Salesforce-based phishing attacks surge 109% since the start of 2024

Salesforce logo above 'the future of productivity' slogan
(Image credit: Getty Images)

Phishing attacks making use of fake Salesforce domains have increased by 109% since the start of 2024, according to new research.

The new tactic involves the impersonation of a legitimate Salesforce domain in order to send victims to a spoofed version of a Meta partner portal, which is able to steal user credentials.

The malicious payload used by the threat actors had not been identified on any of VirustTotal’s antivirus scanners and URL/blocklisting services, according to researchers at security software company Egress.

Threat actors were able to impersonate an authentic Salesforce domain by compromising a business using Salesforce products and then launching the attack through the legitimate Salesforce servers, analysis from Egress’ threat intelligence team suggests.

The attack takes advantage of the popularity of Salesforce’s solutions, used by over 150,000 organizations around the world. Salesforce domains are likely to be included on a ‘trusted sender’ list at many organizations, and thus regardless of the message’s content it would be guaranteed to reach the recipient’s inbox.

The attack also involves the obfuscation of a malicious URL by using the legitimate Google notification service to redirect users to a malicious site.

Unlike other popular approaches used in phishing campaigns, such as using a legitimate site to host a malicious payload or using a legitimate link to disguise the final destination, this attack uses a legitimate service to redirect users to the malicious site.

Employees quickly inspecting the hyperlink may be deceived upon reading ‘’ at the start of the URL. These links cannot be mass blocked by blocklists due to their legitimate use elsewhere.

Signature-based anti-phishing technologies are also unable to identify the emails as malicious, as Egress found the email passed all three of the SPF, DKIM, and DMARC authentication methods.

Screenshot of the spoofed Meta partner portal

Spoofed Meta partner portal (Image credit: Egress Software Technologies)

Once redirected to the spoofed Meta partner page, any information entered into the log in portal are sent as plain text to a command-and-control server linked to the malicious URL.

Screenshot of the legitimate partner page that the phishing attack imitates

Legitimate Meta partner page (Image credit: Egress Software Technologies)

After entering their credentials, users are redirected again to another fake Meta site disguised as a webform intended to provide extra support for users. This form includes fields for the user’s name, business, email address, and phone number, information the attackers can use to refine their instigate and leverage follow-up attacks.

Screenshot displaying the fake Meta webform with fields for name, email, business and phone number

Fake meta webform (Image credit: Egress Software Technologies)

Compromising business emails a happy hunting ground for hackers

Phishing attacks targeting businesses are quickly becoming the most profitable form of attack method available to threat actors, with the costs associated with business email compromise attacks exceeding ransomware losses in 2022.


State of Salesforce 2023-24

(Image credit: IBM)

Create value from your Salesforce investment


Egress’ 2024 report on email security found 94% of organizations fell victim to phishing attacks, with 79% of account takeover attacks starting with a phishing email.

The widespread adoption of AI among threat actors is also a key factor in improving the efficacy and efficiency of phishing attacks, making them more realistic and faster to produce.

According to the report, the offensive use of AI is front of mind for cyber security leaders, over 60% of whom said the use of deep fakes and AI chatbots within attacks kept them up at night.

AI does have defensive potential also, however, with businesses exploring using generative AI to learn the writing style of an organization’s staff, which is then able to detect suspicious activity including incongruous text in an email.

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.