Since the start of 2024, Egress’ threat intelligence team has seen a 109% increase in Salesforce phishing attacks that are sent from what appears to be a legitimate Salesforce-linked email domain and that impersonate Meta. Leveraging obfuscation techniques to mask a malicious URL, attackers are attempting to drive users to a very convincing spoof of a Meta ‘Partner Portal’ to harvest their credentials.
When Egress Defend first detected the attack, the malicious payload within the campaign had not been identified by the antivirus scanners and URL/domain blocklisting services on VirusTotal.
Quick Attack Summary
Vector and type: Email phishing
Techniques: Obfuscation, impersonation and social engineering
Payload: Phishing link that leads to a spoof website
Targets: Organizations in the UK and North America
Platform: Microsoft 365
Bypassed SEG and native security: Yes
To evade traditional perimeter defenses, the attacker uses several techniques to increase deliverability. This includes sending the email from a legitimate sender (Salesforce), impersonating a well-known company, using obfuscation techniques to mask a malicious payload that has not been recorded on any blocklists, and finally using a new template that hasn't been previously detected by Egress Defend.
What the attack looks like
In this phishing attack, the cybercriminal has sent the email from a legitimate Salesforce domain. Because Salesforce is so widely used, many users either regularly receive emails from it or at least recognize the brand, which lowers their suspicion of the email. The body of the email itself impersonates the well-known company Meta, with a subject line advising the recipient to take ‘urgent action’ to ensure their Facebook account is not permanently closed.
The body of the initial email informs the recipient that they have breached Meta’s terms of service, using social engineering tactics to make the recipient feel guilty for “breaking the rules”. Combined with the potential panic that their account will be closed, this encourages them to act quickly by a specific date.
The attacker’s hope is that the recipient will click the link carrying the malicious payload which redirects to a spoof Meta Partner Portal. In this case, attackers have concealed a malicious URL with a ‘notifications.google’ redirect link, meaning that if the recipient were to hover over the ‘Facebook Help’ title link on the template, they would see a link from a well-trusted service like Google, potentially increasing confidence in the email’s legitimacy. Despite the spoof website domain having a registered domain age of only five days at the time of writing, it is still getting through most AV checks and blocklists. Two days after the attack was initially detected by Egress Defend, the attack bypassed them all.
Moreover, this email passed SPF, DKIM and DMARC authentication, making it more difficult for signature-based anti-phishing technologies (like secure email gateways) to detect it.
Meta impersonation attack sent from legitimate Salesforce domain, using social engineering to trick people into clicking on a phishing link, with anti-phishing banners added by Egress Defend.
The spoof Meta Partner Portal is used as a credential harvesting tool, designed to trick recipients into sharing their log-in details. Any details provided are sent in plain text to a command-and-control server linked to the malicious website, meaning the cybercriminal will obtain the victims’ email address and password. The credentials can then be used to compromise victims’ Facebook accounts and any other accounts that share the same log-in details.
Convincing spoof Meta ‘Partner Portal’ used to harvest credentials.
Legitimate Meta partner page that cybercriminals have replicated
However, the attack does not stop there! As a multi-step attack, once the victim has entered their credentials another redirect is performed, taking them to a sophisticated impersonation of the Meta website. Disguised as a webform to provide further assistance, it requires the recipient to input their name, business name, email address, phone number, and any other information they provide in the final field of the form, which the cybercriminal can use to perform follow-up attacks.
If the recipient goes on to click the ‘start chat’ button, a final redirect is performed to the legitimate Facebook website and the attack comes to an end.
Spoof Meta webform, used to harvest further credentials from the recipient.
Using a legitimate email domain
In an attempt to bypass security detection technologies, the attacker has used a legitimate domain linked to Salesforce to send phishing emails. The Egress Threat Intelligence team suspects that, in this case, the attacker has compromised a business using Salesforce and has then been able to send the attack through legitimate Salesforce servers.
Salesforce is an extremely large platform with over 150,000 customers, meaning that organizations may receive numerous ‘email@example.com’ emails that employees could be familiar with. Therefore, users are less likely to treat the email with suspicion, nor will many perimeter or native defenses prompt them to do so. Organizations using Microsoft 365 may even have Salesforce on their safe sender lists, meaning that, regardless of the email body, the email would be considered as received from a ‘trusted sender’.
Obfuscation of malicious URL
Obfuscation is a common technique used by cybercriminals, enabling them to hide their attack from certain detection mechanisms. In this case, the cybercriminal has concealed a malicious payload using a ‘notification.google’ redirect link, which could be considered an interesting variation of a common obfuscation technique allowing cybercriminals to hijack legitimate hyperlinks. Usually, an attacker would either host a malicious payload on a legitimate site or use a legitimate website link to mask the ultimate destination. However, in this attack, the cybercriminal has used a legitimate Google service to redirect to a malicious site, highlighting the ever-evolving threat landscape. This is also detrimental to blocklists, as they will be unable to do a mass block of all ‘notification.google’ links, due to their legitimate use elsewhere.
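One defensive answer to the redirect-wrapping described above is to evaluate the embedded destination rather than the redirector host, so the legitimate service never has to be blocked wholesale. The following is an added example, not Egress’ or Google’s code: it assumes the redirector hostname (the post only names ‘notifications.google’), a placeholder list of the brand’s genuine hosts, and a constructed email body; it unwraps any absolute URL carried in a known redirector’s query string and flags links whose visible text names the brand but whose final destination is off-brand.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs
# Assumptions: the post names only 'notifications.google', so the full redirector
# hostname below and the brand's genuine hosts are assumed placeholder values.
REDIRECTOR_HOSTS = {"notifications.google.com"}
BRAND_HOSTS = {"facebook.com", "meta.com"}

class LinkExtractor(HTMLParser):
    # Collects (href, visible text) for every <a> element in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def unwrap_redirect(url):
    """Return the absolute URL embedded in a known redirector's query, else url."""
    parsed = urlparse(url)
    if parsed.hostname in REDIRECTOR_HOSTS:
        for values in parse_qs(parsed.query).values():  # parse_qs percent-decodes
            for candidate in values:
                inner = urlparse(candidate)
                if inner.scheme in ("http", "https") and inner.hostname:
                    return candidate
    return url

def analyse_links(html):
    """Return (visible text, final destination host, reasons) for each link."""
    parser = LinkExtractor(); parser.feed(html)
    findings = []
    for href, text in parser.links:
        final = unwrap_redirect(href)
        host = (urlparse(final).hostname or "").lower()
        on_brand = any(host == b or host.endswith("." + b) for b in BRAND_HOSTS)
        reasons = ["redirector-wrapped"] if final != href else []
        if ("facebook" in text.lower() or "meta" in text.lower()) and not on_brand:
            reasons.append("brand text but off-brand destination")
        findings.append((text, host, reasons))
    return findings
# Constructed sample body (not the real lure): one wrapped link, one genuine link.
SAMPLE = ('<a href="https://notifications.google.com/r?url=https%3A%2F%2Fportal-example.test%2Flogin">Facebook Help</a>'
          '<a href="https://www.facebook.com/help">Help Center</a>')
```

The unwrapped host is what should be checked against domain-age and reputation data, which is exactly the signal a blocklist keyed on the redirector host would miss.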
Techniques to take advantage of the busy employee
Both the use of a legitimate domain and the obfuscation of the malicious URL are techniques designed to socially engineer employees who are either less tech-savvy or too busy to drill into the specifics of each email they receive.
It is very unlikely for an employee to consider the legitimacy of an email that comes from a trusted domain, especially if that domain is on any kind of ‘safe sender’ list. This is why, according to Egress’ latest Email Security Risk Report, 52% of cybersecurity leaders said they are most stressed about phishing attacks sent from compromised accounts, closely followed by 42% who are stressed about account takeover within their organization. If a domain looks legitimate, it is extremely difficult for any employee to identify that the account may have been compromised, especially those who are over-stretched.
The use of obfuscation to conceal a malicious URL also preys on an employee with very little time. It is unlikely that the recipient would hover over the link in the text body and read it in its entirety. It is more plausible that the recipient would notice the hyperlink starts with ‘notification.google’ and be more willing to trust this because Google is a legitimate service.
Advanced detection for sophisticated threats
Sophisticated phishing attacks that layer several advanced techniques to increase deliverability can be extremely hard to detect. Additionally, organizations cannot rely on people to detect these attacks. The obfuscation techniques used confirm that methods like hovering over a suspicious link are less effective, and the sophisticated brand impersonation and legitimate trusted sender domain typically mean people are much less suspicious.
In this case, any detection technology would need to recognize that the attack may be sent from a legitimate compromised account, that there is a concealed malicious URL, and the payload has not yet been recognized on any blocklist. Therefore, identification requires a holistic approach that cannot rely on one mechanism alone (like signature-based detection that only identifies known threats).
To identify and stop sophisticated inbound threats like the attack above, Egress Defend uses intelligent detection methods such as pre-generative AI, zero-trust models, and linguistic analysis to reach a comprehensive view of every email that lands in a user’s inbox. Seamlessly integrating with Microsoft 365, Defend is then able to provide employees with real-time warnings and advice, improving security awareness and reducing long-term risk.