“PhishForce” — Vulnerability Uncovered in Salesforce’s Email Services Exploited for Phishing…

Guardio Labs discovered an active campaign that abused a flaw in Salesforce’s Email-to-Case and Organization‑Wide Email flows to verify and send phishing messages from @salesforce.com addresses, directing victims to phishing pages hosted on Facebook’s apps platform and other domains. Salesforce and Meta were notified and Salesforce deployed a fix in July 2023 to prevent using salesforce.com addresses as organization-wide senders. #Salesforce #Facebook

Keypoints

  • Attackers created controllable Email‑to‑Case routing addresses under the case.salesforce.com namespace to receive inbound mail and surface its contents as Salesforce tickets.
  • They registered those generated salesforce.com addresses as Organization‑Wide Email senders by making the Email‑to‑Case routing address an “acceptable” recipient, enabling the mass mailer to use the verified salesforce.com sender.
  • Verification links sent by Salesforce arrived in the created tickets, allowing attackers to extract and click the link to complete verification and obtain valid sender status within Salesforce.
  • Phishing emails sent from these verified @salesforce.com addresses contained links to phishing landing pages hosted on apps.facebook.com and multiple other domains, helping them evade conventional filters and appear legitimate.
  • Guardio Labs disclosed the flaw to Salesforce and Meta; Salesforce implemented a fix (deployed 28 July 2023) that blocks use of salesforce.com addresses for organization‑wide senders unless the domain is approved.
  • Meta removed abused game accounts and is investigating why platform detections did not catch the hosted phishing content; other phishing hosts (Firebase, simple hosting) were also used in the campaign.

MITRE Techniques

  • [T1190] Exploit Public‑Facing Application – Exploited Salesforce’s Email‑to‑Case inbound routing to capture verification emails and their links: [‘the possibility to receive emails that are sent to specific @salesforce.com addresses and access their content’]
  • [T1078] Valid Accounts – Created and verified an Organization‑Wide Email address to gain legitimate sending capability via Salesforce’s mass mailer: [‘Success! — We just got a salesforce.com email address verified’]
  • [T1566.002] Phishing: Spearphishing Link – Sent targeted emails containing links to phishing pages (apps.facebook.com and other hosts) to harvest Facebook credentials: [‘The big blue button sends the target to the phishing page built to grab your Facebook account details.’]
  • [T1036] Masquerading – Used display names and verified @salesforce.com sender addresses to appear authentic and bypass filters: [‘sent from a legit email address of @salesforce.com’]
  • [T1199] Trusted Relationship – Abused the reputations of Salesforce mass‑mailing infrastructure and Facebook’s apps platform to evade detection and leverage trusted gateways: [‘hiding malicious email traffic within legitimate and trustworthy email gateway services.’]

Indicators of Compromise

  • [Email senders/domains] malicious sender addresses used to send phishing – accviolation@21gjt96n3uz6hgxytsmo0tf72hqyt6wg3ifrbql7e7k1xfd9df.8e-sefdea4.um9.case.salesforce.com, *@1tawiicwxf2mrp7fd4repzfch96l9gtt1myvtiv2apknglhjwu.ho-18cikmaa.na232.le.salesforce.com, and 3 more similar salesforce.com routing addresses
  • [IP address] SMTP source observed in headers – 161.71.6.233 (smtp10-lo2-sp1.mta.salesforce.com)
  • [Phishing pages / hosts] landing pages used in campaign – https://apps[.]facebook[.]com/360554927295924, https://gulaqkogames[.]com
  • [Phishing domains] additional phishing domains tied to campaign – fb-003applyonlines[.]web[.]app, qkemiskkd[.]top, and 40+ other web[.]app/.firebaseapp/.com domains listed in the article

Guardio Labs’ technical reproduction: an attacker configures an Email‑to‑Case inbound address (username@{account_hash}.case.salesforce.com) which they control, then adds the Salesforce address that sends verification messages to the “Acceptable Email Addresses” list. They create an Organization‑Wide Email using the generated case.salesforce.com address; Salesforce’s verification email is routed into the Email‑to‑Case ticketing flow where the full message — including the verification link — is accessible. By copying and following that verification link, the attacker completes verification and grants the Salesforce mass mailer permission to send messages that appear to originate from a verified @salesforce.com address.

Once verified, the attacker composes phishing emails via the Salesforce mass‑mail gateway or otherwise uses the infrastructure to send targeted messages containing links to phishing landing pages (notably apps.facebook.com canvases and multiple web[.]app/firebaseapp hosts). This combination of a legitimate sender reputation and links to trusted domains allowed the messages to bypass many anti‑phishing/anti‑spam defenses and reach users’ inboxes (sometimes marked as Important by providers like Google).

Mitigation steps taken and recommended: Salesforce patched the verification flow (deployed 28 July 2023) to validate the requested sender domain against an organization’s approved domains before initiating verification, which prevents creation of organization‑wide senders on salesforce.com subdomains. Platform owners should similarly restrict legacy app hosting and monitor inbound routing rules so that verification emails cannot be captured by user‑controlled application flows. Defenders should block the listed phishing domains, monitor unusual Organization‑Wide Email creation, and treat unexpected salesforce.com senders with high suspicion.
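As an added illustration (not code from Guardio Labs or Salesforce) of how a mail-filtering rule could pick out the sender/link combination described above: a small Python classifier that parses a constructed plain-text message, flags From: addresses in the generated case./le.salesforce.com routing namespaces (the pattern is an assumption generalised from the two quoted IoCs), and flags links to the hosting platforms the campaign used.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Sender pattern generalised (assumption) from the two routing addresses the advisory
# quotes: a long random label, an org label, an instance label, then case./le.salesforce.com.
ROUTING_SENDER_RE = re.compile(
    r"@[a-z0-9]{20,}\.[a-z0-9-]+\.[a-z0-9]+\.(?:case|le)\.salesforce\.com$", re.I)
# Landing-page hosts named in the advisory (exact host, or hosting-platform suffix).
SUSPECT_HOSTS = ("apps.facebook.com",)
SUSPECT_SUFFIXES = (".web.app", ".firebaseapp.com")
URL_RE = re.compile(r"""https?://[^\s"'<>)]+""")

def sender_address(msg) -> str:
    """Bare address from a From: header written as 'Name <addr>' or 'addr'."""
    raw = msg.get("From", "")
    m = re.search(r"<([^>]+)>", raw)
    return (m.group(1) if m else raw).strip().lower()

def suspect_links(body: str) -> list:
    """URLs in the body whose host is one of the platforms the campaign abused."""
    hits = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host in SUSPECT_HOSTS or host.endswith(SUSPECT_SUFFIXES):
            hits.append(url)
    return hits

def classify(raw_message: str) -> dict:
    """Score one plain-text RFC 822 message for the PhishForce combination."""
    msg = message_from_string(raw_message)
    sender = sender_address(msg)
    body = msg.get_payload() if not msg.is_multipart() else ""  # assumes text/plain
    routing = bool(ROUTING_SENDER_RE.search(sender))
    links = suspect_links(body)
    # Either signal alone is worth a look; a generated routing-namespace sender
    # together with a link into an app-hosting platform is the campaign itself.
    verdict = "block" if routing and links else ("review" if routing or links else "allow")
    return {"sender": sender, "routing_sender": routing,
            "suspect_links": links, "verdict": verdict}

# Constructed sample built from the advisory's quoted sender and landing page; not a real capture.
SAMPLE = """From: Meta Support <accviolation@21gjt96n3uz6hgxytsmo0tf72hqyt6wg3ifrbql7e7k1xfd9df.8e-sefdea4.um9.case.salesforce.com>
Subject: Account violation notice
Content-Type: text/plain

Your page has been flagged. Review the decision here:
https://apps.facebook.com/360554927295924
"""
```

Running `classify(SAMPLE)` returns the "block" verdict; a legitimate noreply@salesforce.com notification with ordinary links returns "allow".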

Read more: https://medium.com/@guardiosecurity/phishforce-vulnerability-uncovered-in-salesforces-email-services-exploited-for-phishing-32024ad4b5fa