A new report released today by phishing detection and response solutions company Cofense Inc. warns that Meta Platforms Inc. business accounts are being targeted by a sophisticated phishing campaign.

The report details a phishing operation that has the ability to bypass multifactor authentication protections, which are meant to prevent accounts from unauthorized access. According to Cofense, the phishing campaign is not only highly targeted but also widespread, impacting users across 19 different countries and even leverages emails crafted in different languages.

Where the campaign becomes arguably interesting is that it specifically exploits Meta business accounts through emails that pretend to be official communications from Meta. The emails used by the attackers claim that the Meta business user has breached policy guidelines or hit copyright issues. Given how fickle the guidelines are on services such as Facebook, the recipients struggle to tell whether the phishing emails are real or not.

You can post naked breasts and advertise Nazi armbands on Facebook and not breach its “guidelines,” but if you say a naughty word, you’re immediately in trouble. The complete inconsistency from Meta regarding guidelines is what the phishing campaign is taking advantage of.

In addition, the Cofense report found that phishing emails are crafted to evade detection by secure email gateways, allowing them to reach the inboxes of enterprise users. The toolkit used by those behind the campaign includes mechanisms for generating phishing emails, creating and checking malicious links and maintaining a list of potential targets.

The tools used by those behind the phishing campaign include capabilities for creating Netlify App links, checking if these links are still active, generating targeted emails and tracking the financial profit from their operations. The level of organization is said to underscore the financial motivations behind the campaign and a high degree of technical proficiency.

“Given the complexity of the phishing email side of things, there’s no doubt that a successful compromise of a Meta ad account will lead to a more advanced attack like an ad fraud campaign,” the Cofense researchers write in the report. “This type of attack can lead to huge financial loss for a business and potentially followers of the business page itself.”

Photo: Meta