{"id":209,"date":"2024-11-13T17:10:37","date_gmt":"2024-11-13T22:10:37","guid":{"rendered":"https:\/\/freshphish.info\/?p=209"},"modified":"2025-03-13T09:58:07","modified_gmt":"2025-03-13T14:58:07","slug":"meta-phish-sent-through-salesforce","status":"publish","type":"post","link":"https:\/\/freshphish.info\/?p=209","title":{"rendered":"Meta Phish Sent Through Salesforce"},"content":{"rendered":"\n

Here’s a phish recently seen in the wild. <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The email claims it is from Meta, owner of Facebook, warning about restrictions placed on the recipient’s Meta account due to recent activity seen on the account, which is seen as an “exploit” that could impact internal functions within the “Meta Business Suite”, used to manage a business’ Facebook, Instagram and WhatsApp for Business accounts. It claims that if an appeal is not filed within one day, the restrictions they have placed on the account could become permanent.<\/p>\n\n\n\n

Looking at the headers of the email, it shows that the email was definitively sent from Salesforce servers.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The link in the email goes to a page on “salesforce-sites[.]com”, which redirects to a page on “metasystemschat[.]com”. The link existing on salesforce-sites[.]com tells me someone’s Salesforce account has been compromised and used to stage the phish and send the email.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The metasystemschat[.]com is a recently registered fraudulent lookalike domain, hosting what appears to be a Meta Business Support page. It asks for information about the account in question to open a chat. I entered completely bogus information and was not told I had entered invalid information.<\/p>\n\n\n\n

–Matt<\/p>\n","protected":false},"excerpt":{"rendered":"

Here’s a phish recently seen in the wild. The email claims it is from Meta, owner of Facebook, warning about<\/p>\n

Continue readingMeta Phish Sent Through Salesforce<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[12],"tags":[14,55,4,15],"class_list":["post-209","post","type-post","status-publish","format-standard","hentry","category-phish","tag-facebook","tag-meta","tag-phish","tag-salesforce"],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\n\t\n\t\n\t\n\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t