Cybercriminals are always looking for their next exploit, and attackers recently found the golden chalice of exploits: a zero-day. This zero-day, however, was not a software flaw but a vulnerability in the flow of emails through the Salesforce CRM system. Even so, the flaw was previously unknown to Salesforce, and so this zero-day vulnerability was used to carry out a sophisticated phishing campaign. Further still, the attackers exploited features of a legacy game platform from Meta to trick users into handing over their Facebook login credentials. The attack is clever and uses all the tricks of the phishing trade. Here is a look at what happened in the Salesforce phishing attack and how your organization can ensure you do not become a victim of this attack or any other phishing campaign.

Why Target Salesforce?

Salesforce is indeed a force to contend with. Salesforce is the world's number one CRM platform, with almost 20% of the market share; 150,000 companies use the platform. The company has grown by over 50% in the last 20 years. In other words, Salesforce is a popular platform, and anything popular will attract cybercriminals like flies to honey.

Salesforce is used by many of the top 500 companies in the world, but companies of all sizes use the platform. This makes Salesforce a trusted brand, and anyone receiving an email that uses a salesforce.com domain will typically trust the email. It is this trust that the cybercriminals wish to exploit.

How Did the Salesforce Phishing Campaign Work?

The most successful phishing campaigns manipulate elements of human behavior, including conformism, fear, and a sense of urgency. There are several ways that scammers achieve this, but they all work by creating and then abusing trust. In the case of the Salesforce phishing campaign, the abuse of trust looked like this:

Phase One: Legitimizing the Phishing Email Using "PhishForce"

The fundamental trick in the Salesforce phishing campaign was to generate phishing emails that used a legitimate Salesforce email domain, @salesforce.com; this attack technique has been called "PhishForce." To achieve this, the attackers exploited a feature in the Salesforce CRM email gateway that allows Salesforce clients to brand their Salesforce CRM-managed emails with custom domains, which the platform must verify.

The attack is initiated via a feature known as "Email-to-Case," used by organizations to convert incoming customer emails into actionable tickets for support teams. Using this flow, the attackers gained control of a Salesforce-generated email address, which was then used to create a new inbound email address on the salesforce.com domain. The next step was to create an "Organization-Wide Email Address," the kind of address used by Salesforce's Mass Mailer Gateway for outbound emails.

When the attackers received verification emails as part of the Email-to-Case flow, they processed the verification request to take control of that domain. The attackers could then create phishing emails using the salesforce.com domain and send them to targets.

Salesforce has protective measures to prevent this type of abuse, but the scammers found a way around them using the Email-to-Case feature; this was a zero-day vulnerability, as Salesforce was unaware that this process flaw existed.

The attackers were cunning in identifying the Email-to-Case feature, which they then abused as part of a complex attack chain, with the verification email step being the point of manipulation. Then, having gained control of the domain, they changed the email content and elements of the email, such as the sender's username, so that the phishing email looked like a genuine email from a legitimate company with a legitimate domain.

Importantly, having a legitimate domain meant the phishing emails could bypass conventional email filters, as the domain was allowed.

Phase Two: Meta Manipulation

The Salesforce phishing emails looked like they had been sent by "Meta Platforms" (aka Facebook). The phishing email included a link to a Facebook games platform; this platform was deprecated in 2021 but was still available to support games developed before that date.

The phishing email content used typical behavior manipulation tactics such as urgency and concern over security. The email warned the recipient that their Facebook account would be suspended due to suspicious activity unless they logged in and disputed the findings.

If the email recipient clicked the link, they would be taken to a "Meta Support" page hosted on the deprecated Meta game platform; it is believed that the attackers hijacked an account associated with an old game. Any data and login credentials entered into the fake Meta support page would go straight to the attackers.
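As an added defender-side illustration (not code from the original post or from TitanHQ), a check that does not depend on domain reputation: it flags a From display name that names a brand (here Meta/Facebook) while the address sits on an unrelated domain, and pairs that with the account-suspension urgency wording the campaign used. The brand-to-domain table and the two sample messages are constructed for this example.

```python
"""Brand/domain mismatch check for the PhishForce pattern: the From header read
"Meta Platforms" while the address was on salesforce.com, so a filter that only
trusted the sending domain let it through."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional, Tuple

# Constructed mapping (assumption): brands an attacker may impersonate and the
# domains those brands legitimately send from. Extend from your own allow-list.
BRAND_DOMAINS = {
    "meta": {"meta.com", "facebookmail.com", "facebook.com"},
    "facebook": {"meta.com", "facebookmail.com", "facebook.com"},
}

# Urgency cues from the campaign's wording (suspension, suspicious activity).
URGENCY = re.compile(r"suspend|suspicious activity", re.I)


def sender_parts(from_header: str) -> Tuple[str, str]:
    """Return (display name, sending domain), both lower-cased."""
    name, addr = parseaddr(from_header)
    return name.lower(), addr.rpartition("@")[2].lower()


def impersonated_brand(from_header: str) -> Optional[str]:
    """Brand named in the display name whose domains exclude the sender, or None."""
    name, domain = sender_parts(from_header)
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name and domain not in domains:
            return brand
    return None


def score_message(raw: str) -> dict:
    """Score a raw RFC 5322 message on brand mismatch plus urgency cues."""
    msg = message_from_string(raw)
    brand = impersonated_brand(msg.get("From", ""))
    body = (msg.get_payload(decode=True) or b"").decode(errors="replace")
    urgent = bool(URGENCY.search(body))
    verdict = "phish" if brand and urgent else ("suspicious" if brand or urgent else "clean")
    return {"brand_mismatch": brand, "urgency": urgent, "verdict": verdict}


# Constructed samples mirroring the campaign's shape; not real captured mail.
SAMPLE_PHISH = """From: Meta Platforms <noreply@salesforce.com>
Subject: Action required on your account

Your account will be suspended due to suspicious activity unless you dispute it now.
"""
SAMPLE_LEGIT = """From: Meta <security@facebookmail.com>
Subject: New login

You logged in from a new device.
"""
```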

The stolen credentials may only have been Facebook login credentials, but around 44% of employees reuse login credentials for both personal and professional applications.

How Can Zero-Day Phishing Attacks Be Prevented?

While the attackers didn't specifically target Salesforce users, this exploit will undoubtedly have sent ripples across the 150,000 companies that use Salesforce. And even though the Email-to-Case flaw was resolved on the 28th of July 2023, these kinds of exploits will continue. Hackers are clever and should never be underestimated. It would help to use security measures that deliver layers of integrated protection to prevent your organization from being attacked by clever behavior manipulation and zero-day vulnerabilities. There are two foundational layers to consider, consisting of the following:

Security Awareness Training

The foundation of phishing prevention is security awareness training for employees and other non-employees, such as contractors. Phishing depends on being able to manipulate users and trick them into thinking an email or other message is authentic. Security awareness training from SafeTitan is behavior-driven, focusing on adapting the behavior of individual employees to improve security awareness and responsiveness to phishing. SafeTitan provides gamified training sessions with real-time intervention to improve learning outcomes. SafeTitan also provides a phishing simulation platform that effectively changes security behavior to create a positive security stance individually.

Multiple Layers of Phishing Prevention

In addition to security awareness training, sophisticated threats such as the Salesforce zero-day phishing campaign must be tackled using multiple layers of security to ensure the detection and prevention of any phishing attempts, no matter how cleverly disguised. SpamTitan Plus, WebTitan and ArcTitan are behind TitanHQ's Triple Threat Defense system, TitanSecure.

Using advanced AI-driven threat intelligence, these award-winning solutions protect your end users from phishing, malware, and cyber-attacks. TitanSecure is an integrated platform that provides all-in-one advanced Email Security, Network and DNS Protection, Data Loss Prevention, and Email and Teams Archiving.

Contact TitanHQ to learn how our solutions can prevent even the most manipulative zero-day phishing attacks.

Talk to our Team today