In Novel Attack Technique, Salesforce Email Service Used For Phishing Campaign

Slashdot reader storagedude writes: In a novel attack technique, Israeli security researchers discovered that cybercriminals were subscribing to Salesforce in order to use its email service to launch a phishing campaign and thus bypass corporate security defenses like whitelisting.

The researchers, from email security service provider Perception Point, said bad actors are sending phishing emails via the Salesforce email service by impersonating the Israel Postal Service in a campaign that has targeted multiple Israeli organizations.

In a blog post, security analysts Miri Slavoutsky and Shai Golderman wrote that this is the first time they had seen attackers abuse Salesforce services for malicious purposes.

“Mass Email gives users the option to send an individual, personalized email to each recipient, thus creating the perception of receiving a unique email, created especially for you,” Slavoutsky and Golderman wrote. “Spoofing attempts of Salesforce are nothing new to us. Attackers spoof emails from Salesforce for credential theft, is a typical example. In this case, the attackers actually purchased and abused the service; knowing that most companies use this service as part of their business, and therefore have it whitelisted and even allowed in their SPF records.”

Shlomi Levin, Perception Point’s co-founder and CTO, told eSecurity Planet that given how whitelisting a trusted source can result in security breaches, “it is essential to employ a zero-trust attitude combined with a strong filtering mechanism to any content that enters the organization no matter the source: email, collaboration tools or Instant Messaging.”

Stephen Banda, senior manager of security solutions at cybersecurity vendor Lookout, agreed with the researchers that it’s a new approach by malicious actors.

“The practice of legitimately signing up for an email service with the full intention of using it for malice is an innovative strategy,” Banda said. “This breach should be a warning to all service providers to conduct extensive due diligence into who is requesting access to their services so that this type of scam can be avoided in the future.”

“There are ways to detect spoofing but in this case the emails look authentic and are also coming from where they say they are coming from,” said Saumitra Das, CTO of cybersecurity firm Blue Hexagon. “This means that attackers have got through the first email firewall both from a threat intelligence signature perspective of blocking known bad sources and also in some sense the instinct of the user themselves to be suspicious of what something is. It is common for attacks to get through email security solutions, but then well-trained or savvy users are the next line of defense. This [use of a legitimate email service] increases the chances of those users also clicking on links or downloading attachments.”