Cybersecurity company Guardio has released a report detailing its research team's discovery of a sophisticated email phishing campaign exploiting a zero-day vulnerability in Salesforce's legitimate email services and SMTP servers.
The vulnerability allowed threat actors to craft targeted phishing emails, cleverly evading conventional detection methods by leveraging Salesforce's domain and reputation and exploiting legacy quirks in Facebook's web games platform.
Eighty per cent of organisations face phishing attacks every year, and mass-market emails are the most prevalent form of phishing, cleverly disguised as emails from reputable companies, through which recipients are deceived into taking harmful actions like downloading malware or clicking on malicious links which expose credentials to social and financial accounts.
According to Guardio, using sophisticated phishing techniques, the threat actors successfully hid malicious email traffic within legitimate and trusted email gateway services, allowing them to capitalise on the companies volume and reputation. In the report, Guardio Labs research team dissects the campaign, describes their discovery of the zero-day vulnerability exploited by threat actors, and investigates how it provided threat actors with an advantage over conventional email filtering methods.
The latest report details discoveries, methods of attack, how the verification system was overpowered by another Salesforce System, and much more.
Guardio says the phishing emails appeared authentic, mentioning the targets real name and successfully bypassing traditional anti-spam and anti-phishing mechanisms, as they included legitimate links to Facebook and originated from the @salesforce.com email address.
Threat actors exploited Salesforce's Email-To-Case feature, which is designed to convert customer inbound emails into actional tickets, allowing them to receive verification emails and gain control of a genuine @salesforce.com email address for their malicious phishing endeavours.
Following the successful identification of the scheme, Guardio disclosed their findings to Salesforce and Meta, and both companies responded promptly to address the issue and worked with Guardio to close the issue.
"This incident with Salesforce highlights the importance for service providers to exercise additional caution and implement stringent measures to prevent abuse of legitimate services for malicious activities," says Nati Tal, Head of Guardio Labs and co-author of their latest report.
"We commend Salesforce and Meta for their prompt actions and ongoing efforts to bolster the security and resilience of their platforms," Tal says.
"We advise other service providers to follow suit, securing data gateways and bolstering verification processes."
"At Salesforce, trust is our #1 value, and security is our top priority," Saleforce says.
"We value the contributions of the security research community to help enhance our security efforts, and we are grateful to Guardio Labs for their responsible disclosure of this issue.
"Our team has resolved the issue, and at this time there is no evidence of impact to customer data."