Hackers exploit Facebook vulnerability to launch phishing attack

According to a report on the BleepingComputer website, attackers exploited a flaw in Salesforce's email service and SMTP servers to run a sophisticated phishing campaign against selected Facebook accounts.


The attackers sent their phishing emails through a reputable mail gateway, in this case Salesforce, which helps them get past secure email gateways and filtering rules so that the malicious messages reach the target's inbox.

Guardio Labs analysts Oleg Zaytsev and Nati Tal discovered the vulnerability, reported it to Salesforce and helped get it fixed. The weakness on the Facebook Gaming platform side, however, is still open, and Meta engineers are still working out why the existing mitigations did not prevent the attack.

PhishForce vulnerability exploited in attacks

Salesforce CRM allows customers to use custom domain names to send emails as their own "brand," but those domains must be verified by the platform, which prevents customers from sending emails through Salesforce for other brands that they do not have the right to impersonate. Unfortunately, Guardio Labs says cyberattackers found a way to exploit Salesforce's "Email-to-Case" feature.

Specifically, the attacker sets up a new "Email-to-Case" flow, which gives them control of a Salesforce-generated inbound email address, and in this way obtains a new mailbox on the "salesforce.com" domain.

(Figure: Generated Salesforce address, Guardio Labs)

Next, the attackers set this address as an "organization-wide email address," which Salesforce's Mass Mailer Gateway uses as the sender of outbound email, and then complete the ownership verification step. Because the verification link is delivered to the Email-to-Case address they already control, they can simply click it to confirm "ownership."

(Figure: Clicking the verification link to confirm ownership, Guardio Labs)

The whole chain lets the attackers send messages to anyone from their own salesforce.com address, sidestepping Salesforce's sender verification; and because the mail genuinely originates from Salesforce's infrastructure and domain, it also passes email filters and anti-phishing systems that trust that sender.

This is exactly what Guardio Labs observed in the wild: phishing emails purporting to come from "Meta Platforms" but sent from the "case.salesforce.com" domain.

(Figure: Phishing email sample extracted from a real attack, Guardio Labs)
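The defensive takeaway from the sample above is that SPF and DKIM both pass, because the mail really does come from Salesforce; what gives it away is a display name claiming one brand ("Meta Platforms") on top of a shared platform sender domain that any Salesforce customer can emit mail from. The following is an added example (not code from the article, Guardio Labs or Salesforce) of a small header check that flags that pattern. The three messages are constructed samples, and the brand-to-domain map and the list of shared sender domains beyond case.salesforce.com are assumptions for illustration.

```python
"""
Flag display-name brand impersonation sent through a legitimate, shared
SaaS mail domain (the PhishForce pattern). Added example; samples are
constructed, not captured mail.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Sender domains shared by every customer of a mail platform. The case
# domain is the one named in the article; the bare domain is an assumption.
SHARED_SENDER_DOMAINS = {"case.salesforce.com", "salesforce.com"}

# Brand keyword in a display name -> domains that brand really sends from.
# Assumed mapping for the example; a production list would be curated.
BRAND_DOMAINS = {
    "meta": {"meta.com", "facebookmail.com", "facebook.com"},
    "facebook": {"meta.com", "facebookmail.com", "facebook.com"},
}

# Constructed sample 1: the PhishForce shape. Authentication passes for
# salesforce.com, the display name claims Meta, the link is on apps.facebook.com.
SAMPLE_PHISH = """\
From: "Meta Platforms" <support@case.salesforce.com>
To: victim@example.com
Subject: Your Facebook page is at risk of permanent suspension
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=salesforce.com; dkim=pass header.d=salesforce.com
Content-Type: text/plain

Your page was reported for policy violations. Appeal within 24 hours:
https://apps.facebook.com/constructed-example/
"""

# Constructed sample 2: genuine Meta mail from a Meta-owned sending domain.
SAMPLE_LEGIT = """\
From: "Meta" <security@facebookmail.com>
To: victim@example.com
Subject: New login to your account
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=facebookmail.com; dkim=pass header.d=facebookmail.com
Content-Type: text/plain

We noticed a new login from a device you have not used before.
"""

# Constructed sample 3: ordinary Salesforce case mail with no brand claim.
SAMPLE_SF_NORMAL = """\
From: "Acme Support" <support@case.salesforce.com>
To: victim@example.com
Subject: Case 00012345 has been updated
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=salesforce.com; dkim=pass header.d=salesforce.com
Content-Type: text/plain

Your support case has a new comment.
"""


def sender_parts(msg):
    """Return (display name, address, domain) from the From header."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, addr, domain


def claimed_brand(display_name):
    """First brand keyword that appears in the display name, or None."""
    for word in re.findall(r"[a-z]+", display_name.lower()):
        if word in BRAND_DOMAINS:
            return word
    return None


def assess(raw):
    """Return a list of reason codes; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    name, _addr, domain = sender_parts(msg)
    brand = claimed_brand(name)
    findings = []
    if brand is None:
        return findings  # no brand claimed in the display name, nothing to compare
    if domain not in BRAND_DOMAINS[brand]:
        findings.append("brand_domain_mismatch")
    if domain in SHARED_SENDER_DOMAINS:
        # SPF/DKIM vouch for the platform here, not for the brand in the display name.
        findings.append("shared_platform_sender")
    auth = msg.get("Authentication-Results", "")
    m = re.search(r"dkim=pass\b.*?header\.d=([\w.-]+)", auth)
    if m and m.group(1).lower() not in BRAND_DOMAINS[brand]:
        findings.append("dkim_domain_mismatch")
    return findings


if __name__ == "__main__":
    for label, raw in [("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT), ("sf-normal", SAMPLE_SF_NORMAL)]:
        print(label, assess(raw) or "clean")
```

The check deliberately does nothing with the link target: apps.facebook.com is a real Facebook host, which is the whole point of the lure, so a URL reputation lookup would have passed it. The signal worth alerting on is the combination of a brand claim in the display name with a sender domain the brand does not own, even when authentication results are all "pass".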

Once the victim clicks the embedded button, they land on a phishing page hosted on, and rendered as part of, the Facebook Gaming platform ("apps.facebook.com"). A page served from a genuine Facebook domain lends the attack extra legitimacy and makes it much harder for recipients to recognise the fraud.

(Figure: Phishing page hosted on the Facebook Gaming platform, Guardio Labs)

Guardio notes that the phishing kit used in this campaign is built to steal Facebook account credentials and also includes functionality for bypassing two-factor authentication.

(Figure: Observed attack chain, Guardio Labs)

Meta is actively investigating the cyber attack

Guardio Labs discovered the vulnerability on June 28, 2023 and reported it to Salesforce, which confirmed it; a fix was in place about a month later. Regarding the abuse of "apps.facebook.com," Guardio Labs noted that it should not be possible for an attacker to create a game page that functions as a login form. After receiving Guardio Labs' report, Meta removed the offending page, and its engineers are still investigating why the existing protections failed to stop the attack.

As phishing actors keep probing legitimate service providers for every opportunity to abuse them, new weaknesses like this one will keep putting users at serious risk. Users therefore cannot rely on email protection alone: they need to scrutinise every message in their inbox, look for inconsistencies, and double-check the claims it makes before acting on them.


Source: blog.csdn.net/FreeBuf_/article/details/132090993