A zero-day vulnerability in Salesforce's email services and SMTP servers, known as "PhishForce," was exploited by hackers in a sophisticated email phishing campaign targeting valuable Facebook accounts.
The flaw allowed the attackers to bypass sender verification safeguards and send phishing emails through Salesforce's reputable email gateway. They abused Salesforce's "Email-to-Case" feature to gain control of a Salesforce-generated email address and sent phishing emails claiming to be from "Meta Platforms" using the "case.salesforce.com" domain. The phishing emails directed victims to a phishing page hosted on the Facebook gaming platform, aiming to steal Facebook account credentials. The attackers created a landing page through the "@salesforce.com" domain to deliver the lure, redirecting victims to an "apps.facebook.com" site where they would enter their credentials and any two-factor authentication codes.
Guardio Labs analysts discovered the campaign and promptly reported the vulnerability to Salesforce on June 28th. Salesforce quickly resolved the vulnerability by releasing a patch that checks the validity of the domain before initiating the address verification process, preventing the use of a Salesforce domain to send emails. However, issues with Facebook's game platform are still being investigated.
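As an added example (not code from Guardio Labs, Salesforce or Meta), the two defensive checks the summary implies: a pre-verification domain check of the kind the patch adds, so a tenant can never obtain a verified sender on the provider's own domains, and a mailbox-side rule that flags a brand display name arriving via a shared third-party gateway with links to an app-hosting platform. The domain lists and the sample message are constructed assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Domains the e-mail gateway operator itself owns (constructed for this example).
PROVIDER_DOMAINS = {"salesforce.com"}
# Brand display names that should never arrive from a shared gateway (constructed).
KNOWN_BRANDS = {"meta platforms"}
# Shared third-party sender domains that many unrelated tenants can emit mail from.
SHARED_GATEWAYS = {"case.salesforce.com"}

def _domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower().strip(".")

def allow_sender_verification(address: str, provider_domains=PROVIDER_DOMAINS) -> bool:
    """Reject verification for any address on the provider's own domains,
    including subdomains, so a tenant can never end up with a verified
    provider-branded sender (the check the fix described above adds)."""
    if "@" not in address:
        return False
    dom = _domain_of(address)
    return not any(dom == r or dom.endswith("." + r) for r in provider_domains)

def flag_brand_over_gateway(raw_message: bytes) -> list:
    """Reasons a message matches the pattern above: a known brand's display
    name on a shared-gateway sender, plus links to an app-hosting platform."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    reasons = []
    if display.strip().lower() in KNOWN_BRANDS and _domain_of(addr) in SHARED_GATEWAYS:
        reasons.append(f"brand '{display}' sent via shared gateway {_domain_of(addr)}")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for host in re.findall(r"https?://([\w.-]+)", text):
        if host.lower() == "apps.facebook.com":
            reasons.append(f"link to app-hosting platform {host}")
    return reasons

# Constructed sample resembling the campaign's lure; not a real message.
SAMPLE_LURE = b"""From: Meta Platforms <support@case.salesforce.com>
To: user@example.com
Subject: Policy violation on your page
Content-Type: text/plain

Review the issue at https://apps.facebook.com/example-app/ within 24 hours.
"""
```

`flag_brand_over_gateway(SAMPLE_LURE)` returns two reasons for the constructed lure and an empty list for mail sent from a brand's own domain.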
Users should remain vigilant, scrutinize all emails for inconsistencies, and question the claims made in the messages. Organizations are advised to fortify their verification processes and supplement traditional anti-phishing methods with advanced technologies when dealing with zero-day vulnerabilities. Continuous monitoring of email traffic and regular review and updating of legacy systems are crucial for a solid defense against such attacks. Service providers should be vigilant and implement measures to prevent future abuse.