Tel Aviv, Israel – August 2, 2023 – Guardio, a cybersecurity company leveraging cutting-edge machine learning and proprietary algorithms to deliver top-tier security solutions for both consumers and SMBs, is releasing today a report detailing their research team’s discovery of a sophisticated email phishing campaign exploiting a zero-day vulnerability in Salesforce’s legitimate email services and SMTP servers. The vulnerability allowed threat actors to craft targeted phishing emails, cleverly evading conventional detection methods by leveraging Salesforce’s domain and reputation and exploiting legacy quirks in Facebook’s web games platform.
83% of organizations face phishing attacks every year, and mass-market emails are the most prevalent form of phishing. Disguised as emails from reputable companies, they deceive recipients into taking harmful actions such as downloading malware or clicking on malicious links that expose credentials for social and financial accounts.
Using sophisticated phishing techniques, the threat actors successfully hid malicious email traffic within legitimate and trusted email gateway services, allowing them to capitalize on the companies’ volume and reputation. In the report, Guardio Labs' research team dissects the campaign, describes their discovery of the zero-day vulnerability exploited by threat actors, and investigates how it provided threat actors with an advantage over conventional email filtering methods.
The latest report details the discoveries, the methods of attack, how the verification system was bypassed by means of another Salesforce system, and much more. The release includes details such as:
- The phishing emails appeared authentic, mentioning the target’s real name and successfully bypassing traditional anti-spam and anti-phishing mechanisms, as they included legitimate links to Facebook and originated from an @salesforce.com email address.
- Threat actors exploited Salesforce’s “Email-To-Case” feature, which is designed to convert inbound customer emails into actionable tickets, allowing them to receive verification emails and gain control of a genuine @salesforce.com email address for their phishing campaign.
Following the successful identification of the scheme, Guardio disclosed its findings to Salesforce and Meta; both companies responded promptly and worked with Guardio to resolve the issue.
“This incident with Salesforce highlights the importance for service providers to exercise additional caution and implement stringent measures to prevent abuse of legitimate services for malicious activities,” said Nati Tal, Head of Guardio Labs and co-author of their latest report. “We commend Salesforce and Meta for their prompt actions and ongoing efforts to bolster the security and resilience of their platforms. We advise other service providers to follow suit, securing data gateways and bolstering verification processes.”
"At Salesforce, trust is our #1 value, and security is our top priority. We value the contributions of the security research community to help enhance our security efforts, and we are grateful to Guardio Labs for their responsible disclosure of this issue. Our team has resolved the issue, and at this time there is no evidence of impact to customer data. We continually encourage researchers to share their findings with our team at [email protected]."
Guardio is an industry-leading cybersecurity company ensuring a safe digital experience for private users and small businesses via its intuitive, easy-to-use browser extension and mobile apps. Founded in 2018 by cybersecurity industry veterans Amos Peled, Daniel Sirota, and Michael Weinstein, the company’s mission is to create a secure digital world for everyone, and it has gained over one and a half million users since its launch.