Current Cyber Threats

New Phishing Campaign Exploits Meta Business Suite to Target SMBs Across the U.S. and Beyond

Summary:
Email security researchers at Check Point identified an ostensibly new phishing campaign that distributed over 40,000 malicious emails to more than 5,000 customers across the U.S., Europe, Canada, and Australia, likely targeting industries reliant on Facebook advertising (e.g., automotive, finance, hospitality). The campaign was effective because the adversary abused Facebook's legitimate Business Invitation feature, creating fake business pages that mimicked official branding. Crucially, the phishing emails were sent from the authentic and trusted facebookmail[.]com domain, allowing them to bypass traditional email security filters and appear extremely convincing to recipients. The emails used urgent subject lines like "Action Required: You’re Invited to Join the Free Advertising Credit Program" to goad recipients into immediate action. Victims who clicked the malicious links were redirected to credential-theft phishing websites hosted on domains like vercel[.]app. The primary targets were SMBs whose employees are accustomed to receiving genuine "Meta Business" notifications.

Security Officer Comments:
The campaign highlights a growing trend of cybercriminals weaponizing legitimate platform features to exploit trust and circumvent security controls. The core innovation is the shift from spoofing a trusted sender to abusing a legitimate platform feature, which effectively nullifies basic domain reputation and sender validation checks. Because the attack is made nearly indistinguishable from genuine correspondence from a trusted, widely used platform, organizations are more likely to succeed with multiple layers of email security than with any single control, given cybercriminals’ continued efforts to find new phishing techniques. Phishing continues to be the most frequently used initial access method, and awareness training should be updated to stress extra caution from employees, especially with emails concerning the products and services the business depends on most. The lingering questions about the platform’s responsibility to protect its users from this kind of feature abuse are becoming increasingly critical to answer. Check Point researchers replicated the observed technique to confirm how simple it can be to manipulate the Business Invitation feature.

Suggested Corrections:
While it’s critical for platforms like Facebook to address these security gaps in a timely manner, organizations and individuals must also take proactive steps to reduce their risk.

  • Educate users: Training should go beyond spotting suspicious domains. Employees and users must learn to question unusual requests, even if they come from trusted sources.
  • Implement advanced detection: Security solutions should incorporate behavioral analysis and AI-driven detection that can flag suspicious activity even when messages appear legitimate.
  • Enable multi-factor authentication (MFA): Stolen credentials remain the primary goal of phishing campaigns. MFA ensures that even if credentials are compromised, attackers can’t easily gain access.
  • Verify the sender and URL: Always check for domain mismatches (e.g., Meta branding with non-Meta links).
  • Avoid clicking links in unsolicited emails: Access your Meta Business account directly through the official platform instead.
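The brand/link mismatch check above can be automated at the mail gateway. The following is an added example, not Check Point's or Meta's code: it parses a message, treats a facebookmail[.]com sender or Meta branding as a trigger to inspect every link, and flags any link host outside an assumed allowlist of Meta-operated domains, plus the urgent subject wording reported for this campaign. The two sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Allowlist of Meta-operated domains (assumed for this example; extend it for your own tenant).
META_DOMAINS = ("facebook.com", "fb.com", "meta.com", "facebookmail.com", "instagram.com")
BRAND_WORDS = re.compile(r"\b(meta|facebook)\b", re.I)
URGENCY_WORDS = re.compile(r"action required|immediately|within 24 hours|suspended", re.I)

class LinkExtractor(HTMLParser):  # collects href targets from an HTML mail body
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def is_meta_host(host):  # exact allowlisted domain or a subdomain of one
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in META_DOMAINS)

def analyse(raw_email):
    """Return findings for one single-part message; an empty list means no mismatch was seen."""
    msg = message_from_string(raw_email)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    sender_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1]
    findings = []
    # A genuine facebookmail.com sender is what this campaign used, so it triggers link scrutiny.
    if is_meta_host(sender_domain) or BRAND_WORDS.search(body):
        parser = LinkExtractor()
        parser.feed(body)
        for host in (urlparse(h).hostname or "" for h in parser.hrefs):
            if host and not is_meta_host(host):
                findings.append(f"brand/link mismatch: {host}")
    if URGENCY_WORDS.search(msg.get("Subject", "")):
        findings.append("urgent subject line")
    return findings
# Constructed samples modelled on the reported lure; neither is a real captured message.
LURE = """From: Meta for Business <notification@facebookmail.com>
Subject: Action Required: You're Invited to Join the Free Advertising Credit Program
Content-Type: text/html; charset=utf-8

<a href="https://claim-ad-credit.vercel.app/login">Accept invitation</a>"""
GENUINE = """From: Meta for Business <notification@facebookmail.com>
Subject: You have a new notification
Content-Type: text/html; charset=utf-8

<a href="https://business.facebook.com/latest/">Open Meta Business Suite</a>"""
```

The suffix match deliberately rejects look-alikes such as facebook.com.evil.example while accepting real subdomains; multipart messages would need the same check applied to each text/html part.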

Link(s):
https://blog.checkpoint.com/email-security/new-phishing-campaign-exploits-meta-business-suite-to-target-smbs-across-the-u-s-and-beyond/