Hackers have been using a zero-day hole in Salesforce email services and SMTP servers, enabling malicious actors to specifically target Facebook users.
According to Guardio Labs the threat actors used a vulnerability named “PhishForce” to conceal malicious email traffic in Salesforce’s legitimate email gateway services, capitalising on Salesforce and Meta’s size and reputation.
The attackers managed to evade conventional detection methods by “using Salesforce’s domain and reputation and exploiting legacy quirks in Facebook’s web games platform,” the researchers said.
Salesforce has around 150,000 clients, a significant number of which are small businesses.
The Email Gateway is an important part of the Salesforce CRM. It consists of specialised servers dedicated to efficiently sending a large volume of email notifications and messages to customers worldwide.
Customers using the Salesforce CRM can send emails under their own brand by using custom domains. However, to ensure security and prevent abuse, the system follows a process of validating the ownership of the domain name before allowing emails to be sent.
The validation step ensures that only legitimate and authorised users can use custom domains for sending emails through the Salesforce platform.
In this phishing campaign, however, the fraudulent email messages appeared to come from Meta, while actually being sent from an email address with a “@salesforce.com” domain.
The landing page is designed to capture the victim’s account credentials, as well as any two-factor authentication (2FA) codes they might enter.
Upon replicating the creation of a Salesforce-branded address capable of distributing phishing emails, Guardio Labs verified the issue and promptly notified the vendor about its discovery .
Salesforce addressed the zero-day vulnerability on the same day.