Hackers leverage Salesforce account to send fake invoices in new phishing attack

• The hackers compromised the target company’s Salesforce account to utilize Email Studio and send fake invoices to customers’ emails.
• These fake invoices replicated the patterns of legitimate invoices and included several layers of Office 365 which made it difficult to be detected by email gateways.

Salesforce’s cloud platform is used by over 150,000 organizations around the globe. The cloud software enables a host of capabilities for customer management, including the ability to generate invoices. However, hackers have found a new way to launch phishing attacks by leveraging compromised Salesforce account.

What’s the matter?

Researchers from Avanan recently uncovered a phishing attack that was using Salesforce’s invoice-sending functionality against a Fortune 500 company. The hackers had compromised the company’s Salesforce account to utilize Email Studio and send fake invoices to customers’ emails.

These fake invoices replicated the patterns of legitimate invoices and included several layers of Office 365 which made it difficult to be detected by email gateways.

How does the attack work?

Step 1: Hackers compromise an organization’s Salesforce account and public website.

Step 2: Malicious code is injected into the partner’s website to generate two public-facing URLs.

Step 3: Within the compromised Salesforce account, the hackers access Email Studio, draft emails containing the URLs and send them to contacts stored in Salesforce.

Step 4: The victim organization receives the phishing emails sent by hackers.

Step 5: Once the victim clicks on the URL, it redirects them to a page with malware.

Avanan revealed that around 1,056 people in the company had received the email.

“This was all the contacts they had in the company. This is also what allowed Avanan to flag the sender. Had they only sent it to the relevant people in the organization this would have been even harder to track.aa,” added researchers.

What is the purpose of the attack?

The main purpose of the attack wad to install a trojan malware on the endpoints. Researchers believe that the same scam could apply to fake invoices or credential harvesting pages.

How to stay safe?

• Organizations should enable MFA on CRM in order to prevent falling victim such emails.
• Add an advanced security layer to detect spoofed emails.
• Train employees on the concept of Zero-trust to manage the risks of digital business and strengthen security strategy.