Highlights:

  • This sophisticated attack, dubbed PhishForce, is designed to evade detection by both Facebook and Salesforce.com.
  • The researchers discovered that the perpetrators performed an additional action that ties everything together.

Guardio Labs security researchers have discovered a new vulnerability, unpatched at the time, being abused by a sophisticated email phishing campaign.

Salesforce Inc. clients are targeted, and the attack involves mimicking the company’s email servers and domains. The way the problem was identified and resolved reveals a great deal about how security teams can collaborate to combat phishing.

This sophisticated attack, dubbed PhishForce, is designed to evade detection by both Facebook and Salesforce.com. It employs a tried-and-true tactic: sending malicious emails through normally trusted mail gateways so that protective filters do not challenge them. The researchers’ investigation began with a single suspicious email message.

The message is sent from a “@salesforce.com” address but is labeled as originating from “Meta Platforms.” This mismatch should be a red flag that the email is a fraud attempt. The large blue button is also incorrectly labeled “Request a Review.” Selecting it redirects users to a phishing page designed to steal their Facebook account information.

The second indicator is that the fraud page is hosted by Facebook and is disguised as a game. However, the portal contains additional content that is unrelated to games. This is where the cleverness lies: the malicious email carries a legitimate link to facebook.com and is sent through the legitimate email gateway services of salesforce.com. In essence, the malicious email is concealed by this impression of respectability.

The researchers discovered that the attackers performed an additional action that tied everything together. They used a trouble-ticketing system to transmit emails from an address at “case.salesforce.com,” a domain that is ordinarily used only to receive emails.
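The three indicators described above (a display name claiming a brand whose domain does not match the sender, a sender domain that normally only receives mail, and a brand link from a non-brand sender) can be checked mechanically at a mail gateway. The following is an added example, not code from Guardio or Salesforce; the sample messages are constructed, and the brand and inbound-only domain lists are assumptions a defender would tune for their own environment.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages for illustration; not headers captured from the real campaign.
SAMPLES = {
    "suspicious": (
        "From: Meta Platforms <noreply@case.salesforce.com>\n"
        "To: victim@example.com\n"
        "Subject: Your page has been reported\n"
        "Content-Type: text/html\n\n"
        '<a href="https://apps.facebook.com/PLACEHOLDER-GAME-ID/">Request a Review</a>'
    ),
    "benign": (
        "From: Facebook <notification@facebookmail.com>\n"
        "To: user@example.com\n"
        "Subject: New login\n"
        "Content-Type: text/html\n\n"
        '<a href="https://www.facebook.com/settings">Review activity</a>'
    ),
}

BRAND_WORDS = {"meta", "facebook"}                               # brands a display name may claim
BRAND_DOMAINS = {"facebook.com", "facebookmail.com", "meta.com"}  # assumed legitimate sender domains for those brands
INBOUND_ONLY_DOMAINS = {"case.salesforce.com"}                    # assumed to receive mail only, never send it

def _in_domains(host, domains):
    # True when host equals one of the domains or is a subdomain of it
    return any(host == d or host.endswith("." + d) for d in domains)

def analyze(raw):
    """Return a list of reasons the message looks like a PhishForce-style lure (empty if none)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    claims_brand = any(w in name.lower() for w in BRAND_WORDS)
    reasons = []
    if claims_brand and not _in_domains(sender_domain, BRAND_DOMAINS):
        reasons.append(f"display name '{name}' claims a brand but sender domain is '{sender_domain}'")
    if _in_domains(sender_domain, INBOUND_ONLY_DOMAINS):
        reasons.append(f"sender domain '{sender_domain}' is normally used only to receive mail")
    body = msg.get_payload() if not msg.is_multipart() else ""
    # A brand link is only suspicious when the sender is not that brand
    for host in re.findall(r'href="https?://([^/"]+)', body):
        if _in_domains(host.lower(), BRAND_DOMAINS) and not _in_domains(sender_domain, BRAND_DOMAINS):
            reasons.append(f"link to brand host '{host}' from non-brand sender '{sender_domain}'")
    return reasons
```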

This role reversal is crucial to understanding how the entire attack occurred. Guardio notified Salesforce at the end of June, and the vulnerability was patched and deployed across the company’s infrastructure within a month. Guardio also contacted Facebook, which subsequently deleted the malicious gaming accounts.

The researchers said, “The Salesforce security team was effective and responsive, taking these kinds of issues very seriously and prioritizing them accordingly. Bad actors are continuously testing the limits of email distribution infrastructure and existing security measures. [Service providers should] take proactive steps to keep scammers away from secure and reputable mail gateways.”

Undoubtedly, the fight against phishing will persist. PhishForce teaches users to always look for inconsistencies and never to presume that an email is safe because it comes from a legitimate domain.