Phishing Lure: This phishing campaign delivers a deceptive "Partner Portal Access Downgrade" notification, impersonating a business platform and claiming that the recipient’s access to sensitive assets has been temporarily revoked due to policy violations.
Forced Entry: Phishers Abuse Salesforce Sites
A multi-layered redirect chain uses trusted infrastructure to bypass secure email gateways (SEGs).
What is the attack?
Salesforce Sites: The attacker uses a *.my.salesforce-sites.com page as an intermediate redirector. The page includes JavaScript that delays and obscures the final phishing destination.
Why did it get through?
Obfuscated Link: The phishing link is wrapped in a trusted ct.sendgrid.net domain, commonly used by legitimate SaaS platforms. This masks the destination and allows the email to bypass link reputation filters and detection systems.
Legitimate Hosting: The intermediate redirector is hosted on Salesforce Sites, a feature that allows organizations to host public-facing web pages on top of the Salesforce platform.
URL Crawling/Analysis Protection: The added CAPTCHA functionality limits automated link crawling and URL analysis features, increasing the difficulty for automated detection.
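One way a defender could triage resolved redirect chains for the pattern described above. This is an added example, not taken from the original report or any vendor product. Apart from ct.sendgrid.net and the *.my.salesforce-sites.com suffix, the sample chains and host names are constructed. It also reports the case where a crawler stopped on the Salesforce Sites page because the JavaScript redirect was never executed.

```python
from urllib.parse import urlsplit

WRAPPER_HOST = "ct.sendgrid.net"                # link wrapper named in the report
REDIRECTOR_SUFFIX = ".my.salesforce-sites.com"  # Salesforce Sites pattern named in the report

def host_of(url):
    """Lower-cased hostname of a URL, or '' when the URL has none."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def is_redirector(host):
    # Suffix match on the whole hostname, so a lookalike such as
    # "x.my.salesforce-sites.com.evil.example" is not treated as Salesforce Sites.
    return host.endswith(REDIRECTOR_SUFFIX)

def classify_chain(hops):
    """Classify one redirect chain (URLs in the order they were visited).

    'match'      wrapper -> Salesforce Sites page -> a further host
    'incomplete' wrapper -> Salesforce Sites page, where the crawl stopped;
                 the JavaScript hop was not followed, so the final destination
                 is unknown and the link needs browser-based analysis
    'no-match'   anything else
    """
    hosts = [host_of(u) for u in hops]
    if not hosts or hosts[0] != WRAPPER_HOST:
        return "no-match"
    redirector_hops = [i for i, h in enumerate(hosts) if is_redirector(h)]
    if not redirector_hops:
        return "no-match"
    if redirector_hops[-1] == len(hosts) - 1:
        return "incomplete"
    return "match"

# Constructed sample chains (hypothetical tenant and destination names).
SAMPLE_CHAINS = {
    "full": ["https://ct.sendgrid.net/constructed",
             "https://tenant-example.my.salesforce-sites.com/notice",
             "https://portal-login.example.test/signin"],
    "crawler_stopped": ["https://ct.sendgrid.net/constructed",
                        "https://tenant-example.my.salesforce-sites.com/notice"],
    "lookalike": ["https://ct.sendgrid.net/constructed",
                  "https://a.my.salesforce-sites.com.evil.example/notice"],
}

if __name__ == "__main__":
    for name, chain in SAMPLE_CHAINS.items():
        print(name, classify_chain(chain))
```

An "incomplete" result is worth routing to manual or browser-based review rather than treating as clean, since both visible hops are legitimate infrastructure.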
What is required to solve for this attack?
Behavioral Analysis: Abnormal’s Behavioral AI flags never-before-seen senders, unusual email content, and URLs as anomalies, enabling the detection of novel attacks.
Defense-in-depth: This approach pairs well with the Threat Intelligence layer of the Cloud Email Platform (M365) for defense in depth.

