Cybercriminals used the legitimacy of Salesforce’s email gateway to bypass security scanners and target Meta customers in an effort to steal Facebook credentials.
One of the initial challenges any phishing attack has is to make it past the security measures designed to scan and identify malicious emails. One way around them is to misuse a legitimate, well-known platform's own outbound email system. We saw this recently with legitimate PayPal invoices being sent to unwitting victims, using PayPal's own outbound email system as the delivery mechanism. And because the email really does come from PayPal, of course it's going to make its way to the inbox.
A new attack on Meta customers has been uncovered in which cybercriminals misuse Salesforce's "Email-To-Case" feature, which converts emails sent to Salesforce into helpdesk tickets and, in doing so, sends out a legitimate outbound email. Because that email comes from an @salesforce.com domain, security scanners are going to let it through every time.
In this particular scam, Facebook was impersonated: the recipient was told they had violated guidelines and needed to "request a review", which took them to a spoofed Facebook login page that captured their credentials.
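As an added example (not code from the original article or from Salesforce), here is a small Python check of the kind a mail-security team might run over inbound messages: it treats the sender domain as reputation-neutral when it is a known SaaS relay such as salesforce.com, and flags a message that mentions a brand but links to hosts that brand does not own. The relay list, brand map and sample message are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption: platforms that relay mail on behalf of their customers, so the
# sender domain alone says nothing about who wrote the content.
SAAS_RELAY_DOMAINS = {"salesforce.com", "paypal.com"}
# Assumption: brands a lure may imitate, mapped to the domains their real links use.
BRAND_DOMAINS = {"facebook": ("facebook.com", "fb.com", "meta.com")}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def _domain(addr_header):
    """Domain part of an address header, lower-cased ('' if none)."""
    _, addr = parseaddr(addr_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host_matches(host, legit_domains):
    """True if host is one of the legitimate domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in legit_domains)


def flag_relayed_brand_lure(raw_message):
    """Return findings for a raw RFC 5322 message as (brand, from_domain, hosts).

    A finding means: the mail arrived via a trusted SaaS relay, its body talks
    about a brand, and its links point at hosts that brand does not own."""
    msg = message_from_string(raw_message, policy=policy.default)
    from_domain = _domain(msg["From"])
    if from_domain not in SAAS_RELAY_DOMAINS:
        return []  # ordinary sender: normal reputation checks apply
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    hosts = {h.lower() for h in URL_RE.findall(text)}
    findings = []
    for brand, legit in BRAND_DOMAINS.items():
        if brand not in text.lower():
            continue
        foreign = sorted(h for h in hosts if not _host_matches(h, legit))
        if foreign:
            findings.append((brand, from_domain, foreign))
    return findings


# Constructed sample lure: relayed from salesforce.com, impersonating Facebook.
SAMPLE_LURE = """From: Support <noreply@salesforce.com>
To: victim@example.com
Subject: Case 00123: Your Facebook page violated our guidelines
Content-Type: text/plain

Your Facebook page has been flagged for violating community guidelines.
Request a review within 24 hours: https://fb-review.example.net/login
"""
```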
These kinds of attacks go to show that you can't trust any email – regardless of who sends it, what domain it comes from, whether it looks legitimate, and so on. Users who undergo security awareness training have a much better understanding of this and are less likely to engage with such content, however legitimate it may look.