Hackers exploited a zero-day vulnerability in Salesforce’s legitimate email services and SMTP servers to target Facebook users with phishing emails.

The campaign was discovered by Guardio Labs analysts Oleg Zaytsev and Nati Tal, who reported the unknown vulnerability to Salesforce and helped them with the remediation process.

Guardio Labs says the attackers figured out a way to exploit Salesforce’s “Email-to-Case” feature, which organizations use for converting incoming customer emails to actionable tickets for their support teams.

Specifically, the attackers set up a new “Email-to-Case” flow to gain control of a Salesforce-generated email address, then created a new inbound email address on the “salesforce.com” domain.

Generated Salesforce address (Guardio Labs)

Next, they set that address as an “Organization-Wide Email Address,” which Salesforce’s Mass Mailer Gateway uses for outbound emails, and finally went through the verification process to confirm ownership of the domain.

Clicking on the verification link to confirm ownership (Guardio Labs)

This process allowed them to use their Salesforce email address to send out messages to anyone, bypassing both Salesforce’s verification protections and any other email filters and anti-phishing systems in place.

Indeed, this is what Guardio Labs observed in the wild, with phishing emails that supposedly came from “Meta Platforms” using the “case.salesforce.com” domain.

Phishing email sampled from a real attack (Guardio Labs)
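
A defender-side check for the pattern described above, where the display name claims a brand but the sending domain belongs to a third-party service. This is an added example, not code from Guardio Labs or Salesforce. The brand-to-domain allowlist, the sample messages, their placeholder local parts and the `Authentication-Results` values are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allowlist: domains each brand is expected to send from. Replace with your own.
BRAND_DOMAINS = {
    "meta": {"meta.com", "facebookmail.com"},
    "facebook": {"facebook.com", "facebookmail.com"},
}

def domain_allowed(domain, allowed):
    """True if domain equals an allowed domain or is a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def check_sender(raw_message):
    """Flag mail whose From display name claims a brand its sending domain does not belong to."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    words = set(re.findall(r"[a-z0-9]+", display.lower()))
    claimed = [b for b, allowed in BRAND_DOMAINS.items()
               if b in words and not domain_allowed(domain, allowed)]
    auth = msg.get("Authentication-Results", "").lower()
    return {
        "domain": domain,
        "mismatched_brands": claimed,
        # SPF/DKIM only vouch for the sending domain, not for the display name.
        "auth_passed": "spf=pass" in auth and "dkim=pass" in auth,
        "suspicious": bool(claimed),
    }

# Constructed samples (not real captured mail); local parts are placeholders.
PHISH = (
    "Authentication-Results: mx.example.net; spf=pass; dkim=pass\n"
    'From: "Meta Platforms" <placeholder@case.salesforce.com>\n'
    "Subject: Account notice\n\nbody\n"
)
LEGIT = (
    "Authentication-Results: mx.example.net; spf=pass; dkim=pass\n"
    'From: "Facebook" <notification@facebookmail.com>\n'
    "Subject: Login alert\n\nbody\n"
)
SUPPORT = (
    "Authentication-Results: mx.example.net; spf=pass; dkim=pass\n"
    'From: "Acme Support" <placeholder@case.salesforce.com>\n'
    "Subject: Your case\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT), ("support", SUPPORT)):
        print(name, check_sender(raw))
```

The constructed phishing sample is flagged even though its authentication results pass, while an ordinary support message from the same domain is not.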

Clicking on the embedded button takes the victim to a phishing page hosted and displayed as part of the Facebook gaming platform (“apps.facebook.com”), which adds further legitimacy to the attack and makes it even harder for the email recipients to realize the fraud.

Phishing page hosted on the Facebook gaming platform (Guardio Labs)

The phishing kit used in this campaign is designed to steal Facebook account credentials, and it even includes mechanisms for bypassing two-factor authentication.

The observed attack chain (Guardio Labs)

Guardio Labs says they’ve contacted Meta’s Engineering and security teams and provided all the details about this abuse.

“We’re doing a root cause analysis to see why our detections and mitigations for these sorts of attacks didn’t work” (Meta’s Engineering)

Meta removed the violating pages upon Guardio Labs’ report; however, its engineers are still investigating why existing protections failed to stop the attacks.
