
Salesforce Email Service Under Attack: Understanding the Zero-Day Phishing Campaign


Email Security: Zero-Day Exploited in Salesforce Phishing Campaign

By | August 3, 2023

Salesforce, the popular customer relationship management (CRM) platform, recently experienced a sophisticated phishing campaign that exploited a zero-day vulnerability in its email service. Security firm Guardio discovered that threat actors sent legitimate-looking emails to targeted users, tricking them into providing their Facebook account information.

The Phishing Campaign

The attackers sent emails that appeared to come from ‘Meta Platforms’ but were sent from an @salesforce.com address. These emails mentioned the targeted user’s real name and encouraged the user to click a button that directed them to a legitimate Facebook domain.

Upon reaching the Facebook domain, users were informed that they had violated Facebook’s terms of service and were redirected to a phishing page where they were instructed to provide their Facebook account information, including their name, account name, email address, phone number, and password.

What made the campaign sophisticated was that the phishing emails bypassed traditional security mechanisms because of the @salesforce.com sender address and the link that pointed to facebook.com. The attackers targeted the Email Gateway component in the Salesforce CRM, specifically the ‘Email-To-Case’ feature, which is designed to convert customer inbound emails into actionable tickets in Salesforce.

By abusing this feature, the attackers gained control over a legitimate Salesforce email address, which they used to send out the phishing emails. Furthermore, the phishing page was hosted on a legacy web games platform that Facebook offered until 2021: the attackers gained access to an account associated with such a game and used it to host their phishing page.
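A defender-side check for the mismatch described above, as an added example that is not code from Guardio, Salesforce or Meta: it flags a message whose From display name claims a brand while the sender address belongs to a different domain, even when sender authentication passes. The brand allowlist, the use of an Authentication-Results header as the "traditional" check, and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allowlist of domains each brand really sends from; maintain your own.
BRAND_DOMAINS = {
    "meta": {"meta.com", "facebook.com", "facebookmail.com"},
    "facebook": {"meta.com", "facebook.com", "facebookmail.com"},
}

def registrable(domain):
    # Naive last-two-labels heuristic; use a public-suffix list in production.
    return ".".join(domain.lower().split(".")[-2:])

def brand_mismatch(raw):
    """Return (brand, sender_domain) when the From display name claims a
    brand that the sender's domain does not belong to, else None."""
    display, addr = parseaddr(message_from_string(raw).get("From", ""))
    domain = registrable(addr.rpartition("@")[2])
    for word in re.findall(r"[a-z]+", display.lower()):
        allowed = BRAND_DOMAINS.get(word)
        if allowed is not None and domain not in allowed:
            return word, domain
    return None

def dmarc_pass(raw):
    # True when the receiving gateway recorded a DMARC pass for the message.
    results = message_from_string(raw).get("Authentication-Results", "")
    return "dmarc=pass" in results.lower()

# Constructed samples (placeholder local parts and hostnames).
SAMPLE_ABUSED = "\n".join([
    "Authentication-Results: mx.example.net; dmarc=pass header.from=salesforce.com",
    'From: "Meta Platforms" <placeholder@salesforce.com>',
    "Subject: Account notice",
    "",
    "Body omitted.",
])
SAMPLE_GENUINE = "\n".join([
    "Authentication-Results: mx.example.net; dmarc=pass header.from=facebookmail.com",
    'From: "Meta Platforms" <placeholder@facebookmail.com>',
    "Subject: Account notice",
    "",
    "Body omitted.",
])

if __name__ == "__main__":
    for name, raw in (("abused", SAMPLE_ABUSED), ("genuine", SAMPLE_GENUINE)):
        print(name, "dmarc_pass:", dmarc_pass(raw), "mismatch:", brand_mismatch(raw))
```

Both samples pass the authentication check, so only the display-name comparison separates them.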

Salesforce Response and Impact

Guardio promptly notified Salesforce about the zero-day vulnerability on June 28, and within a month, a fix was rolled out to all impacted services and instances. This fix prevented the use of an address from the Salesforce domain to send emails. Salesforce has also stated that there is no evidence of any impact to customer data.

Meta’s engineering and security teams were also notified about the incident, and they removed the malicious accounts and the game associated with the phishing page. Furthermore, Salesforce is conducting a root cause analysis to understand why their existing security measures failed to prevent this abuse.

Implications and Advice

This phishing campaign highlights the continuous threat of email-based attacks and the importance of strong security measures to protect user information. While Salesforce promptly addressed the zero-day vulnerability and resolved the issue, the incident is a reminder that even widely used platforms are not immune to cyber attacks.

Users must remain vigilant and adopt a proactive approach to their own internet security. It is crucial to exercise caution when clicking on links or downloading attachments in emails, even if they appear to come from familiar and trusted sources. Additionally, implementing multi-factor authentication and regularly updating passwords can provide an additional layer of protection.

Organizations should also prioritize robust security practices, including regular vulnerability assessments, patch management, and user awareness training. By staying informed about the latest security threats and proactively implementing measures to mitigate risk, companies can better protect themselves and their customers from the evolving landscape of cyber threats.

Overall, this incident is a stark reminder of the crucial role that internet security plays in our daily lives, and a call to action for individuals and organizations alike to remain vigilant and proactive in protecting their online presence.
