MailGuard Blog — Breaking alerts, news and updates on cybersecurity topics

Compromised Salesforce Infrastructure Exploited in Meta Support Scam

Written by MailGuard | 12 September 2025 05:59:25 Z

Businesses are being targeted with a Meta Support scam that arrives from a compromised Salesforce account. MailGuard's threat detection network has identified and intercepted a sophisticated phishing campaign that leverages compromised Salesforce infrastructure to target business users with convincing account security review notifications. The attack demonstrates the evolving tactics cybercriminals employ to exploit trusted platforms and bypass traditional email security measures, on this occasion delivering users to a fake Meta Support chat window.

The Threat: Compromised Infrastructure from a Trusted Source

Our security operations team has observed a concerning trend where attackers have compromised legitimate Salesforce customer accounts to distribute phishing emails. These messages appear authentic because they originate directly from Salesforce's own email infrastructure, making them particularly challenging to detect through conventional filtering methods.

The emails present themselves as urgent security notifications from "Daniel Hughes (Security Operations)" using the legitimate noreply(at)salesforce(dot)com address. The subject line "Ongoing review of your account to check for unusual activity" creates an immediate sense of urgency that compels recipients to act quickly without proper verification.

Anatomy of the Attack

This multi-stage phishing operation demonstrates sophisticated social engineering techniques designed to harvest sensitive business credentials and establish persistent access to target organisations.

Stage 1: The Initial Email

The attack begins with a professionally crafted HTML email that mirrors legitimate security notification formats. The message claims to detect "activity on your personal account that may not comply with our Community Standards" and lists concerning findings including:

  • Content that may be inconsistent with policies
  • Unusual or suspicious login behavior
  • Posts or interactions flagged for further review

The email includes a prominent "Review Case" button directing recipients to what appears to be a legitimate support portal.

Stage 2: Credential Harvesting

Clicking the malicious link redirects users to a sophisticated phishing site hosted at accountscentre-livechat(dot)com that closely mimics Meta's business support interface. The fake portal requests:

  • First and last name
  • Business email address
  • Ticket ID (provided in the initial email)

This information collection phase is designed to appear as standard identity verification while actually harvesting critical business contact information that can be used for subsequent targeted attacks.


Stage 3: Extended Engagement

After submitting initial details, victims are directed to a live chat interface that maintains the illusion of legitimate support interaction. This extended engagement serves multiple purposes:

  • Provides additional time for data collection
  • Creates a sense of authentic customer service interaction
  • Potentially harvests additional sensitive information through conversational social engineering

Key Warning Signs

Security-conscious organisations should train their teams to recognise several critical indicators that distinguish this attack from legitimate communications:

  • Generic Addressing: The emails are not personalized to specific recipients, using generic greetings rather than addressing individuals by name.
  • Urgency Manipulation: The messages create artificial time pressure by suggesting immediate account restrictions and review requirements.
  • Credential Requests: Legitimate security notifications from established platforms rarely require users to submit personal information through external portals.
  • Domain Discrepancies: While the sending address appears legitimate, the landing page uses a suspicious domain that does not match official company URLs.
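
The domain-discrepancy sign above can be checked automatically during triage. The Python below is an added example, not MailGuard's detection logic: the allowlist, the function names and the sample message (whose link host is a placeholder) are assumptions constructed for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: link domains the defender expects for each sending platform.
ALLOWED_LINK_DOMAINS = {"salesforce.com": {"salesforce.com", "force.com"}}

# Constructed sample modelled on the email described above; the
# "Review Case" link host is a placeholder, not the campaign's domain.
SAMPLE = (
    'From: "Daniel Hughes (Security Operations)" <noreply@salesforce.com>\n'
    "Subject: Ongoing review of your account to check for unusual activity\n"
    "MIME-Version: 1.0\n"
    'Content-Type: text/html; charset="utf-8"\n'
    "\n"
    '<p>Hello,</p><a href="https://support-portal.example/case?id=1">Review Case</a>'
    '<a href="https://help.salesforce.com/">Help</a>\n'
)


class LinkCollector(HTMLParser):
    """Collect href targets from anchor tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def host_matches(host, domain):
    """True only for the domain itself or a real subdomain (not a lookalike suffix)."""
    return bool(domain) and (host == domain or host.endswith("." + domain))


def off_domain_links(raw_message):
    """Return (sender_domain, sorted link hosts outside that sender's allowlist)."""
    msg = message_from_string(raw_message, policy=policy.default)
    addrs = msg["From"].addresses if msg["From"] else ()
    sender_domain = addrs[0].domain.lower() if addrs else ""
    allowed = ALLOWED_LINK_DOMAINS.get(sender_domain, {sender_domain})
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    hosts = {(urlsplit(h).hostname or "").lower().rstrip(".") for h in collector.hrefs}
    hosts.discard("")
    return sender_domain, sorted(
        h for h in hosts if not any(host_matches(h, d) for d in allowed))
```

A non-empty result is a triage signal to weigh alongside the other warning signs; an empty one does not clear a message.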

Business Impact and Risk Assessment

This attack vector represents a significant escalation in phishing sophistication, with several concerning implications for business security:

  • Infrastructure Exploitation: By compromising legitimate Salesforce accounts, attackers bypass reputation-based filtering and leverage trusted sender relationships.
  • Multi-Stage Persistence: The extended chat interface suggests attackers are investing significant resources in maintaining prolonged engagement with targets.
  • Intelligence Gathering: The information harvested can be used for subsequent business email compromise (BEC) attacks, targeted spear phishing, or credential stuffing operations against corporate systems.
  • Trust Erosion: Successful attacks of this nature can damage confidence in legitimate security communications, potentially causing organizations to ignore genuine security alerts.

MailGuard's Detection and Response

MailGuard's advanced threat detection algorithms identified this campaign through behavioural analysis and threat intelligence correlation, enabling our customers to remain protected even when traditional signature-based detection methods fail. Our "zero zero-day" technology recognized the attack patterns before widespread distribution, demonstrating the critical importance of AI-powered email security solutions.

The rapid identification and blocking of this threat prevented potentially significant security breaches across our client base, highlighting the value of proactive threat hunting and real-time protection capabilities.

Recommended Security Measures

Organisations should implement comprehensive email security protocols that extend beyond traditional filtering approaches:

  • User Education: Regular security awareness training should emphasize verification procedures for unexpected security communications, regardless of apparent sender legitimacy.
  • Multi-Factor Authentication: Implement robust MFA across all business systems to mitigate the impact of credential compromise.
  • Incident Response Planning: Establish clear procedures for reporting and responding to suspected phishing attempts, ensuring rapid containment of potential breaches.
  • Advanced Email Protection: Deploy AI-powered email security solutions capable of behavioral analysis and real-time threat detection rather than relying solely on signature-based filtering.

Stay Safe, Know the Signs

MailGuard advises all recipients of these emails to delete them immediately without clicking on any links. Responding or providing personal details can lead to identity theft, data breaches, and financial losses.

Avoid emails that:

  • Aren’t addressed to you personally.
  • Are unexpected and urge immediate action.
  • Contain poor grammar or miss crucial identifying details.
  • Direct you to a suspicious URL that isn’t associated with the genuine company.

Many businesses turn to MailGuard after a near miss or incident. Don't wait until it's too late. Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.

One Email Is All That It Takes   

All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.     

For a few dollars per staff member per month, you can protect your business with MailGuard's specialist 'zero zero-day' email security. Special Ops for when speed matters! Our real-time 'zero zero-day' email threat detection amplifies our clients' intelligence, knowledge, security and defence. Talk to a solution consultant at MailGuard today about securing your company's inboxes.
