Salesforce email compromised for phishing attacks


Now patched against "PhishForce".

Salesforce has patched a vulnerability in its email services that researchers discovered was being exploited in targeted phishing attacks against “high-value” Facebook accounts.


According to Guardio Labs, the attackers found a zero-day in Salesforce that allowed them to send phishing emails using Salesforce’s “domain and infrastructure”.

That gave the attackers a trusted domain as the origin of their messages.

“This gives bad actors not only volume but also access to the reputation of those gateways, usually getting their IPs and domains whitelisted in an organisation or even network-wide”, Guardio wrote in a blog post.

The bug, dubbed “PhishForce” by the researchers, existed in Salesforce’s “email-to-case” feature, in which a user can set up an automatic process to create new case tickets based on incoming customer emails.

The attackers set up an email-to-case flow to get control of a Salesforce-generated email address, and then created an inbound email address on salesforce.com.

Setting that email address as an 'organisation-wide' address let it be used for outbound emails.

In emails gathered by Guardio, phishing messages looked like they came from Meta Platforms via the case.salesforce.com domain.
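A mail-filter check for the pattern described above, as an added example that is not code from the article, Guardio or Salesforce: it flags messages whose From display name claims a brand while the sending domain is a shared gateway such as case.salesforce.com, even when SPF and DKIM pass. The brand allowlist, the function names and the three sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allowlist: domains each brand really sends from (maintain your own).
BRAND_DOMAINS = {
    "meta": {"meta.com", "facebookmail.com"},
    "facebook": {"facebook.com", "facebookmail.com"},
}
# Shared sending platforms whose reputation says nothing about the tenant.
SHARED_GATEWAYS = {"salesforce.com"}

def _under(domain, suffixes):
    """True if domain equals, or is a subdomain of, any listed suffix."""
    return any(domain == s or domain.endswith("." + s) for s in suffixes)

def assess(raw):
    """Flag mail whose From display name claims a brand the domain is not tied to."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    words = set(re.findall(r"[a-z]+", display.lower()))
    findings = [
        f"display name claims '{b}' but mail comes from {domain}"
        for b in sorted(words & set(BRAND_DOMAINS))
        if not _under(domain, BRAND_DOMAINS[b])
    ]
    if findings and _under(domain, SHARED_GATEWAYS):
        findings.append("sender is a shared gateway: do not trust by domain allowlist")
    auth = msg.get("Authentication-Results", "").lower()
    return {
        "from_domain": domain,
        # SPF/DKIM pass here because the platform itself sent the message.
        "auth_pass": "spf=pass" in auth and "dkim=pass" in auth,
        "suspicious": bool(findings),
        "findings": findings,
    }

def _mail(sender, auth="spf=pass; dkim=pass"):
    """Build a constructed sample message (not real captured mail)."""
    return (f"From: {sender}\nAuthentication-Results: mx.example.org; {auth}\n"
            "Subject: Account notice\n\nbody\n")

PHISH = _mail('"Meta Platforms" <support@case.salesforce.com>')
TENANT = _mail('"Acme Helpdesk" <support@case.salesforce.com>')
GENUINE = _mail('"Facebook" <security@facebookmail.com>')

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("TENANT", TENANT), ("GENUINE", GENUINE)):
        print(name, assess(raw))
```

The ordinary tenant message from the same gateway is not flagged, so the rule targets the brand mismatch rather than blocking the platform outright.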

The messages advised recipients of an account compromise, and offered a link to a “support” page which harvested user credentials.

The fake support page abused apps.facebook.com, using supposedly-deprecated features.

Guardio said it contacted Meta, which said it is investigating “why our detections and mitigations for these sorts of attacks didn’t work”.

Guardio disclosed its findings to Salesforce on June 28, and a fix was deployed to all Salesforce services and instances on July 28.

Copyright © iTnews.com.au . All rights reserved.