Phishing Campaign Against Facebook Users Exploiting a Salesforce Zero-Day Vulnerability

A highly sophisticated phishing campaign targeting Facebook users has been discovered exploiting a zero-day vulnerability in Salesforce's email services. The attackers craft convincing phishing emails that appear to come from Meta but are actually sent from addresses on the "@salesforce.com" domain. The emails falsely claim that the recipient's Facebook account is under investigation for impersonation and urge them to click a link.

The phishing kit is hosted as a game on the Facebook apps platform, under the domain "apps.facebook[.]com", which makes it hard for conventional anti-spam and anti-phishing filters to flag. The attackers bypass Salesforce's validation step by setting up an Email-to-Case inbound routing email address on the salesforce.com domain; clicking the link in the resulting verification request lets them confirm a salesforce.com email address for their own use.
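A defender-side triage heuristic for the combination described above, added here as an example (not code from the original post, Salesforce or Meta): it flags mail that names Meta or Facebook but arrives from a third-party sender domain, links into apps.facebook.com, and carries the account-investigation lure. The brand sender-domain list and the two sample messages are assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains the impersonated brand itself sends mail from; tune to your own data.
BRAND_TERMS = ("meta", "facebook")
BRAND_DOMAINS = {"facebook.com", "facebookmail.com", "meta.com"}
LURE_PHRASES = ("under investigation", "impersonation")   # lure wording from the write-up
ABUSED_LINK_HOSTS = {"apps.facebook.com"}                 # where the kit was hosted
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def assess(raw_message: str) -> list[str]:
    """Return the campaign indicators found in one RFC 5322 message (empty list = none)."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower()
    body = "".join(p.get_payload(decode=True).decode("utf-8", "replace")
                   for p in msg.walk() if p.get_content_type() == "text/plain")
    found = []
    # 1. Brand named in display name or subject, but sent from a third-party domain.
    header_text = f"{display_name} {msg.get('Subject', '')}".lower()
    if any(t in header_text for t in BRAND_TERMS) and sender_domain not in BRAND_DOMAINS:
        found.append(f"brand/sender mismatch: {sender_domain}")
    # 2. Link into the platform's own app hosting, where the kit lived.
    hosts = {(urlparse(u).hostname or "").lower() for u in URL_RE.findall(body)}
    if hosts & ABUSED_LINK_HOSTS:
        found.append("link to " + ", ".join(sorted(hosts & ABUSED_LINK_HOSTS)))
    # 3. Account-investigation lure from the campaign's emails.
    if any(p in body.lower() for p in LURE_PHRASES):
        found.append("account-investigation lure")
    return found


def is_suspicious(raw_message: str) -> bool:
    """Two or more independent indicators: treat as likely phishing, not a single match."""
    return len(assess(raw_message)) >= 2


# Constructed samples (not real campaign artifacts); the app path is a placeholder.
SAMPLE_LURE = """\
From: "Meta Support" <case-noreply@salesforce.com>
Subject: Your Facebook account is under investigation

Your account was reported for impersonation. Review the case here:
https://apps.facebook.com/EXAMPLE-APP-ID/
"""
SAMPLE_BENIGN = """\
From: "Facebook" <notification@facebookmail.com>
Subject: Alice commented on your photo

See the comment: https://www.facebook.com/photo/EXAMPLE
"""
```

Run `assess()` over quarantined mail to see which indicators fired; requiring two of them keeps ordinary Facebook notifications, which only match the brand term, out of the alert queue.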

Salesforce has addressed the zero-day vulnerability as of July 28, 2023, following responsible disclosure on June 28, 2023. However, this incident highlights the ongoing challenge of phishing attacks using seemingly legitimate services to carry out malicious activities. It’s crucial for users to remain vigilant against such threats and to be cautious about clicking on links or providing sensitive information in response to unsolicited emails.
