Sophisticated Phishing Exploits Zero-Day Salesforce Vulnerability


A sophisticated email phishing campaign has been discovered by security researchers, exploiting a zero-day vulnerability in Salesforce’s email services and SMTP servers. 

Guardio Labs, a cybersecurity firm, detected the campaign and detailed its findings in a technical blog post on Thursday.

The threat actors behind the campaign created targeted phishing emails, evading conventional detection methods by using the Salesforce domain.

To add to the deception, the emails were designed to appear as if sent from “Meta Platforms,” leading recipients to a phishing page hosted on Facebook’s web games platform.

By leveraging trusted email gateway services, the attackers managed to bypass filtering rules, making the emails appear genuine with “@salesforce.com” addresses and personalizing them with recipients’ real names.

“Using email gateways that have been previously whitelisted and trusted by anti-spam and anti-phishing filters, bad actors are able to deliver phishing attacks to potential victims with a much higher success rate,” explained Erich Kron, security awareness advocate at KnowBe4.

“This sort of attack from well-known and documented sources can bypass many of the protections organizations use, such as SPF records, DKIM, and DMARC to weed out the malicious messages.”
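The point Kron makes is that SPF, DKIM and DMARC validate the sending infrastructure, not the intent of the message, so a campaign relayed through a legitimate gateway passes all three. The following triage script is an added example, not code from the article or from Guardio Labs: it parses a raw message, reads the authentication verdicts, and flags the content-level signals that remain when authentication passes (a display name claiming one brand while the authenticated From: domain belongs to another, and body links that lead away from the sending domain). The brand-to-domain map and both sample messages are constructed for illustration.

```python
"""Header and content triage for phishing relayed through a trusted gateway.

Added example, not from the article or Guardio Labs. BRAND_DOMAINS and the
sample messages are constructed assumptions for illustration.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed mapping from brand words that appear in display names to the domains
# that brand legitimately sends from. Illustrative, not an authoritative list.
BRAND_DOMAINS = {
    "meta": {"meta.com", "facebookmail.com"},
    "facebook": {"facebook.com", "facebookmail.com"},
    "salesforce": {"salesforce.com"},
}

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def parse_auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from every Authentication-Results header."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, result in AUTH_RE.findall(str(header)):
            verdicts[mech.lower()] = result.lower()
    return verdicts


def from_parts(msg):
    """Return (display_name, domain) taken from the From: header."""
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, domain


def claimed_brands(display_name):
    """Brands named (as whole words) in the display name that we have domains for."""
    lowered = display_name.lower()
    return {b for b in BRAND_DOMAINS if re.search(rf"\b{re.escape(b)}\b", lowered)}


def body_link_domains(msg):
    """Hostnames of every http(s) link in the first text part of the message."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    hosts = set()
    for url in URL_RE.findall(text):
        host = urlparse(url.rstrip(".,)")).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def assess(raw_message):
    """Return a list of findings; an empty list means nothing looked off."""
    msg = message_from_string(raw_message, policy=policy.default)
    auth = parse_auth_results(msg)
    name, from_domain = from_parts(msg)
    findings = []

    # Authentication passing is expected here; it is not evidence of legitimacy.
    all_pass = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    for brand in claimed_brands(name):
        if from_domain not in BRAND_DOMAINS[brand]:
            kind = "authenticated_brand_mismatch" if all_pass else "brand_mismatch"
            findings.append(f"{kind}: display name claims '{brand}', From domain is {from_domain}")

    # Links that leave the authenticated sending domain deserve a closer look.
    offsite = {d for d in body_link_domains(msg)
               if d != from_domain and not d.endswith("." + from_domain)}
    if offsite:
        findings.append("links_off_sending_domain: " + ", ".join(sorted(offsite)))
    return findings


# Constructed sample modelled on the pattern the article describes: a genuine
# salesforce.com sender that passes every check, a display name claiming Meta,
# and a link pointing away from the sending domain (placeholder host).
SUSPICIOUS = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=salesforce.com; dkim=pass header.d=salesforce.com; dmarc=pass header.from=salesforce.com
From: Meta Platforms <noreply@salesforce.com>
To: alice@example.net
Subject: Your page may be suspended
Content-Type: text/plain; charset="utf-8"

Hi Alice, review your account here: https://games.platform.example/policy-review
"""

# Constructed benign sample: brand, sending domain and link destination agree.
BENIGN = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=salesforce.com; dkim=pass header.d=salesforce.com; dmarc=pass header.from=salesforce.com
From: Salesforce Support <support@salesforce.com>
To: alice@example.net
Subject: Your case has been updated
Content-Type: text/plain; charset="utf-8"

Your case has been updated: https://help.salesforce.com/s/case-status
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, assess(raw) or ["no findings"])
```

The script does not try to decide whether the relaying gateway is compromised; it only surfaces the inconsistencies an analyst would check first, which is the useful layer to add on top of authentication results that are known to pass.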


Guardio Labs’ research also revealed that the attackers manipulated Salesforce’s Email Gateway feature, exploiting it to send emails from seemingly legitimate accounts by creating user-controlled sub-domains through the “Email-To-Case” feature, effectively bypassing verification processes.

According to Saeed Abbasi, manager of vulnerability research at Qualys, this attack underscores the critical need for organizations to fortify their verification processes to safeguard the ownership of email addresses and domains.

“Continuous monitoring and analysis of email traffic are essential to detect misuse or abnormalities,” Abbasi said. “Along with this, the review and update of legacy systems play a crucial role in maintaining a solid defense. Traditional anti-phishing methods must be supplemented with advanced technologies, primarily when dealing with 0-day vulnerabilities.”

Upon discovering the vulnerability, Guardio Labs promptly notified both Salesforce and Meta. Both companies responded swiftly, and as of July 28, 2023, the vulnerability has been fixed across all Salesforce services.

“We commend Salesforce and Meta for their prompt actions and ongoing efforts to bolster the security and resilience of their platforms. We advise other service providers to follow suit, securing data gateways and bolstering verification processes.”
