Hackers exploited a zero-day vulnerability in Salesforce’s legitimate email services and SMTP servers to target Facebook users with phishing emails.
The campaign was discovered by Guardio Labs analysts Oleg Zaytsev and Nati Tal, who reported the unknown vulnerability to Salesforce and helped them with the remediation process.
Guardio Labs says the attackers figured out a way to exploit Salesforce’s “Email-to-Case” feature, which organizations use for converting incoming customer emails to actionable tickets for their support teams.
Specifically, the attackers set up a new “Email-to-Case” flow to gain control of a Salesforce-generated email address, then created a new inbound email address on the “salesforce.com” domain.
Next, they set that address as an “Organization-Wide Email Address,” which Salesforce’s Mass Mailer Gateway uses for outbound emails, and finally went through the verification process to confirm ownership of the domain.
This process allowed them to use their Salesforce email address to send out messages to anyone, bypassing both Salesforce’s verification protections and any other email filters and anti-phishing systems in place.
Indeed, this is what Guardio Labs observed in the wild, with phishing emails that supposedly came from “Meta Platforms” using the “case.salesforce.com” domain.
Clicking on the embedded button takes the victim to a phishing page hosted and displayed as part of the Facebook gaming platform (“apps.facebook.com”), which adds further legitimacy to the attack and makes it even harder for the email recipients to realize the fraud.
The goal of the phishing kit employed in this campaign is to steal Facebook account credentials, even featuring two-factor authentication bypassing mechanisms.
Guardio Labs says they’ve contacted Meta’s Engineering and security teams and provided all the details about this abuse.
“We’re doing a root cause analysis to see why our detections and mitigations for these sorts of attacks didn’t work” (Meta’s Engineering)
Meta removed the violating pages upon Guardio Labs’ report; however, its engineers are still investigating why existing protections failed to stop the attacks.
Bijay Pokharel
Related posts
Recent Posts
Subscribe
Cybersecurity Newsletter
You have Successfully Subscribed!
Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox. You are also consenting to our Privacy Policy and Terms of Use.