A sophisticated phishing campaign has emerged, actively targeting businesses worldwide by abusing the trusted infrastructure of Meta’s Business Manager platform. Cybercriminals are leveraging legitimate tools within the platform to distribute deceptive emails that closely resemble authentic Meta communications, thereby increasing the likelihood of successful attacks.
To begin with, attackers create fraudulent Facebook Business pages designed to imitate real brands or verified Meta partners. These pages often feature convincing logos and branding elements that closely align with official Meta visuals. Once established, threat actors exploit the “partner request” feature within Meta Business Manager to send invitation emails directly to targeted users.
What makes this campaign particularly dangerous is the origin of these emails. Instead of using suspicious or spoofed addresses, the messages are sent via facebookmail.com, a legitimate and verified Meta domain. Because the messages genuinely originate from Meta's infrastructure, authentication checks such as SPF and DKIM pass rather than flag them as malicious, allowing them to bypass standard email security filters.
According to researchers from Trustwave SpiderLabs, threat actors are deliberately exploiting trusted Meta Business Manager partner request notifications to deliver phishing emails. They emphasized that this technique effectively weaponizes a legitimate feature widely used by businesses, making it significantly more challenging to detect and prevent.
Moreover, the campaign operates at a considerable scale. Researchers identified over 40,000 phishing emails sent to more than 5,000 organizations across regions including the United States, Europe, Canada, and Australia. Industries heavily reliant on Meta’s advertising ecosystem—such as real estate, education, automotive, hospitality, and financial services—have been particularly impacted.
In some cases, organizations received hundreds of phishing emails, while one company alone was targeted with more than 4,200 messages. This clearly indicates a highly automated, template-driven attack designed for mass distribution rather than precise targeting.
Furthermore, the consequences of a successful breach can be severe. Once attackers gain access to a Meta Business Manager account, they can launch fraudulent ad campaigns, drain advertising budgets, impersonate businesses, and even demand ransom. This not only leads to financial losses but also damages brand reputation and customer trust.
Small and mid-sized businesses remain especially vulnerable, as their teams frequently interact with legitimate Meta notifications, making them more likely to trust such emails.
When victims click on malicious links embedded in these emails, they are redirected to fake login pages that closely replicate Meta’s official interface. These pages are often hosted on external domains like vercel.app to evade detection. Victims are prompted to enter credentials, business email details, and sometimes even two-factor authentication codes.
Alarmingly, capturing these codes allows attackers to bypass 2FA protections and gain immediate access to accounts in real time.
Security experts strongly recommend that users avoid clicking on email links, even if they appear to come from trusted sources. Instead, they should manually navigate to official platforms. Additionally, organizations should train employees to identify suspicious notifications and regularly audit partner access within Meta Business Manager.
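Since sender authentication passes for these messages, a filter has to look at where the links go instead. The following added example (not code from Trustwave SpiderLabs or Meta) flags mail from facebookmail.com whose body links to hosts outside an allowlist of Meta domains; the allowlist, the function name `off_domain_links` and the sample messages are assumptions constructed for illustration.

```python
import email
import re
from email import policy
from urllib.parse import urlsplit

# Assumption: domains treated as Meta-owned; adjust to your environment.
META_DOMAINS = {"facebook.com", "fb.com", "fb.me", "meta.com",
                "instagram.com", "facebookmail.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

# Constructed sample: authentication passes, but one link leaves Meta's domains.
SAMPLE_PHISH = (
    "From: Meta Business <noreply@facebookmail.com>\n"
    "To: marketing@example.com\n"
    "Subject: Partner request\n"
    "Authentication-Results: mx.example.com; spf=pass; "
    "dkim=pass header.d=facebookmail.com\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Example Brand Support sent you a partner request.\n"
    "Review it here: https://example-placeholder.vercel.app/login\n"
    "Help: https://www.facebook.com/business/help\n"
)
SAMPLE_BENIGN = SAMPLE_PHISH.replace(
    "https://example-placeholder.vercel.app/login",
    "https://business.facebook.com/settings")

def _under(host, domains):
    """True if host equals, or is a subdomain of, one of the domains."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def off_domain_links(raw_message):
    """Return non-Meta hosts linked from a message sent via facebookmail.com."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    addrs = msg["From"].addresses if msg["From"] else ()
    if not addrs or not _under(addrs[0].domain, {"facebookmail.com"}):
        return []  # out of scope: not a Meta notification sender
    hosts = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        for url in URL_RE.findall(part.get_content()):
            host = urlsplit(url).hostname
            if host and not _under(host, META_DOMAINS) and host not in hosts:
                hosts.append(host)
    return hosts

if __name__ == "__main__":
    print(off_domain_links(SAMPLE_PHISH))
```

A non-empty result is a signal for quarantine or manual review, not proof of phishing, since the allowlist is an assumption and may not cover every domain Meta uses.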





