A zero-day vulnerability in Salesforce’s email services and SMTP servers [1] [3] [4], known as “PhishForce,” was exploited by hackers in a sophisticated email phishing campaign targeting valuable Facebook accounts.

Description

The flaw allowed the attackers to bypass sender verification safeguards and send phishing emails through Salesforce's reputable email gateway [4]. They abused Salesforce's "Email-to-Case" feature to gain control of a Salesforce-generated email address, then sent phishing emails claiming to be from "Meta Platforms" using the "case.salesforce.com" domain. The emails directed victims to a phishing page hosted on the Facebook gaming platform [4], with the aim of stealing Facebook account credentials [4]. The attackers created a landing page under the "@salesforce.com" domain to deliver the payload [5], which redirected victims to an "apps.facebook.com" site where they were asked to enter their credentials and any two-factor authentication codes [5].

Guardio Labs analysts discovered the campaign and promptly reported the vulnerability to Salesforce on June 28th. Salesforce quickly resolved the issue by releasing a patch that checks the validity of the domain before initiating the address verification process, so that a Salesforce-owned domain can no longer be registered as a sending address [2]. However, the issues with Facebook's game platform are still being investigated [4].
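The mitigation described above, a domain check that runs before address verification is started, can be illustrated with the following added example. This is illustrative code written for this summary, not Salesforce's patch; the provider-owned domain list and the function names are assumptions.

```python
"""Pre-verification domain gate for a sender-address registration flow.

Added example, not Salesforce's code. Before an address is sent a
verification mail, refuse any address whose domain is one the provider
itself owns, so the provider's reputation cannot be borrowed by registering
something like noreply@case.salesforce.com as a sender address.
"""
from email.utils import parseaddr

# Assumption: the provider's own domains (a real deployment lists all of
# them); any subdomain of these is refused as well.
PROVIDER_DOMAINS = frozenset({"salesforce.com"})


def normalize_domain(domain: str) -> str:
    """Lower-case, strip a trailing dot, and IDNA-encode so that Unicode
    lookalike domains are compared in their ASCII (punycode) form."""
    domain = domain.strip().rstrip(".").lower()
    try:
        return domain.encode("idna").decode("ascii")
    except UnicodeError:
        return domain


def is_provider_owned(domain: str, owned=PROVIDER_DOMAINS) -> bool:
    """True if domain equals, or is a subdomain of, an owned domain.
    The comparison is label-wise, so 'salesforce.com.evil.example'
    does not match 'salesforce.com'."""
    labels = normalize_domain(domain).split(".")
    for owned_domain in owned:
        owned_labels = owned_domain.split(".")
        if len(labels) >= len(owned_labels) and labels[-len(owned_labels):] == owned_labels:
            return True
    return False


def may_start_verification(address: str) -> tuple:
    """Gate for the verification step. Accepts a bare address or a
    display-name-wrapped one ('Meta Platforms <x@y>'); returns
    (allowed, reason) so the caller can log why an address was refused."""
    _, addr = parseaddr(address)
    if addr.count("@") != 1:
        return False, "malformed address"
    local, domain = addr.rsplit("@", 1)
    if not local or not domain:
        return False, "malformed address"
    if is_provider_owned(domain):
        return False, f"{normalize_domain(domain)} is a provider-owned domain"
    return True, "ok"
```

The refusal reason is worth logging: a burst of attempts to register provider-owned addresses is itself a signal that the registration flow is being probed.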

Conclusion

Users should remain vigilant and scrutinize all emails for inconsistencies between the claimed sender and the sending domain, and for implausible claims made in the messages [4]. Organizations are advised to strengthen their verification processes and supplement traditional anti-phishing methods with advanced technologies when dealing with zero-day vulnerabilities [1]. Continuous monitoring of email traffic, together with regular review and updating of legacy systems, is crucial for a solid defense against such attacks. Service providers should be vigilant and implement measures to prevent future abuse of their email infrastructure [5].

References

[1] https://www.infosecurity-magazine.com/news/phishing-exploits-0-day-salesforce/
[2] https://www.scmagazine.com/news/attackerssalesforcefacebook-phishing-attacks
[3] https://cybersecuritynews.com/salesforce-email-zero-day/
[4] https://www.redpacketsecurity.com/hackers-exploited-salesforce-zero-day-in-facebook-phishing-attack/
[5] https://www.linkedin.com/pulse/hackers-exploited-salesforce-email-zero-day-facebook-phishing-hart