Hackers exploit Salesforce email zero-day for Facebook phishing campaign

The threat actors used a vulnerability named “PhishForce” to conceal malicious email traffic in Salesforce’s legitimate email gateway services, capitalising on Salesforce and Meta’s size and reputation.

The attackers managed to evade conventional detection methods by “leveraging Salesforce’s domain and reputation and exploiting legacy quirks in Facebook’s web games platform,” the researchers added.

Salesforce has around 150,000 clients, a significant number of which are small businesses. Security vulnerabilities like these could be especially detrimental to SMBs, up to and including the closure of their business, if hackers get access to their sensitive data.

The Email Gateway feature is an important part of the Salesforce CRM. It consists of specialised servers dedicated to efficiently sending a large volume of email notifications and messages to customers worldwide.

Customers using the Salesforce CRM can send emails under their own brand by using custom domains. However, to ensure security and prevent abuse, the system follows a process of validating the ownership of the domain name before allowing emails to be sent.

The validation step ensures that only legitimate and authorised users can use custom domains for sending emails through the Salesforce platform.

In this phishing campaign, however, the fraudulent email messages appeared to come from Meta, while actually being sent from an email address with a “@salesforce.com” domain.

The campaign’s primary objective is to trick recipients into clicking on a link by claiming their Facebook accounts are under investigation, due to alleged involvement in impersonation activities (oh, the irony).

Upon clicking the embedded button, the victim is redirected to a rogue landing page hosted and displayed as part of the Facebook gaming platform (“apps.facebook.com”).

This tactic adds further legitimacy to the attack, making it significantly more challenging for email recipients to discern the page’s fraudulent nature.

The landing page is designed to capture the victim’s account credentials, as well as any two-factor authentication (2FA) codes they might enter.

Swift response

Upon replicating the creation of a Salesforce-branded address…