Hackers Exploit Meta Business Manager Notifications for Phishing Attacks
Key Takeaways
- A new phishing campaign is actively exploiting Meta’s Business Manager platform to target businesses globally.
- Threat actors are leveraging legitimate Meta infrastructure and the “partner request” feature to send highly credible phishing emails from verified Meta domains, bypassing standard email security checks.
- The campaign has targeted over 5,000 organizations, primarily in industries reliant on Meta advertising, with attackers aiming to steal credentials, hijack ad accounts, and inflict significant financial and reputational damage.
- Victims are redirected to sophisticated fake login pages designed to harvest Meta credentials and even bypass 2FA, granting attackers full account control.
Sophisticated Phishing Campaign Abuses Meta Business Manager Notifications
Businesses worldwide are currently facing a sophisticated phishing campaign that leverages Meta’s own Business Manager platform, turning a trusted digital marketing tool into a potent weapon for cybercriminals. This operation stands out due to its unusual ability to bypass conventional email security measures, making it exceptionally difficult for users to distinguish legitimate communications from malicious traps.
The core of this attack lies in its ability to send deceptive emails that appear to originate directly from Meta’s infrastructure. Unlike typical phishing attempts that rely on spoofed or suspicious email addresses, these messages are generated and dispatched from genuine Meta domains, specifically facebookmail.com. This authentic origin renders standard email authentication protocols such as SPF and DKIM largely ineffective against the campaign, granting the phishing emails an unprecedented level of credibility.
How the Attack Unfolds
The process begins with cybercriminals establishing fraudulent Facebook Business pages. These pages are meticulously crafted to impersonate well-known brands or verified Meta partners, featuring professional logos and names that closely mimic official Meta branding. Once these deceptive pages are active, attackers exploit a legitimate feature within Meta Business Manager: the “partner request” function. By sending partner invitations, they trigger Meta’s system to dispatch official notification emails to their intended targets.
According to analysts at Trustwave SpiderLabs, who first identified and detailed this campaign, the technique is particularly insidious because it subverts a platform feature that businesses rely on daily. Researchers highlighted that the inherent trust users place in familiar platforms like Meta significantly complicates defense efforts, as technical countermeasures alone are often insufficient.
Scale and Impact
The campaign’s reach is substantial, with researchers tracking over 40,000 phishing emails delivered to more than 5,000 organizations. These targets span across the United States, Europe, Canada, and Australia. Industries that heavily depend on Meta’s advertising ecosystem, including real estate, education, automotive, hospitality, and finance, have been disproportionately affected.
While many organizations received hundreds of these malicious messages, one particular company was inundated with over 4,200 phishing emails, suggesting an automated, template-driven approach designed for broad dissemination rather than highly targeted attacks.
The ramifications of falling victim to this campaign extend far beyond a simple account compromise. Attackers gaining access to a Meta Business Manager account can initiate unauthorized advertising campaigns, deplete ad budgets, impersonate the compromised business to defraud clients, and even hold the account hostage for ransom. The resulting reputational damage and erosion of client trust can be severe, leading to costly and protracted recovery efforts. Small and mid-sized businesses, whose employees frequently interact with genuine Meta Business notifications, are particularly vulnerable.
How the Credential Theft Works
Upon clicking the embedded link within the phishing notification, victims are redirected to a meticulously crafted counterfeit login page. These fake pages are designed to perfectly mimic Meta’s official login interface and are often hosted on external domains, such as vercel.app, to evade immediate detection by security tools. Victims are prompted to enter their Meta credentials, business email address, and, alarmingly, in some instances, a two-factor authentication (2FA) code. This 2FA bypass capability is especially concerning, as it allows attackers to seize full control of an account even when additional security layers are enabled. The stolen data is harvested in real time, granting attackers immediate access before the victim is aware of the compromise.
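The two traits described above (a notification that really does come from facebookmail.com and passes SPF/DKIM, yet links off-platform to a host such as one under vercel.app) can be turned into a mail-gateway triage rule. The following is an added example, not code from the article or from Trustwave; the sample message is constructed, and the trusted-domain list is an assumption to adjust for your own tenant.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Domain Meta sends Business Manager notifications from (named in the article).
META_SENDER_DOMAINS = {"facebookmail.com"}
# Where a genuine notification should link to (assumption: extend for your tenant).
TRUSTED_LINK_DOMAINS = {"facebook.com", "meta.com", "fb.com", "instagram.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def registered_domain(host):
    """Collapse a host to its last two labels; good enough for first-pass triage."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def analyze_notification(raw):
    """Triage one raw RFC 5322 message: authenticated Meta sender + off-platform link."""
    msg = message_from_string(raw, policy=policy.default)
    sender_domain = parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()
    auth = (msg["Authentication-Results"] or "").lower()
    authenticated = "spf=pass" in auth and "dkim=pass" in auth
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(text)}
    off_platform = sorted(h for h in hosts if h and registered_domain(h) not in TRUSTED_LINK_DOMAINS)
    # Brand words inside a non-Meta host are an extra signal of a lookalike login page.
    lookalike = [h for h in off_platform if "meta" in h or "facebook" in h]
    return {
        "sender_domain": sender_domain,
        "authenticated": authenticated,
        "off_platform_hosts": off_platform,
        "lookalike_hosts": lookalike,
        # The article's pattern: a real Meta sender whose links leave Meta's domains.
        "suspicious": sender_domain in META_SENDER_DOMAINS and bool(off_platform),
    }

# Constructed sample mirroring the campaign: genuine sender, SPF/DKIM pass, off-platform link.
SAMPLE = """\
From: "Meta for Business" <notification@facebookmail.com>
To: ads-team@example.test
Subject: You have a new partner request
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=facebookmail.com; dkim=pass header.d=facebookmail.com
Content-Type: text/html; charset="utf-8"

<html><body><p>Acme Partners invited you to be their partner.</p>
<p><a href="https://accounts-review-meta.vercel.app/login">Review request</a></p>
<p><a href="https://business.facebook.com/settings">Business settings</a></p>
</body></html>
"""

if __name__ == "__main__":
    print(analyze_notification(SAMPLE))
```

Because the verdict keys on link destinations rather than on sender authenticity, a genuine partner request that links only to business.facebook.com is left alone while the same email with an external login link is flagged for review.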
What You Should Do
- Exercise Extreme Caution with Email Links: Never click on links within emails, even if they appear to originate from a trusted source like Meta. Always navigate directly to the platform by manually typing the official address into your browser.
- Enable and Verify Multi-Factor Authentication (MFA): While MFA is crucial, be highly suspicious of any request to enter verification codes on a page reached via an email link. Always confirm the legitimacy of the login page before providing any credentials or codes.
- Conduct Regular Employee Training: Implement ongoing security awareness training to educate employees on how to identify and question unexpected Meta Business notifications, especially those soliciting account verification or participation in advertising programs.
- Audit Partner Access: Periodically review and audit all partner access permissions within your Meta Business Manager account. Immediately remove any unrecognized or unauthorized accounts to mitigate potential insider threats.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.