
Salesforce Domain Used in the Phishing Campaign


Researchers have discovered an email phishing campaign exploiting a zero-day vulnerability in Salesforce’s legitimate email services and SMTP servers.

The vulnerability allowed threat actors to craft targeted phishing emails, evading conventional detection methods by leveraging Salesforce’s domain and reputation and exploiting legacy quirks in Facebook’s web games platform.


By sending through this infrastructure, the threat actors hid their malicious email traffic inside a legitimate, trusted email gateway service, letting them ride on these companies' sending volume and reputation.

Salesforce phishing

Further analysis revealed that the domain in the ‘From’ address field is actually a sub-domain generated for each specific Salesforce account, using the “case” magic word:

21gjt96n3uz6hgxytsmo0tf72hqyt6wg3ifrbql7e7k1xfd9df.8e-sefdea4.um9.case.salesforce.com

“We realized this address is actually user controlled under the ‘Email-To-Case’ feature of Salesforce, used to automatically convert customer inbound emails into actionable tickets in the Salesforce system itself,” the experts continue.
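The practical takeaway for mail defenders is that a sender address under `case.salesforce.com` is not a message authored by Salesforce but a per-account Email-To-Case address whose local part and sub-domain are under a tenant's control. The triage script below is an added example written for this post; it is not code from TheCyberThrone or from Guardio. It infers the sub-domain shape from the single address quoted above (one or more labels followed by `case.salesforce.com`), which is an assumption, and the sample messages are constructed except for the domain taken from the article. It flags such senders for review rather than trusting the salesforce.com reputation outright.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed domain shape, inferred from the one address quoted in the article:
# <one or more labels>.case.salesforce.com. Salesforce's real generation scheme
# is not documented on the page, so this pattern is deliberately loose.
EMAIL_TO_CASE_RE = re.compile(r"^(?:[a-z0-9-]+\.)+case\.salesforce\.com$", re.IGNORECASE)

# Constructed sample messages. The first reuses the Email-To-Case domain quoted
# in the article; the other two are ordinary senders for comparison.
SAMPLE_MESSAGES = [
    "From: Account Support <support@21gjt96n3uz6hgxytsmo0tf72hqyt6wg3ifrbql7e7k1xfd9df.8e-sefdea4.um9.case.salesforce.com>\n"
    "Subject: Action required on your account\n\nPlease review the attached notice.\n",
    "From: Salesforce <noreply@salesforce.com>\nSubject: Your weekly digest\n\nDigest body.\n",
    "From: Alice <alice@example.com>\nSubject: Lunch\n\nSee you at noon.\n",
]


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain part of an RFC 5322 From header value."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def is_email_to_case_sender(from_header: str) -> bool:
    """True when the From domain is a tenant-generated Email-To-Case sub-domain."""
    return bool(EMAIL_TO_CASE_RE.match(sender_domain(from_header)))


def triage(raw_message: str) -> dict:
    """Classify one raw message; Email-To-Case senders are routed to manual review
    instead of inheriting the parent domain's good reputation."""
    msg = message_from_string(raw_message)
    from_header = msg.get("From", "")
    user_controlled = is_email_to_case_sender(from_header)
    return {
        "from": from_header,
        "domain": sender_domain(from_header),
        "user_controlled_sender": user_controlled,
        "verdict": "review: tenant-controlled Email-To-Case sender" if user_controlled else "normal",
    }


def triage_all(messages) -> list:
    """Apply triage() to every message and return the results in order."""
    return [triage(m) for m in messages]


if __name__ == "__main__":
    for result in triage_all(SAMPLE_MESSAGES):
        print(f"{result['domain']:<90} {result['verdict']}")
```

The rule is intentionally a triage signal, not a block: Email-To-Case mail is legitimate in many organisations, so the flag should feed a review queue or a higher-scrutiny policy (link and attachment inspection) rather than a hard reject. Because the parent domain passes SPF and DKIM for Salesforce's servers, authentication results alone will not surface this case, which is why the check keys on the sub-domain pattern.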

After successfully identifying the scheme, the researchers disclosed their findings to Salesforce and Meta, and both companies addressed the issue.

This research was documented by researchers from Guardio.
