Cybercriminals exploited a zero-day — or previously unknown — software vulnerability in Salesforce’s email services to launch a “sophisticated” phishing campaign, Guardio Labs’ cybersecurity team reported on Thursday.

The attackers, exploiting a flaw the Guardio team dubbed “PhishForce,” managed to bypass Salesforce’s sender verification safeguards and exploit “legacy” (or old) quirks in Facebook’s web games platform to send bulk phishing emails that appeared to come from “@salesforce.com.”

Following the discovery, Guardio Labs promptly notified Salesforce, and the firm’s security team responded swiftly by reproducing the issue and fixing it.

“As of the 28th of July ’23, the vulnerability was resolved and a fix was deployed affecting all Salesforce services and instances,” Guardio’s cybersecurity solutions wing, Guardio Labs, said in a report.

The phishing campaign also involved abuse of “apps.facebook.com,” which Meta addressed by removing the malicious accounts. According to the report, Meta’s engineers are investigating why their existing protections were ineffective at stopping these attacks.

Uncovering the Phishing Campaign

The phishing campaign was meticulously orchestrated. The emails appeared to be from “Meta Platforms” and were personalized, creating an air of authenticity, the report said.

In the emails, victims received warnings of account compromises and impending suspensions, urging them to take immediate action by clicking an embedded button.

Upon clicking the button, the victims were led to a phishing page hosted on Facebook’s gaming platform, designed to steal their Facebook account details.

The attackers exploited the Salesforce domain and SMTP (email message delivery) servers to send these emails, making them appear legitimate and harder to detect by traditional anti-spam and anti-phishing mechanisms, the report said.

To pull off this trick, the attackers manipulated the Salesforce email verification process.

By creating an “Email-To-Case” flow, Guardio Labs explained, they gained control over the username part of the generated Salesforce email address. This allowed them to create email addresses that looked exactly like legitimate ones.

The attackers used these addresses as part of an “Organization-Wide Email Address” to make the Salesforce Mass Mailer Gateway use them in the official outbound flow.

Following the discovery, Guardio Labs immediately jumped into action, working in close collaboration with Salesforce and Meta to dislodge the threats.

Phishing Threats Continue to Evolve

As phishing threats continue to evolve and leverage popular websites, relying solely on email protection solutions may not be enough. It is crucial to scrutinize emails for inconsistencies, such as grammatical errors and strange requests. Also, verify claims before clicking on links or taking any action.
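As an added illustration (not from the Guardio report or this article), the following Python check applies those inconsistency heuristics to a constructed message modelled on the campaign described above: a display name claiming one brand, a sender address at another domain, and a call-to-action link pointing at a third. The brand-to-domain allow-list, the sample addresses and the link path are assumptions.

```python
"""Flag the kinds of inconsistencies a recipient should look for in a message
modelled on the campaign above. Sample data and allow-list are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: display name says Meta, address is @salesforce.com,
# and the button links to apps.facebook.com (placeholder app path).
SAMPLE_EMAIL = """\
From: "Meta Platforms" <support@salesforce.com>
To: victim@example.com
Subject: Your account will be suspended
Content-Type: text/html

<p>We detected a policy violation. Your account will be suspended
within 24 hours unless you appeal.</p>
<a href="https://apps.facebook.com/EXAMPLE-APP/">Appeal now</a>
"""

# Brands worth watching, mapped to domains they actually send from.
# Constructed allow-list for this example; tune it to your environment.
BRAND_DOMAINS = {"meta": {"facebookmail.com", "meta.com"}}
URGENCY = re.compile(r"suspend|immediate|within \d+ hours", re.I)

def registrable(host):
    # Crude last-two-labels heuristic; enough for the sample domains.
    return ".".join(host.lower().split(".")[-2:])

def analyze(raw):
    """Return a list of human-readable findings; an empty list means nothing odd."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = registrable(addr.split("@")[-1])
    findings = []
    # 1. Display name invokes a brand whose real sending domains differ.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and from_dom not in domains:
            findings.append(f"brand '{display}' but sender domain {from_dom}")
    # 2. Links lead somewhere other than the sender's domain (a signal, not a verdict).
    body = msg.get_payload(decode=True).decode()
    for url in re.findall(r'href="([^"]+)"', body):
        link_dom = registrable(urlparse(url).hostname or "")
        if link_dom != from_dom:
            findings.append(f"link to {link_dom} in mail from {from_dom}")
    # 3. Pressure language urging immediate action.
    if URGENCY.search(msg.get("Subject", "") + body):
        findings.append("urgency language")
    return findings
```

A message that passes sender authentication, as these did, can still trip every one of these checks; that is the point of layering them on top of the mail gateway.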

We recommend exercising caution with emails from unknown senders. Read our guide to phishing to learn about common tactics that cybercriminals use and how to avoid falling for these deceptive schemes.
