Researchers have discovered a new phishing campaign targeting Facebook accounts while exploiting a Salesforce zero-day. The vulnerability under attack affects the Salesforce SMTP servers and email services, allowing an adversary to send phishing emails through a trusted gateway.
Salesforce Zero-Day Used For Facebook Phishing Campaign
As elaborated in a detailed post from Guardio Labs, their researchers detected an active Facebook phishing campaign exploiting a Salesforce SMTP server zero-day.
Specifically, the vulnerability, identified as “PhishForce,” allows an adversary to evade Salesforce’s existing sender verification measures. Hence, an attacker may exploit the flaw to generate phishing emails that are sent from the legitimate Salesforce domain and infrastructure.
That’s what the attackers did in a recent phishing campaign. However, they didn’t rely solely on the Salesforce zero-day; they also exploited a vulnerability in Facebook’s web games platform.
The attackers chained the two flaws to generate phishing emails that impersonated Meta as the email sender. The attackers also crafted a well-designed email body, warning the recipient that multiple Facebook accounts had been detected.
Moreover, the text even includes the target users’ real names, luring them into submitting their Facebook account credentials. It also includes legitimate redirect links containing “facebook.com,” which help the email pass anti-spam security checks.
However, the mismatch between the email sender’s display name (Meta Platforms) and the sender’s email address domain (carrying “salesforce” in it) alerted the researchers.
Describing the attack strategy, the researchers stated that the attackers gained control of a Salesforce-generated domain by creating a new “Email-to-Case” flow. While the Salesforce “case” feature turns inbound emails into actionable tickets, the attackers set up the Salesforce address as the “Organization-Wide Email Address,” which the system uses for outbound mass mailing. This manipulation allowed the attackers to use the Salesforce domain for sending phishing emails.
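A defender-side check for the sender mismatch the researchers noticed, as an added example that is not part of Guardio’s post: it flags a From or Reply-To header whose display name claims Meta or Facebook while the address domain is not one of those brands’ sending domains. The brand-to-domain list, the helper names and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Brands whose display names are often impersonated, mapped to domains they
# legitimately send from. Constructed, illustrative list; tune it per tenant.
BRAND_DOMAINS = {
    "meta": ("meta.com", "facebookmail.com"),
    "facebook": ("facebookmail.com", "facebook.com"),
}

def _domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()

def _allowed(domain: str, allowed: tuple) -> bool:
    # Accept the exact domain or any subdomain of an allowed domain.
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def brand_mismatches(raw_message: str) -> list:
    """Return one finding per header (From, Reply-To) whose display name
    claims a known brand while the address domain is not one of that
    brand's sending domains. An empty list means no mismatch was found."""
    msg = message_from_string(raw_message)
    findings = []
    for header in ("From", "Reply-To"):
        value = msg.get(header)
        if not value:
            continue
        display, addr = parseaddr(value)
        domain = _domain_of(addr)
        for brand, allowed in BRAND_DOMAINS.items():
            if re.search(rf"\b{brand}\b", display, re.IGNORECASE) and not _allowed(domain, allowed):
                findings.append(f"{header}: display name claims '{brand}' but domain is '{domain}'")
    return findings

# Constructed sample resembling the mismatch described above: a Meta display
# name on an address whose domain belongs to a third-party mailing gateway.
SAMPLE_PHISH = """\
From: Meta Platforms <case.mailer@salesforce.example>
To: victim@example.net
Subject: Multiple Facebook accounts detected

Please review your account.
"""

# Constructed sample of a display name that matches its sending domain.
SAMPLE_LEGIT = """\
From: Meta <security@facebookmail.com>
To: user@example.net
Subject: Security notice
"""

if __name__ == "__main__":
    for finding in brand_mismatches(SAMPLE_PHISH):
        print("SUSPICIOUS:", finding)
    print("legit findings:", brand_mismatches(SAMPLE_LEGIT))
```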
Upon discovering this phishing campaign, the researchers reported the respective vulnerabilities to both Salesforce and Meta. While Salesforce has already patched the flaw, Meta continues investigating the matter.
Once again, this campaign emphasizes the need for users to verify unsolicited emails before interacting with them.
Let us know your thoughts in the comments.