Zero Day

Phishing

Salesforce Zero-Day Exploited to Phish Facebook Credentials

Unraveling the sophisticated phishing campaign that leveraged a zero-day flaw in Salesforce's email services to deceive Facebook users

05-Aug-2023
3 min read

In a recently observed incident, attackers exploited a zero-day flaw in Salesforce's email and SMTP services to run a highly targeted phishing campaign aimed at stealing Facebook credentials. Guardio researchers discovered the attack, which concealed malicious activity behind what looked like legitimate Salesforce infrastructure. In this Threatfeed, we examine the context of this attack, analyze its impact on both Salesforce and Facebook, and explore security measures that can fortify legitimate mail gateways against such evolving threats.

A Salesforce Email-Validation Flaw

The attackers harnessed a zero-day vulnerability in Salesforce's email-validation mechanism, enabling them to send mail from "@salesforce.com" addresses and thus bypass traditional anti-spam and anti-phishing checks. The phishing emails, which appeared to come from "Meta Platforms," contained genuine links to the Facebook platform, lending further credibility to the lure.

Elusive Phishing Scam

To ensnare unsuspecting Facebook users, the malicious emails directed recipients to a legitimate Facebook domain, "apps.facebook.com." Once on this seemingly harmless page, users were told of a fictitious violation of Facebook's terms of service. A prominently placed button then redirected them to a phishing page, where personal information, including full names, account names, email addresses, phone numbers, and passwords, was collected.

Salesforce's Response

Although the attackers executed the phishing campaign with apparent finesse, Salesforce promptly detected the abuse. The company's security team, working with Guardio researchers and law enforcement, addressed the issue swiftly, closing the zero-day vulnerability and mitigating any potential impact on customer data. Salesforce showed a commitment to transparency and promptly disclosed the incident to its users.

Abusing Facebook's Legacy Game Canvases

Meanwhile, on the Facebook side, the attackers took advantage of legacy game canvases created before the feature was discontinued. Using these accounts, the threat actors inserted malicious content directly into the Facebook platform, bypassing two-factor authentication mechanisms. Meta Platforms, Facebook's parent company, reacted swiftly and removed the malicious accounts and web games.

Analyzing the Security Gap

The Salesforce zero-day and its use in phishing attacks highlight a disconcerting security gap. Threat actors have found ways to launch sophisticated phishing campaigns through legitimate services such as CRMs and cloud-based platforms, whose reputations lend their messages credibility. Traditional security measures often struggle to keep up with these evolving tactics.

Protecting Legitimate Mail Gateways: A Call to Action

The prevalence of phishing scams underscores the urgency for service providers to bolster security measures and protect their platforms from exploitation. To counteract phishing attempts that abuse secure and reputable mail gateways, providers must implement stringent verification processes that confirm a sender is entitled to use an address before mail is accepted for delivery. Additionally, continuous monitoring and analysis are crucial to identify and mitigate misuse of the gateway swiftly.
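As an added illustration of the monitoring point above (this is not code from the original article, nor from Guardio, Salesforce or Meta), the following Python check flags the pattern described in this Threatfeed: a display name impersonating a brand while the authenticated sender domain belongs to an unrelated mail gateway. The brand-to-domain map and the sample message are constructed assumptions, not data from the campaign.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Brands commonly impersonated in display names, mapped to the domains those
# brands actually send mail from. Illustrative list (an assumption), not authoritative.
BRAND_DOMAINS = {
    "meta": {"facebookmail.com", "meta.com"},
    "facebook": {"facebookmail.com", "facebook.com"},
}

# Constructed sample modelled on the campaign described above: the message
# authenticates as salesforce.com while the display name claims to be Meta and
# the body links to a real Facebook host. Not a captured message.
SAMPLE_EMAIL = """\
From: "Meta Platforms" <noreply@salesforce.com>
To: victim@example.com
Subject: Your account violates our terms
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=salesforce.com; dkim=pass header.d=salesforce.com
Content-Type: text/plain

Review the notice at https://apps.facebook.com/EXAMPLE-APP-ID/ within 24 hours.
"""


def brand_impersonation_findings(raw: str) -> list[str]:
    """Return human-readable findings for a brand/sender mismatch, or [] if none."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    findings = []
    for brand, legit in BRAND_DOMAINS.items():
        if brand in display.lower() and sender_domain not in legit:
            findings.append(f"display name claims '{brand}' but sender domain is {sender_domain}")
    if not findings:
        return []
    # A passing SPF/DKIM result only vouches for the gateway domain (salesforce.com here),
    # not for the brand in the display name, so it must not override the mismatch.
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=pass" in auth or "dkim=pass" in auth:
        findings.append("authentication passed for the gateway domain only, not for the impersonated brand")
    # Links to the brand's real domain lend credibility but do not make the mail legitimate.
    body = msg.get_payload(decode=True).decode(errors="replace")
    legit_hosts = {d for domains in BRAND_DOMAINS.values() for d in domains}
    for host in re.findall(r"https?://([^/\s]+)", body):
        if any(host == d or host.endswith("." + d) for d in legit_hosts):
            findings.append(f"body links to {host}, which belongs to the impersonated brand")
        else:
            findings.append(f"body links to {host}")
    return findings
```

A legitimate notice from the brand's own sending domain (for example a `From:` address at facebookmail.com) produces no findings, so the rule only fires on the mismatch itself.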