An actively exploited zero-day vulnerability in Salesforce’s legitimate email services could have let threat actors craft targeted phishing emails under the Salesforce domain and infrastructure.
In a blog post Aug. 2, Guardio Labs said to make matters more complicated, the phishing campaign evaded conventional detection methods by chaining the Salesforce flaw with legacy bugs in Facebook’s web games platform.
Guardio disclosed these issues on June 28 and worked with both Salesforce and Meta to remediate the vulnerability.
Now that the fix has been applied, the Guardio researchers said the Salesforce system will now check the validity of the domain in use against the approved domains list before even initiating the address verification process, leaving it impossible to use an address from the Salesforce domain to send an email.
“The prevalence of phishing attacks and scams remains high, with bad actors continuously testing the limits of email distribution infrastructure and existing security measure,” wrote the Guardio researchers. “A concerning aspect of this ongoing battle is the exploitation of seemingly legitimate services, such as CRMs, marketing platforms, and cloud-based workspaces, to carry out malicious activities. This represents a significant security gap, where traditional methods often struggle to keep pace with the evolving and advanced techniques employed by threat actors.”
While we can consider the Salesforce case a unique attack, what’s particularly interesting is the way it took advantage of the vulnerability to host and send phishing emails from a legitimate service so it will mostly avoid detection by many email security vendors, explained Patrick Harr, chief executive officer at SlashNext. Harr said the cybercriminal was very aware that it was possible that the malicious links were detected in email, so keeping the primary link and original email legitimate the attack would only be detectable when the user clicks the second button and at this point they will trust the sender and browser and messaging apps are less protected, making the likelihood of success greater.
“This Salesforce Email Service vulnerability highlights just how effective a well-crafted attack can be when a widely-used platform like Salesforce has a vulnerability,” said Harr. “Zero-hour vulnerabilities will happen, which is why it’s important to have end-user protection that can detect and stop malicious URLs even when they are buried several layers within legitimate services. Browser and messaging app protection would have stopped the final stage of this attack where the user was compromised.”
Saeed Abbasi, manager of vulnerability and threat research at Qualys, added that the unusual aspects here are centered around the clever exploitation of known systems such as Salesforce and Facebook, chaining different vulnerabilities to construct a more effective attack.
“This hack illustrates the continuing evolution of phishing techniques,” said Abbasi. “The attack was not a simple email scam, but a complex intertwining of vulnerabilities across multiple platforms and services. Organizations must strengthen verification processes to secure the ownership of email addresses and domains. Continuous monitoring and analysis of email traffic are essential to detect misuse or abnormalities. Along with this, the review and update of legacy systems play a crucial role in maintaining a solid defense."
