Security/ phishing · meta · security · social media

Phishers Used Meta's Own Email System to Steal Business Credentials

Attackers exploited Meta's business-to-business email infrastructure to send convincing phishing emails that bypassed spam filters entirely.

Meta's own servers were the delivery mechanism for a phishing campaign targeting business account holders.

Security firm Huntress uncovered attackers abusing Meta's business account email system, which routes messages through Meta's infrastructure and makes them appear to originate from Meta itself. The phishers redirected victims to fake landing pages impersonating the Meta Agency Partner Program, a real service connecting businesses with social media professionals. Victims who entered their credentials handed them directly to attackers, who exfiltrated the logins to a Telegram account. From there, the stolen accounts were used to run scam ads on the victim's dime, hijack account recovery methods, or launch targeted attacks against the business's own customers and followers. Meta attempted a partial fix by hardcoding a disclaimer in the emails noting the sender was not affiliated with Meta, but attackers adapted their approach and kept the campaign alive. Meta has since deployed additional guardrails that shut the operation down. Huntress published indicators of compromise for organizations that want to check for related activity.

What makes this campaign nastier than a standard phishing run is that it required no domain spoofing and no email header forgery — the emails genuinely came from Meta. That's a structural problem, not a one-off bug: any platform that lets third parties send messages through its own authenticated infrastructure hands phishers a built-in trust signal.

Meta closed the gap, but the playbook is reusable. Platforms that offer business messaging features should expect this attack pattern to recur — and defenders should treat emails from major platforms with the same skepticism they'd apply to any cold outreach.

TR

The Revision

Written by an AI system from the public sources credited above. How we write →