The Guardio research team discovered an email phishing campaign exploiting a zero-day vulnerability in Salesforce’s legitimate email services and SMTP servers.
Phishing email sample as was sent from the “@salesforce.com” email address
The vulnerability allowed threat actors to craft targeted phishing emails, evading conventional detection methods by leveraging Salesforce’s domain and reputation and exploiting legacy quirks in Facebook’s web games platform.
83% of organizations face phishing attacks every year. Mass-market emails are the most prevalent form of phishing: disguised as messages from reputable companies, they deceive recipients into harmful actions such as downloading malware or clicking malicious links that expose credentials for social and financial accounts.
By routing their phishing traffic through legitimate, trusted email gateway services, the threat actors hid malicious messages among genuine mail and capitalized on those companies' sending volume and domain reputation.
- The phishing emails appeared authentic, mentioning the target’s real name and successfully bypassing traditional anti-spam and anti-phishing mechanisms, as they included legitimate links to Facebook and originated from the @salesforce.com email address.
- Threat actors exploited Salesforce’s “Email-To-Case” feature, which is designed to convert inbound customer emails into actionable tickets. By abusing it they could receive the feature's verification emails and gain control of a genuine @salesforce.com email address for their phishing campaign.
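The two bullets above describe why this mail defeated conventional filters: it came from a real @salesforce.com address, so SPF and DKIM passed, and its links pointed at a legitimate Facebook domain. A content-level check that does not depend on sender authentication is therefore a useful defensive complement. The script below is an added example, not Guardio's tooling and not Salesforce's or Meta's code; it triages a constructed RFC 5322 message against a constructed policy table (`TRUSTED_SENDER_LINK_POLICY`, whose entries are assumptions for illustration, not documented Salesforce link domains) and flags a trusted sender domain whose message body links to domains outside that sender's expected set, noting when authentication passed anyway.

```python
"""Heuristic triage for mail that passes SPF/DKIM but links outside the sender's domains.

Added example. Assumptions: the policy table below and the two sample messages
are constructed for illustration; the eTLD+1 reduction is a crude approximation.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed policy: link domains a trusted sender domain is expected to use.
# These values are assumptions for the example, not a vendor-published list.
TRUSTED_SENDER_LINK_POLICY = {
    "salesforce.com": {"salesforce.com", "force.com"},
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample: authenticated sender, link to an unrelated (legitimate) domain.
SAMPLE_EML = """\
From: "Support" <support@salesforce.com>
To: victim@example.com
Subject: Action required on your account
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=salesforce.com; dkim=pass header.d=salesforce.com
Content-Type: text/plain; charset="utf-8"

Hello Jane,
Please review the notice at https://www.facebook.com/placeholder-path within 24 hours.
Regards
"""

# Constructed sample: same sender, link stays inside the sender's own domains.
BENIGN_EML = """\
From: "Support" <support@salesforce.com>
To: user@example.com
Subject: Your weekly report
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=salesforce.com; dkim=pass header.d=salesforce.com
Content-Type: text/plain; charset="utf-8"

Your report is ready at https://login.salesforce.com/ for download.
"""


def sender_domain(msg):
    """Domain of the header From address, lower-cased ("" if absent)."""
    addr = parseaddr(str(msg.get("From", "")))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def registrable(host):
    """Crude eTLD+1: last two labels. Fine for .com, wrong for co.uk-style suffixes."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def link_domains(msg):
    """Set of registrable domains found in URLs in the preferred body part."""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    hosts = set()
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.add(registrable(host))
    return hosts


def auth_passed(msg):
    """True when the receiving MTA recorded spf=pass and dkim=pass."""
    ar = str(msg.get("Authentication-Results", "") or "")
    return "spf=pass" in ar and "dkim=pass" in ar


def triage(raw):
    """Return sender domain, link domains and a list of findings for one message."""
    msg = message_from_string(raw, policy=policy.default)
    sd = sender_domain(msg)
    allowed = TRUSTED_SENDER_LINK_POLICY.get(sd)
    links = link_domains(msg)
    findings = []
    if allowed is not None:
        off_policy = sorted(d for d in links if d not in allowed)
        if off_policy:
            findings.append(f"trusted sender {sd} links to {', '.join(off_policy)}")
    if findings and auth_passed(msg):
        # The page's point: authentication passing is not evidence of legitimacy here.
        findings.append("SPF/DKIM passed; authentication alone would not have caught this")
    return {"sender_domain": sd, "link_domains": sorted(links), "findings": findings}


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EML), ("benign", BENIGN_EML)):
        print(label, triage(raw))
```

The rule deliberately treats a link to a legitimate third-party domain as a finding rather than trusting it, because in this campaign the landing page lived on a legitimate Facebook property; the policy table is where a mail team would encode which third-party domains a given trusted sender is actually expected to reference.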
Phishing campaign flow: From Salesforce to phishing kit hiding in Facebook’s web games platform
After identifying the scheme, Guardio disclosed its findings to Salesforce and Meta, and both companies addressed the issue.
“This incident with Salesforce highlights the importance for service providers to exercise additional caution and implement stringent measures to prevent abuse of legitimate services for malicious activities,” said Nati Tal, Head of Guardio Labs. “We commend Salesforce and Meta for their prompt actions and ongoing efforts to bolster the security and resilience of their platforms. We advise other service providers to follow suit, securing data gateways and bolstering verification processes.”