Cyber Security News

Hackers Exploit Salesforce Email Zero-day Flaw in Facebook Targeted Phishing Attack

Hackers exploited a zero-day vulnerability in Salesforce's email services and SMTP servers.

Malicious email traffic is often routed through email gateway services that are considered legitimate and trustworthy, so it inherits their reputation.

Such gateways act as gatekeepers: they prevent misuse by carefully verifying ownership of each email address that sends through them.

Guardio Labs discovered that attackers are using sophisticated methods to bypass these safeguards.

Salesforce Phishing Email

The big blue button sends the target to a phishing page built to grab the victim's Facebook account details.

This page is hosted as a game under the Facebook apps platform using the domain apps.facebook.com.

How Salesforce Validates Domain Ownership

The Salesforce system validates domain ownership before sending out any email.

An email address must be verified before it can be used to send email. Clicking the verification link allows the Salesforce backend to configure outgoing email for that address.

POST Request

Guardio sent a manipulated POST request to Salesforce's backend to trigger email transmission with the sender's address changed to other values. However, the operation was blocked.

Still, how do the attackers find a way around these measures?

The domain in the From address field is built from a sub-domain generated for each specific Salesforce account.

Guardio Labs says attackers exploit Salesforce's "Email-to-Case" feature, which organizations use to turn incoming customer emails into actionable tickets for their support teams.

Took Advantage of Salesforce Feature

Guardio Labs found that the attackers use the "Email-To-Case" flow, gaining full control of the username part of the generated Salesforce email address.

They then set this address as an "Organization-Wide Email Address," which Salesforce's Mass Mailer Gateway uses for outgoing email, and finally went through the verification process to confirm ownership of the domain.

With this in place, an attacker could run any phishing scheme.

The message ends up in the victim's inbox, bypassing anti-spam and anti-phishing mechanisms, and is even marked as Important by Google.
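The campaign above relied on a sender address that was technically legitimate (a verified Salesforce tenant sub-domain) carrying a Meta-branded lure that linked into apps.facebook.com. The following is an added example of a simple mail-filter check for that combination; it is not code from Guardio or Salesforce. It assumes the tenant sub-domain sits under salesforce.com, and the two emails it scans are constructed samples modelled on the description, not real captures.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the campaign described above (not a real capture).
PHISH_EML = """From: Meta Platforms <support@example-tenant.salesforce.com>
To: victim@example.com
Subject: Your Facebook account is under review
Content-Type: text/html

<html><body><p>Your account needs attention.</p>
<a href="https://apps.facebook.com/example-game/">Review now</a></body></html>
"""

# Constructed benign sample for comparison.
LEGIT_EML = """From: Facebook <security@facebookmail.com>
To: victim@example.com
Subject: New login to Facebook
Content-Type: text/html

<html><body><a href="https://www.facebook.com/settings/security">Review</a></body></html>
"""

BRAND_KEYWORDS = ("facebook", "meta")
BRAND_DOMAINS = ("facebook.com", "fb.com", "meta.com", "facebookmail.com")
GATEWAY_SUFFIXES = (".salesforce.com",)  # assumption: per-tenant sub-domain lives here
HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def analyze(raw: str) -> list[str]:
    """Return a list of findings for one RFC 822 message; empty means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    # Brand impersonation: the display name or subject claims Meta/Facebook,
    # but the envelope sender is not on a brand-owned domain.
    claims_brand = any(k in f"{display} {msg.get('Subject', '')}".lower() for k in BRAND_KEYWORDS)
    brand_sender = sender_domain in BRAND_DOMAINS or sender_domain.endswith(
        tuple("." + d for d in BRAND_DOMAINS))
    if claims_brand and not brand_sender:
        findings.append("brand/sender mismatch")
    if sender_domain.endswith(GATEWAY_SUFFIXES):
        findings.append("sender is a third-party mail-gateway sub-domain")
    body = msg.get_body(preferencelist=("html", "plain"))
    for url in HREF_RE.findall(body.get_content() if body else ""):
        host = re.sub(r"^https?://", "", url).split("/")[0].lower()
        if host == "apps.facebook.com":  # lure hosted on the Facebook apps platform
            findings.append("call-to-action link points at apps.facebook.com")
    return findings
```

Running analyze() over PHISH_EML yields all three findings, while LEGIT_EML yields none; a real filter would combine these with SPF/DKIM results rather than act on any one of them alone.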

Closure

As of 28 July 2023, the vulnerability was resolved and a fix was deployed across all Salesforce services and instances.

Meta engineers are still investigating why existing protections failed to stop the attacks.

“We’re doing a root cause analysis to see why our detections and mitigations for these sorts of attacks didn’t work” (Meta’s Engineering)


Sujatha
