- Huntress Uncovers Phishing Campaign Abusing Meta Business Account Email Infrastructure and Impersonating Meta Agency Partner Program
- Victims were tricked into handing over their credentials, which the attackers exfiltrated to Telegram for account takeover, fraudulent advertising, and targeted phishing.
- Meta has since added guardrails that have killed the campaign; Huntress has released IoCs to help organizations detect related activities
Hackers abuse this and impersonate another legitimate Meta service to try to steal login credentials from the company’s business accounts.
Meta, owner of Facebook, Instagram, WhatsApp and more, allows businesses to create separate accounts and talk to each other. Emails sent from one to the other pass through the company’s infrastructure, that is, they are displayed as coming from Meta itself.
However, until recently, hackers abused this fact to send phishing emails that landed directly in their victims’ inboxes, security researchers Huntress explained. The company has even tried to curb this problem by hard-coding a disclaimer stating that the email senders are not part of or affiliated with Meta, but scammers have found creative ways to get around this as well.
Spend money
The phishing emails redirected victims to landing pages outside of Meta’s ecosystem. These pages were designed to mimic the Meta Agency Partner Program, a legitimate initiative that connects businesses with social media management professionals.
Those who didn’t see the ruse would end up trying to log into their accounts, simply sharing their login credentials with the attackers. The secrets would be exfiltrated to a Telegram account under the control of the threat actors, which they could then use for different purposes, from phishing to malvertising.
“Malicious actors can exploit Meta business accounts to spend the victim’s money on malicious or fraudulent advertising, or they can take control of the account entirely, changing recovery methods and the password, and exploit the account to deliver more targeted attacks against the company’s customers or social media followers. » explained the researchers.
Over the past few months, the campaign has evolved and changed, using different lures and mechanics, but keeping the same end goal. However, Meta effectively killed him by adding additional guardrails that now make it impossible to execute him.

The best antivirus for every budget
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds.




