Guardio, a Tel Aviv-based cybersecurity company, released a report today describing its research team’s discovery of a highly sophisticated email phishing campaign. The campaign exploited a zero-day vulnerability in Salesforce’s legitimate email services and SMTP servers. The exploit allowed threat actors to create targeted phishing emails that evaded conventional detection methods. By leveraging Salesforce’s domain and reputation, and by taking advantage of legacy quirks in Facebook’s web games platform, the attackers were able to craft convincing emails that appeared to come from reputable companies.
Phishing attacks are a major concern for organizations: according to recent statistics, 83% of companies experience such attacks every year. Mass-market emails are the most prevalent form of phishing, disguised to appear as messages from trusted sources. Recipients are often tricked into taking harmful actions, such as downloading malware or clicking on malicious links, which can expose credentials for social and financial accounts.
In this particular campaign, the threat actors successfully concealed their malicious email traffic within legitimate and trusted email gateway services. This allowed them to capitalize on the volume and reputation of these companies to deceive recipients. Guardio Labs’ research team, in their detailed report, systematically dissects the campaign and describes their discovery of the zero-day vulnerability exploited by the threat actors. They also investigate how this vulnerability gave the actors an advantage over conventional email filtering methods.
The report highlights several key findings and methods employed by the attackers. One notable tactic was the inclusion of the recipient’s real name in the phishing emails, which helped them pass traditional anti-spam and anti-phishing checks. Additionally, the emails contained legitimate links to Facebook and originated from an @salesforce.com email address, further boosting their credibility. The threat actors also took advantage of Salesforce’s “Email-To-Case” feature, which is designed to convert inbound customer emails into actionable tickets. By abusing this feature, the attackers were able to receive verification emails and gain control of genuine @salesforce.com addresses for their malicious activities.
Once Guardio identified the phishing scheme, it promptly shared its findings with both Salesforce and Meta. Both companies acted swiftly to address the issue and worked closely with Guardio to resolve the vulnerability.
The Head of Guardio Labs and co-author of the report, Nati Tal, emphasized the importance of service providers implementing stringent measures to prevent abuse of legitimate services for malicious activities. Tal commended Salesforce and Meta for their prompt actions and ongoing efforts to enhance the security and resilience of their platforms. He also advised other service providers to follow suit and reinforce their data gateways and verification processes.
Salesforce, known for its commitment to trust and security, expressed gratitude to Guardio Labs for responsibly disclosing the issue. The company confirmed that its team had resolved the vulnerability and assured customers that there is no evidence of any impact on their data. Salesforce encourages researchers to continue sharing their findings so that security concerns can be resolved swiftly.
Guardio, founded in 2018 by cybersecurity industry veterans Amos Peled, Daniel Sirota, and Michael Weinstein, is an industry-leading cybersecurity company. Its mission is to ensure a safe digital experience for private users and small businesses through its browser extension and mobile apps. Since its launch, Guardio has gained over one and a half million users, underscoring the growing demand for robust cybersecurity solutions in today’s digital landscape.
