacy games that were developed prior to its deprecation.

While sending out emails using a salesforce.com entails a validation step, Guardio Labs said the scheme cleverly gets around these protective measures by configuring an Email-to-Case inbound routing email address that uses the salesforce.com domain and setting it up as the organization-wide email address.

“This triggers the verification flow that sends the email to this routing address, ending up as a new task in our system,” the researchers said, pointing out it leads to a scenario where a salesforce.com email address can be verified simply by clicking on the link accompanying the request to add the actor-controlled address.

“From here you just go on and create any kind of phishing scheme, even targeting Salesforce customers directly with these kinds of emails. And the above will end up in the victim’s inbox, bypassing anti-spam and anti-phishing mechanisms, and even marked as Important by Google.”

Following responsible disclosure on June 28, 2023, Salesforce addressed the zero-day as of July 28, 2023, with new checks that prevent the use of email addresses from the @salesforce.com domain.

The development comes as Cofense warned of increased phishing activity that employs Google Accelerated Mobile Pages (AMP) URLs to bypass security checks and conduct credential theft.

That said, this is by no means the first time phony notifications related to Facebook have been employed in the wild. In December 2022, Trustwave detailed a social engineering attack that redirects victims into bogus credential harvesting pages under the guise of appealing against a copyright violation.

“The prevalence of phishing attacks and scams remains high, with bad actors continuously testing the limits of email distribution infrastructure and existing security measures,” the researchers said.

“A concerning aspect of this ongoing battle is the exploitation of seemingly legitimate services, such as CRMs, marketing platforms, and cloud-based workspaces, to carry out malicious activities.”