Salesforce’s Email Services Exploited in Sophisticated Phishing Campaign

A recent phishing campaign was discovered by the Guardio research team [6], revealing a zero-day vulnerability in Salesforce’s email services and SMTP servers [3] [6]. This allowed hackers to create convincing phishing emails that bypassed traditional anti-spam and anti-phishing measures [6].


The flaw [3], known as “PhishForce,” enabled attackers to bypass sender verification safeguards and send phishing emails through Salesforce’s domain and infrastructure [3]. These emails [2] [4], presented as coming from Meta but actually sent from an “” domain, lured recipients into clicking a link by falsely claiming that their Facebook accounts were under investigation [1] [2] [4]. The phishing kit was cleverly hosted as a game on the Facebook apps platform [1] [2] [4], making it difficult to detect [1] [2] [4] [6]. The attackers also configured an Email-to-Case inbound routing email address using the domain [1] [2] [4], allowing them to directly target Salesforce customers.

The phishing campaigns attempted to trick users into visiting a fake Facebook page to steal their login information and two-factor authentication details [5]. Salesforce and Meta promptly addressed the issue and provided a fix [5], but the researchers express concern over the increasing sophistication of phishing attacks that combine legitimate services to evade detection [5]. Guardio Labs disclosed these findings and collaborated with Salesforce and Meta to close the vulnerabilities [5].
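The pattern described above, a message whose From header claims a well-known brand while the domain that actually passed SPF or DKIM belongs to an unrelated mail provider, is one a receiving mail gateway can flag on its own. The script below is an added example, not code from the article or from Guardio, Salesforce or Meta: the brand-to-domain map, the provider domain crm-provider.example and the three sample messages are constructed for illustration, and the Authentication-Results handling is a simplified read of that header, not a full RFC 8601 parser.

```python
"""Flag brand-impersonating mail that authenticated under a third-party domain.

Added example (not from the article). All domains, brands and sample
messages are constructed; the brand map is a stand-in for a real allow-list.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed allow-list: brands worth protecting and the domains permitted
# to send mail on their behalf. A real deployment would maintain this list.
BRAND_DOMAINS = {
    "meta": {"meta.com", "facebookmail.com"},
    "facebook": {"facebook.com", "facebookmail.com"},
}

# Pulls (method, result, identity) triples such as
# ("dkim", "pass", "crm-provider.example") out of Authentication-Results.
_AUTH_RE = re.compile(
    r"(spf|dkim)=(\w+)[^;]*?(?:smtp\.mailfrom|header\.d)=([^\s;]+)", re.I
)


def domain_of(identity):
    """Return the domain part of an address, or the value itself if it is bare."""
    return identity.rsplit("@", 1)[-1].lower()


def in_domain_set(domain, allowed):
    """True if domain equals, or is a subdomain of, any allowed domain."""
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def claimed_brand(from_header):
    """Return the protected brand named in the From display name or domain, if any."""
    name, addr = parseaddr(from_header)
    haystack = f"{name} {domain_of(addr)}".lower()
    for brand in BRAND_DOMAINS:
        if re.search(rf"\b{brand}\b", haystack):
            return brand
    return None


def authenticated_domains(msg):
    """Domains that passed SPF (envelope sender) or DKIM (signing domain)."""
    found = set()
    for value in msg.get_all("Authentication-Results", []):
        for _method, result, identity in _AUTH_RE.findall(str(value)):
            if result.lower() == "pass":
                found.add(domain_of(identity))
    return found


def classify_message(raw):
    """Compare the brand a message claims against the domain that vouched for it."""
    msg = email.message_from_string(raw, policy=policy.default)
    brand = claimed_brand(msg.get("From", ""))
    auth = authenticated_domains(msg)
    if brand is None:
        verdict = "no_brand_claim"
    elif not auth:
        verdict = "unauthenticated"
    elif any(in_domain_set(d, BRAND_DOMAINS[brand]) for d in auth):
        verdict = "ok"
    else:
        # Authentication passed, but only for a domain unrelated to the brand:
        # the relay is legitimate, the identity it carries is not.
        verdict = "impersonation"
    return {"verdict": verdict, "brand": brand, "auth_domains": sorted(auth)}


# Constructed sample: brand claimed in the display name, relay authenticated
# under an unrelated provider domain.
PHISH_SAMPLE = """From: Meta Support <noreply@crm-provider.example>
Return-Path: <bounce@crm-provider.example>
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=bounce@crm-provider.example; dkim=pass header.d=crm-provider.example
Subject: Your account is under review

Please review the attached notice.
"""

# Constructed sample: brand claimed and authenticated under its own domain.
LEGIT_SAMPLE = """From: Facebook <notification@facebookmail.com>
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=notification@facebookmail.com; dkim=pass header.d=facebookmail.com
Subject: New login to your account

A new login was recorded.
"""

# Constructed sample: ordinary mail with no protected brand in the From header.
OTHER_SAMPLE = """From: Billing <billing@crm-provider.example>
Authentication-Results: mx.recipient.example; dkim=pass header.d=crm-provider.example
Subject: Invoice available

Your invoice is ready.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE), ("other", OTHER_SAMPLE)):
        print(label, classify_message(sample))
```

The check deliberately does not rely on SPF or DKIM failing: in the campaign described, those checks passed because the mail really did leave the provider's servers. What gives the message away is the mismatch between the identity it presents and the domain that authenticated, which is why the verdict is computed only after authentication results are known.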


The prevalence of phishing attacks and scams remains high [5], with threat actors exploiting seemingly legitimate services for malicious activities [5]. Service providers must take proactive measures to enhance verification processes and promptly identify any misuse of mail gateways [5]. It is crucial to stay vigilant and continue developing strategies to combat the evolving tactics of phishing attacks.