{
	"id": "1b73d997-6e4d-43eb-96ff-f0514c7efaa9",
	"created_at": "2026-04-06T00:13:27.774217Z",
	"updated_at": "2026-04-10T03:21:04.210419Z",
	"deleted_at": null,
	"sha1_hash": "e3a866d9e3cf38da962d148cad7304bbddcb7a6d",
	"title": "Hackers exploited Salesforce zero-day in Facebook phishing attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2232392,
	"plain_text": "Hackers exploited Salesforce zero-day in Facebook phishing attack\r\nBy Bill Toulas\r\nPublished: 2023-08-02 · Archived: 2026-04-05 18:00:37 UTC\r\nHackers exploited a zero-day vulnerability in Salesforce's email services and SMTP servers to launch a sophisticated\r\nphishing campaign targeting valuable Facebook accounts.\r\nThe attackers chained a flaw dubbed \"PhishForce,\" to bypass Salesforce's sender verification safeguards and quirks in\r\nFacebook's web games platform to mass-send phishing emails.\r\nThe benefit of using a reputable email gateway like Salesforce to distribute phishing emails is the evasion of secure email\r\ngateways and filtering rules, ensuring that the malicious emails reach the target's inbox.\r\nhttps://www.bleepingcomputer.com/news/security/hackers-exploited-salesforce-zero-day-in-facebook-phishing-attack/\r\nPage 1 of 6\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/hackers-exploited-salesforce-zero-day-in-facebook-phishing-attack/\r\nPage 2 of 6\n\nVisit Advertiser websiteGO TO PAGE\r\nThe campaign was discovered by Guardio Labs analysts Oleg Zaytsev and Nati Tal, who reported the unknown vulnerability\r\nto Salesforce and helped them with the remediation process.\r\nHowever, the discovered issues in Facebook's game platform are outstanding, as Meta's engineers are still trying to figure\r\nout why the existing mitigations failed to stop the attacks.\r\nPhishForce abused in attacks\r\nThe Salesforce CRM allows customers to send emails as their own brand using custom domains that the platform must first\r\nverify. 
This prevents customers from sending out emails through Salesforce as other brands that they do not have permission\r\nto impersonate.\r\nHowever, Guardio Labs says the attackers figured out a way to exploit Salesforce's \"Email-to-Case\" feature, which\r\norganizations use for converting incoming customer emails to actionable tickets for their support teams.\r\nSpecifically, the attackers set up a new \"Email-to-Case\" flow to gain control of a Salesforce-generated email address, then\r\ncreated a new inbound email address on the \"salesforce.com\" domain.\r\nGenerated Salesforce address (Guardio Labs)\r\nNext, they set that address as an \"Organization-Wide Email Address,\" which Salesforce's Mass Mailer Gateway uses for\r\noutbound emails, and finally went through the verification process to confirm ownership of the domain.\r\nClicking on the verification link to confirm ownership (Guardio Labs)\r\nThis process allowed them to use their Salesforce email address to send out messages to anyone, bypassing both Salesforce's\r\nverification protections and any other email filters and anti-phishing systems in place.\r\nIndeed, this is what Guardio Labs observed in the wild, with phishing emails that supposedly came from \"Meta Platforms\"\r\nusing the \"case.salesforce.com\" domain.\r\nPhishing email sampled from a real attack (Guardio Labs)\r\nClicking on the embedded button takes the victim to a phishing page hosted and displayed as part of the Facebook gaming\r\nplatform (\"apps.facebook.com\"), which adds further legitimacy to the attack and makes it even harder for the email\r\nrecipients to realize the fraud.\r\nPhishing page hosted on the Facebook gaming platform (Guardio Labs)\r\nThe goal of the 
phishing kit employed in this campaign is to steal Facebook account credentials, even featuring two-factor\r\nauthentication bypassing mechanisms.\r\nThe observed attack chain (Guardio Labs)\r\nMeta still investigating\r\nAfter confirming the issues by replicating the creation of a Salesforce-branded address capable of disseminating phishing\r\nemails, Guardio Labs notified the vendor of their discovery on June 28, 2023.\r\nSalesforce reproduced the vulnerability and resolved the problem exactly a month later, on July 28, 2023.\r\nRegarding the abuse of \"apps.facebook.com,\" Guardio Labs notes that it should be impossible for the attackers to create the\r\ngame canvas used as a landing page since Facebook retired this platform in July 2020.\r\nHowever, legacy accounts that used the platform before its deprecation still have access, and threat actors might be paying a\r\npremium for those accounts on the dark web.\r\nMeta removed the violating pages upon Guardio Labs' report; however, its engineers are still investigating why existing\r\nprotections failed to stop the attacks.\r\nAs phishing actors continue to explore every potential abuse opportunity on legitimate service providers, novel security gaps\r\nconstantly threaten to expose users to severe risks.\r\nThus, it is essential not to rely solely on email protection solutions, but also to scrutinize every email that lands in your inbox,\r\nlook for inconsistencies, and double-check all claims made in those messages.\r\nSource: https://www.bleepingcomputer.com/news/security/hackers-exploited-salesforce-zero-day-in-facebook-phishing-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/hackers-exploited-salesforce-zero-day-in-facebook-phishing-attack/"
	],
	"report_names": [
		"hackers-exploited-salesforce-zero-day-in-facebook-phishing-attack"
	],
	"threat_actors": [],
	"ts_created_at": 1775434407,
	"ts_updated_at": 1775791264,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e3a866d9e3cf38da962d148cad7304bbddcb7a6d.pdf",
		"text": "https://archive.orkl.eu/e3a866d9e3cf38da962d148cad7304bbddcb7a6d.txt",
		"img": "https://archive.orkl.eu/e3a866d9e3cf38da962d148cad7304bbddcb7a6d.jpg"
	}
}