If you manage Facebook advertising for a small or medium-sized business, open your inbox with suspicion, because attackers have been sending highly convincing invites that appear to come straight from Meta.
Researchers at Check Point found that the attackers used Facebook Business pages and the platform’s invitation feature to send messages that appear to come from the real @facebookmail.com domain, making them much harder to spot with automated filters and human instincts alike.[1]
The campaign is large in volume and blunt in scope, with Check Point telemetry showing about 40,000 phishing emails sent to roughly 5,000 customers worldwide, including the United States, Europe, Canada, and Australia.
Most of the messages followed a simple template, using subjects such as Account Verification Required and Meta Agency Partner Invitation to prompt clicks, and each message included a link that redirected victims to credential-harvesting pages hosted on domains like vercel.app.
Attackers began by creating fake business pages, then added logos and page names designed to mimic official branding, and finally used the Business invitation mechanism to dispatch the invites, a sequence Check Point reproduced in a controlled test to confirm the method.
@facebookmail.com Invites Exploited in Phishing Thousands of Businesses
Screenshot 1 shows a phishing email sent from the legitimate @facebookmail.com domain, identified by Check Point researchers. Screenshot 2 shows another example of a similar phishing email received by a Check Point customer. (Images via Check Point Research)
Simply put, this was a brand impersonation campaign using Meta Business Suite’s infrastructure for malicious purposes. The campaign’s targets were mostly companies that rely on Meta for marketing, including automotive, education, real estate, hospitality, and finance, which makes sense because those teams regularly receive legitimate Meta notifications and are more likely to trust them.
One company received over 4,200 messages, while most saw fewer than 300. According to CPR’s blog post, it looked less like a focused attack and more like a mass send aimed at catching as many people as possible.
If you run a Facebook page for business purposes, enable multi-factor authentication for Business Suite accounts, verify any invite through the Business Support Home or Meta help pages before clicking links, and treat any unexpected @facebookmail.com messages as suspect until confirmed through your account settings or Meta support.
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators-of-compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
[1] https://hackread.com/facebookmail-com-invites-phish-facebook-business/
Comments