Devious phishing campaign hijacks a genuine Meta business feature to send scam emails — as they really do come from Meta's own address
Meta has put a stop to this attack
- Huntress uncovers phishing campaign abusing Meta’s business account email infrastructure and impersonating the Meta Agency Partner Program
- Victims were tricked into handing over credentials, which attackers exfiltrated to Telegram for account takeover, scam ads, and targeted phishing
- Meta has since added guardrails that killed the campaign; Huntress published IoCs to help organizations detect related activity
Hackers are abusing one, and impersonating another legitimate Meta service, to try and steal login credentials for people’s business accounts with the company.
Meta, the owner of Facebook, Instagram, WhatsApp, and more, allows businesses to set up separate accounts and talk to each other. The emails sent from one to another pass through the company’s infrastructure, meaning they are shown as coming from Meta itself.
However up until recently, hackers were abusing this fact to send phishing emails that landed directly into their victims’ inboxes, security researchers Huntress explained. The company even tried to curb this by hardcoding a disclaimer that email senders are not part, or affiliated with, Meta, but crooks found creative ways around this, as well.
Spending money
The phishing emails redirected victims to landing pages outside Meta’s ecosystem. These pages were designed to mimic Meta Agency Partner Program, a legitimate initiative that connects businesses with professionals in social media management work.
Those who would fail to see the ruse would end up trying to log into their accounts, instead just sharing their login credentials with the attackers. The secrets would get exfiltrated to a Telegram account under the threat actors’ control, which they could later use for different things, from phishing to malvertising.
“Threat actors can leverage Meta business accounts to spend the victim's money on malicious or scam advertising, or they can take over the account entirely, changing the recovery methods and password, and leverage the account to transmit more targeted attacks at the business' customers or social media followers.” the researchers explained.
Over the last couple of months, the campaign evolved and changed, using different lures and mechanics, but keeping the same end goal. However, Meta has effectively killed it by adding additional guardrails that now make it impossible to run.
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.