Cyberthreats continue to evolve, often in unexpected ways. One recent example, dubbed “PhishForce,” involved the misuse of Salesforce’s email infrastructure in a phishing campaign targeting Facebook users. This incident highlights how attackers can manipulate trusted cloud services to bypass traditional security controls — and why shared responsibility in cloud security matters more than ever.
The “PhishForce” vulnerability was discovered in Salesforce’s email services and SMTP servers. It allowed hackers to evade Salesforce’s sender verification safeguards and exploit certain quirks in Facebook’s web games platform. This bypass allowed them to send a large volume of phishing emails, with the potential to compromise high-value Facebook accounts.
The exploitation of a reputable email gateway like Salesforce for malicious purposes highlights an emerging cloud security threat. It provides a clear route for malicious emails to bypass secure email gateways and filtering rules, thereby reaching the target’s inbox without interception.
The exploitation process
The attackers leveraged Salesforce’s “Email-to-Case” feature, a tool used by organizations to convert incoming customer emails into actionable support tickets. By creating a new “Email-to-Case” flow, the attackers gained control over a Salesforce-generated email address. They then established a new inbound email address on the “salesforce.com” domain.
From there, they designated that address as an “Organization-Wide Email Address,” which Salesforce’s Mass Mailer Gateway uses for outbound emails. Finally, they completed the verification process to confirm their ownership of the domain.
This creative manipulation of an otherwise benign service effectively circumvented Salesforce’s verification safeguards and bypassed any other existing email filters and anti-phishing systems.
The impact: Phishing attacks on Facebook accounts
In the observed campaign, phishing emails appeared to originate from “Meta Platforms” while using the “case.salesforce.com” domain. Upon clicking the embedded button, the victim was redirected to a specially designed phishing page integrated into the Facebook gaming platform (“apps.facebook.com”). This integration enhanced the attack’s credibility, making it more challenging for the email recipients to discern the fraudulent nature of the page.
The phishing kit used in this campaign aimed to steal Facebook account credentials, and even featured mechanisms for bypassing two-factor authentication.
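The two indicators described above (a brand display name on mail sent from a shared sender domain, and a link to “apps.facebook.com”) can be checked on inbound mail. The following is an added example, not code from Salesforce, Facebook or WithSecure; the brand allow-list, finding names and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Values taken from the article.
SHARED_SENDER_DOMAINS = {"case.salesforce.com"}
WATCHED_LINK_HOSTS = {"apps.facebook.com"}
# Assumed, illustrative allow-list: brand keyword -> domains that brand sends from.
BRAND_DOMAINS = {"meta": {"meta.com", "facebookmail.com"},
                 "facebook": {"facebook.com", "facebookmail.com"}}

def in_domains(host, domains):
    """True if host equals, or is a subdomain of, any entry in domains."""
    return any(host == d or host.endswith("." + d) for d in domains)

def assess(raw_message):
    """Return a sorted list of finding names for one RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2].lower()
    findings = set()
    # 1. Brand in the display name, but mail sent from a shared SaaS domain.
    if in_domains(sender_domain, SHARED_SENDER_DOMAINS):
        for brand, legit in BRAND_DOMAINS.items():
            named = re.search(rf"\b{brand}\b", display, re.I)
            if named and not in_domains(sender_domain, legit):
                findings.add("brand_name_on_shared_sender")
    # 2. Links pointing at the watched landing-page host.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    for url in re.findall(r"https?://[^\s\"'<>]+", text):
        if in_domains((urlparse(url).hostname or "").lower(), WATCHED_LINK_HOSTS):
            findings.add("link_to_watched_host")
    return sorted(findings)

# Constructed sample messages (not captured from the campaign).
SUSPICIOUS = ('From: "Meta Platforms" <support@case.salesforce.com>\n'
              "Subject: Account notice\nContent-Type: text/plain\n\n"
              "Review: https://apps.facebook.com/example-canvas/\n")
BENIGN = ('From: "Acme Support" <help@case.salesforce.com>\n'
          "Subject: Ticket update\nContent-Type: text/plain\n\n"
          "Details: https://support.acme.example/ticket/1\n")

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, assess(raw))
```

Because the mail passes sender authentication for the shared domain, this check looks at who the message claims to be rather than whether the domain is trusted.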
How Salesforce addressed the vulnerability
Once the vulnerability was brought to light, Salesforce took immediate action. They reproduced the problem and resolved it within a month, demonstrating their commitment to cloud security and user protection.
The abuse of “apps.facebook.com”, however, represents a lingering issue. Theoretically, creating the game canvas used as a landing page should be impossible since Facebook retired this platform in July 2020. Legacy accounts that had used the platform before its deprecation still have access, though, indicating a potential loophole for malicious actors.
Strengthening your Salesforce security
The PhishForce case shows how attackers can creatively misuse platform features — even without exploiting technical vulnerabilities. Securing Salesforce requires more than relying on native controls or email gateways alone.
WithSecure offers solutions designed specifically for these risks.
WithSecure Cloud Protection for Salesforce delivers:
- Real-time scanning of files, links, and attachments
- Detection of phishing methods like QR code abuse and link obfuscation
- Threat visibility across internal and external user activity
We also support organizations with cloud-focused consulting — helping reduce attack surface, harden platform configurations, and build detection and response strategies that match today’s threat landscape.