Hackers exploited a zero-day vulnerability in the email services and SMTP servers of Salesforce.
Malicious email traffic is often concealed within email gateway services that are considered legitimate and trustworthy.
Gateways are very important as they act as gatekeepers, making sure that there is no misuse by carefully verifying the ownership of each email address used.
Guardio Labs discovered that attackers use sophisticated methods to bypass these safeguard services.
Salesforce Phishing Email
The big blue button sends the target to the phishing page built to grab the Facebook account details.
How Salesforce Validates Domain Ownership
The Salesforce system validates the domain ownership before sending out an email.
An email address must be verified before it can be used to send email. Clicking the verification link allows the Salesforce backend to configure outgoing email for that address.
Guardio manipulated the POST request sent to Salesforce's backend to trigger the email transmission, changing the sender's address to other values. However, the operation was blocked.
Still, how do the attackers find a way around these measures?
The domain in the From address field is built from a sub-domain generated per specific Salesforce account.
Guardio Labs says attackers exploit Salesforce's "Email-to-Case" feature, which lets organizations turn incoming customer emails into actionable tickets for their support teams.
Took Advantage of Salesforce Feature
Guardio Labs found that the attackers use the "Email-To-Case" flow, gaining full control of the username part of the generated Salesforce email address.
They then set this address as an "Organization-Wide Email Address," which Salesforce's Mass Mailer Gateway uses for outgoing email, and finally went through the verification process to confirm ownership of the domain.
Through this, an attacker could create any phishing scheme.
It will end up in the victim's inbox, bypassing anti-spam and anti-phishing mechanisms, and is even marked as Important by Google.
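The defender-side check the technique above calls for is a From-header review that flags brand impersonation sent through a trusted mass-mailer sub-domain. This is an added example, not code from the article or from Guardio Labs; the brand domains, the gateway sub-domain pattern and the sample headers are constructed placeholders, not Salesforce's real address format.

```python
import re
from email.utils import parseaddr

# Brands a defender wants to protect, mapped to the sending domains they
# legitimately use. Placeholder domains, constructed for this example.
PROTECTED_BRANDS = {
    "meta": {"meta-legit.example"},
    "facebook": {"meta-legit.example"},
}

# Assumed shape of a per-account sub-domain on a third-party mass-mailer
# gateway (placeholder; not the real Salesforce address format).
GATEWAY_DOMAIN_RE = re.compile(r"^[a-z0-9-]+\.mass-mailer\.example$")


def classify_from(from_header):
    """Return a verdict dict for one From: header.

    'impersonation' means the display name claims a protected brand but the
    address domain is not one that brand sends from. 'via_gateway' records
    whether that domain is a mass-mailer sub-domain, which is the pattern
    the article describes: a trusted gateway domain with an attacker-chosen
    username part in front of it.
    """
    display, addr = parseaddr(from_header)
    local, _, domain = addr.lower().rpartition("@")
    via_gateway = bool(GATEWAY_DOMAIN_RE.match(domain))
    claimed = [b for b in PROTECTED_BRANDS if b in display.lower()]
    verdict = "ok"
    for brand in claimed:
        if domain not in PROTECTED_BRANDS[brand]:
            verdict = "impersonation"
    return {"display": display, "local": local, "domain": domain,
            "brands": claimed, "via_gateway": via_gateway, "verdict": verdict}


# Constructed sample headers: one impersonation through the gateway, one
# genuine brand message, one unrelated but legitimate gateway sender.
SAMPLES = [
    '"Meta Support" <support@legit-looking-case.mass-mailer.example>',
    '"Meta Support" <security@meta-legit.example>',
    '"Acme Newsletter" <news@acme-acct.mass-mailer.example>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        result = classify_from(header)
        print(f"{result['verdict']:13} gateway={result['via_gateway']!s:5} {header}")
```

Because the gateway domain itself passes SPF/DKIM, the useful signal is the mismatch between the claimed brand and the sending domain, not the authentication result.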
As of the 28th of July, ’23, the vulnerability was resolved, and a fix was deployed affecting all Salesforce services and instances.
Meta engineers are still investigating why existing protections failed to stop the attacks.
“We’re doing a root cause analysis to see why our detections and mitigations for these sorts of attacks didn’t work” (Meta’s Engineering)