Salesforce Zero-Day Exploited to Phish Facebook Credentials

Published: 23/11/2024   Category: security



The cyberattacks used the legitimate Salesforce.com domain by chaining the vulnerability to an abuse of Facebook's Web games platform, slipping past email protections.



Attackers were recently spotted exploiting a zero-day flaw in Salesforce's email and SMTP services in a sophisticated phishing campaign aimed at stealing credentials from Facebook users.
Guardio researchers detected cyberattackers sending targeted phishing emails with @salesforce.com addresses using the legitimate Salesforce infrastructure. An investigation revealed that they were able to exploit a Salesforce email-validation flaw to hide behind the domain's trusted status with users and email protections alike.
The sender of the emails claimed to be Meta Platforms, and the messages included legitimate links to the Facebook platform, further bolstering legitimacy.
“It's a no-brainer why we've seen this email slipping through traditional anti-spam and anti-phishing mechanisms,” Guardio Labs' Oleg Zaytsey and Nati Tal noted in the post. “It includes legit links (to facebook.com) and is sent from a legit email address of @salesforce.com, one of the world's leading CRM providers.”
The messages directed recipients via a button to a legitimate Facebook domain, apps.facebook.com, where content has been altered to inform them that they'd violated Facebook's terms of service. From there, another button led to a phishing page that collected personal details, including full name, account name, email address, phone number, and password.
Nonetheless, there is no evidence of impact to customer data, Salesforce told Guardio. The flaw, meanwhile, has been fixed.
On the Facebook side, attackers abused apps.facebook.com by creating a Web app game, which allows customized canvases. Facebook has discontinued the ability to create legacy game canvases, but existing games that were developed prior to the end of the feature were grandfathered in. It appears that malicious actors abused access to these accounts, the researchers said.
In doing this, they could insert malicious domain content directly into the Facebook platform — presenting a phishing kit designed specifically to steal Facebook accounts including two-factor authentication (2FA) mechanism bypasses, the researchers said, adding that Facebook parent Meta quickly removed the malevolent accounts and Web game.
“We're doing a root cause analysis to see why our detections and mitigations for these sorts of attacks didn't work,” Meta's engineering team told Guardio, according to the post.
The prevalence of phishing attacks and scams remains high, with attackers finding ways to put a new spin on, and increase the sophistication of, an old type of social engineering that still works. In fact, it's often used as an initial point of entry into corporate networks to launch ransomware and other attacks.
One emerging and concerning aspect of recent campaigns is an exploit of seemingly legitimate services, such as CRMs like Salesforce, marketing platforms, and cloud-based workspaces to carry out malicious activities, the researchers noted: “This represents a significant security gap, where traditional methods often struggle to keep pace with the evolving and advanced techniques employed by threat actors.”
Service providers, then, need to step up their security game to prevent these platforms from being abused in phishing scams that exploit secure and reputable mail gateways. Steps to do this include bolstering verification processes to ensure the legitimacy of users, as well as conducting comprehensive ongoing activity analysis to promptly identify any misuse of the gateway, whether through excessive volume or through analysis of metadata such as mailing lists and content characteristics.
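
On the receiving side, the pattern described above (a sender presenting itself as Meta Platforms from an @salesforce.com address, with a link to apps.facebook.com) can be checked without relying on domain reputation. The following is an added example, not code from Guardio's post; the brand-to-domain map, the user-content host list and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: brands this mailbox cares about -> domains allowed to send as them.
BRAND_DOMAINS = {
    "meta": {"meta.com", "facebook.com", "facebookmail.com"},
    "facebook": {"meta.com", "facebook.com", "facebookmail.com"},
}
# Assumption: hosts that serve third-party content under a trusted parent domain.
USER_CONTENT_HOSTS = {"apps.facebook.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def registrable(host):
    """Naive last-two-labels domain; sufficient for the .com names used here."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def analyze(raw):
    """Return findings for one RFC 5322 message, ignoring sender reputation."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender = registrable(addr.rpartition("@")[2])
    findings = []
    for brand, allowed in BRAND_DOMAINS.items():
        claimed = re.search(rf"\b{re.escape(brand)}\b", display, re.I)
        if claimed and sender not in allowed:
            findings.append(f"display name claims '{brand}' but sender is {sender}")
    hosts = set()
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            hosts |= {urlparse(u).hostname for u in URL_RE.findall(body)}
    for host in sorted(h for h in hosts if h in USER_CONTENT_HOSTS):
        findings.append(f"link to user-content host {host}")
    return findings

# Constructed sample messages (not taken from the campaign).
PHISH = """From: Meta Platforms <case-team@salesforce.com>
Subject: Account notice
Content-Type: text/plain

Review the request: https://apps.facebook.com/example-canvas/
"""
BENIGN = """From: Facebook <notification@facebookmail.com>
Subject: Login alert
Content-Type: text/plain

Manage settings: https://www.facebook.com/settings
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(name, analyze(raw))
```

Both findings fire on the constructed phish even though the sending domain and the linked domain are each legitimate, which is the gap reputation-based filtering leaves open.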
