Abusing Facebook Business Manager Workflows via Template Injection for Phishing and Account Compromise

WithSecure Cloud Protection for Salesforce has identified an active phishing campaign targeting Microsoft 365 users that extends beyond traditional email delivery.

Phishing attacks are no longer confined to the inbox.

In April 2026, WithSecure Cloud Protection for Salesforce (CPSF) identified a phishing campaign that did not rely on spoofed emails or compromised infrastructure. Instead, it leveraged Facebook’s own notification system to deliver malicious content through fully authenticated, legitimate communications.

What initially appeared to be a standard phishing operation revealed a more sophisticated design upon closer inspection, not because of the phishing infrastructure itself, but because the attack operated entirely within trusted Facebook Business Manager workflows.

The malicious URLs were not distributed through spoofed or compromised email systems. Instead, they were embedded in legitimate emails sent directly from Facebook’s own infrastructure. These messages passed SPF, DKIM, and DMARC authentication without issue, making them indistinguishable from genuine communications at the email security layer.

Further analysis revealed that this campaign does not rely on a single attack path. Instead, it combines a shared injection technique, multiple delivery channels, and different attack objectives, all operating within trusted Facebook Business Manager workflows.

Key Takeaways

  • Attackers are exploiting platform-native workflows rather than relying on traditional email spoofing
  • A single template injection technique can be reused across multiple Facebook notification workflows to distribute malicious content
  • Legitimate Facebook notification emails can be repurposed as phishing delivery channels
  • The campaign supports multiple objectives, including credential harvesting and unauthorized access to business assets
  • Detection must extend beyond email into business platforms where content is consumed and acted upon

Detection Context

The campaign was detected not at the email layer, but within Salesforce workflows where the content was ultimately consumed. WithSecure Cloud Protection for Salesforce classified the malicious URLs as Malicious:Network/Generic during content inspection as they propagated through business processes.

This reflects a broader pattern observed across multiple campaigns: attackers are designing threats to survive perimeter controls and rely on downstream interaction within trusted business systems.

Attack Model

This campaign is best understood across three layers:

Technique

  • Template injection through Business Manager profile fields, allowing attacker-controlled content to be embedded in notification emails

Delivery Channels

  • Partner access request notifications, which target organizations, can lead to credential compromise or unauthorized access if approved
  • Business portfolio user invitations, which target individual users, are primarily used as a phishing delivery mechanism

Objectives

  • Credential harvesting through phishing pages designed to capture user credentials and MFA codes
  • Unauthorized access to business assets through approved partner relationships within Facebook Business Manager

The attacker reuses the same injection technique across multiple Facebook workflows to distribute malicious content through trusted communication channels. Rather than following a single linear path, the attack leverages different workflows to achieve different outcomes depending on how the victim interacts.

Attack Flow: Template Injection Across Multiple Workflows

The diagram below illustrates the conceptual model of the attack, starting from the injection technique and branching into multiple delivery workflows.

Facebook Business Manager Attack Flow

Step 1: Template Injection Setup

The attacker creates or compromises a Facebook Business Manager account.

Business Portfolio Information

Step 2: Delivery Mechanisms

The attacker selects one of two delivery mechanisms:

A: Partner Access Request

  • Objectives: Account Access, Credential Phishing
  • Target: Organizations with Business Manager accounts
  • Lure Themes:
    • Meta Agency Partner Program presents targets with a “Partnership Registration Form” and a “Join Meta Agency Program” call to action
    • “Account deletion / locked within 24 hours” uses urgency and an “Appeal Form”
  • Attacker identifies target organizations’ business IDs via publicly accessible information
  • Sends a legitimate partner access request, often requesting broad permissions across multiple business assets
  • Facebook delivers an authenticated notification email

Access Request Process

Permission request includes full access control

If approved, the attacker gains authorized access. This requires minimal reconnaissance: only a Page ID or Ad Account ID is needed, which is often publicly accessible.

Impact:

  • No credential theft required
  • Access appears legitimate in audit logs
  • Persistence remains even after password changes
  • Enables control over ad accounts, pages, and associated assets

This is functionally similar to Business Email Compromise (BEC) but executed entirely within platform-native workflows.

B: Business Portfolio User Invitation

  • Objective: Credential Phishing
  • Target: Any user via email address
  • Lure Theme: “Free verified blue badge” exploits aspiration for account credibility to trigger action
  • Sends a legitimate invitation to join the attacker’s business portfolio, targeting users via email
  • Facebook sends a legitimate invitation email

Business Portfolio User Invitation Form

Step 3: Template Injection in Notification Emails

In both delivery paths, Facebook inserts attacker-controlled business profile information directly into its email templates without sanitization. This allows phishing URLs and social engineering content to appear seamlessly within legitimate notification emails.
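The following added example (not code from the original report or from Facebook) contrasts a notification template that interpolates a profile field verbatim with one that validates and escapes it first; the template text, the validation rules and the lure string are assumptions constructed for illustration.

```python
import html
import re

# Hypothetical notification template (an assumption, not Facebook's real template).
INVITE_TEMPLATE = "<p>{business_name} has invited you to join their business portfolio.</p>"
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)
TAG_RE = re.compile(r"<[^>]+>")

def render_unsafe(business_name: str) -> str:
    """Trusting rendering: the profile field lands in the email verbatim, links and all."""
    return INVITE_TEMPLATE.format(business_name=business_name)

def profile_field_findings(value: str, max_len: int = 60) -> list[str]:
    """Validation a platform could apply before a profile field reaches a template."""
    findings = []
    if URL_RE.search(value):
        findings.append("contains_url")
    if TAG_RE.search(value):
        findings.append("contains_markup")
    if len(value) > max_len:
        findings.append("too_long")
    return findings

def render_hardened(business_name: str, max_len: int = 60):
    """Reject fields that fail validation; HTML-escape the rest before templating."""
    if profile_field_findings(business_name, max_len):
        return None  # caller should refuse the notification or substitute a neutral placeholder
    return INVITE_TEMPLATE.format(business_name=html.escape(business_name))

# Constructed lure text placed in the business-name field (placeholder domain, not a real indicator).
LURE_NAME = "Meta Agency Program: register at https://example-lure.test/appeal <b>now</b>"
```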

Sample Email Via Partner Access Request

Sample Email Via User Invitation

Step 4: Target Interaction

The target receives a legitimate Facebook email and interacts with it:

Path 1 — Phishing:

  • Target clicks embedded link in the message
  • Redirected to cloned Meta portal
  • Target is prompted to provide personal information and credentials
  • Personal data, credentials, and MFA codes are submitted

Loading page

Fake Meta Page for Meta Agency Partner Program Lure

Fake Meta Page for Page Deletion Lure

Fake Blue Badge Lure

Fake Partnership Registration Form

Fake Appeal Form

Fake Blue Badge Form

Password Prompt

MFA Prompt


Path 2 — Access Approval:

  • Target clicks “View request” directly from Facebook email notification
  • Approves partner access

Partner Access Request Link

Step 5: Outcomes

Credential harvesting path:

The attacker can use the collected identity data for:

  • Account recovery abuse and full account takeover of compromised Facebook identities
  • Reuse of collected identity data across other platforms or social engineering campaigns
  • Ad fraud using compromised business assets and advertising accounts
  • Resale of access to compromised accounts or business assets for financial gain

Access approval path:

  • The attacker gains sanctioned access within Facebook’s own platform
  • No credentials stolen
  • Access persists even if the user later changes their password
  • The attacker can access Pages, Ad Accounts, Pixels, or whatever the target approves
  • It looks like a legitimate business relationship in Facebook’s audit logs

These attack paths collectively result in:

  • Social engineering content embedded in trusted communication
  • Phishing URLs delivered through authenticated infrastructure
  • Increased credibility due to platform branding

This is not a traditional vulnerability, but rather an abuse of unvalidated input within a trusted workflow.

Detection Telemetry

This threat is covered by our generic detection, Malicious:Network/Generic.

Detection telemetry indicates activity as early as May 2025, with a significant increase from March 2026 and a peak in April 2026. This gradual ramp-up suggests iterative refinement of the technique rather than opportunistic use.

Detection Activity Trend

Domain Usage

Domain age analysis reveals a consistent operational pattern:

  • 96.4% of domains had been registered within the 7 days before they were first observed in customer environments
  • 3.15% were between 8 and 14 days old when observed
  • Only a negligible proportion were older than 90 days

This concentration in newly registered domains is operationally significant. At a domain age threshold of ≤7 days, this control alone would have covered the vast majority of observed detections.

For organisations seeking an additional defensive layer against campaigns relying on fresh infrastructure, enabling domain age filtering represents a low-friction, high-coverage mitigation.
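As an added example (not code from the original report or from CPSF), the block below combines the two controls this section and the Technical Controls recommendations describe: content-level inspection that pulls non-platform links out of a notification body, and a domain age check using the same age buckets as the analysis above. The first-party domain list, the WHOIS lookup table, the sample body and the observation date are all constructed assumptions.

```python
import re
from datetime import date
# Assumptions (not from the original report): which hosts are first-party for the
# notifying platform, and a constructed stand-in for WHOIS registration lookups.
FIRST_PARTY = ("facebook.com", "facebookmail.com")
URL_RE = re.compile(r"https?://([^/\s\"'<>]+)", re.IGNORECASE)
CONSTRUCTED_WHOIS = {"agency-register-lure.test": date(2026, 4, 10),  # placeholders,
                     "old-partner-site.test": date(2021, 1, 15)}      # not real IoCs
SAMPLE_OBSERVED = date(2026, 4, 14)  # constructed first-seen date

def external_hosts(body: str) -> list[str]:
    """Hosts linked from a notification body that are not the platform's own."""
    found = []
    for host in (h.lower() for h in URL_RE.findall(body)):
        if not any(host == d or host.endswith("." + d) for d in FIRST_PARTY):
            found.append(host)
    return found

def registrable_domain(host: str) -> str:
    """Two-label approximation; real code should consult the Public Suffix List."""
    return ".".join(host.split(".")[-2:])

def age_bucket(age_days: int) -> str:
    """Buckets matching the report's domain age analysis."""
    if age_days <= 7:
        return "<=7"
    if age_days <= 14:
        return "8-14"
    return "15-90" if age_days <= 90 else ">90"

def assess_links(body: str, observed: date, threshold: int = 7) -> list[dict]:
    """Pair each non-platform link with its domain age and a block verdict."""
    results = []
    for host in external_hosts(body):
        registered = CONSTRUCTED_WHOIS.get(registrable_domain(host))
        age = (observed - registered).days if registered else None
        results.append({
            "host": host, "age_days": age,
            "bucket": age_bucket(age) if age is not None else "unknown",
            "block": age is not None and age <= threshold,  # the <=7 day rule
        })
    return results

# Constructed notification body: a genuine platform link beside an injected lure link.
SAMPLE_BODY = (
    "Partnership Registration Form: https://member.agency-register-lure.test/form\n"
    "View request: https://business.facebook.com/settings/requests\n"
    "About us: https://www.old-partner-site.test/about"
)
```

Links whose registrable domain is absent from the lookup table are reported with an "unknown" bucket rather than blocked, so the verdict stays tied to the age rule alone.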

Domain Age Blocking in CPSF Configuration

How This Differs from Previous Campaigns

While this campaign shares similarities with previously observed Microsoft 365 phishing activity, particularly the use of trusted infrastructure, it introduces several notable differences:

  • The attack operates entirely within platform-native workflows rather than relying solely on email-borne delivery such as attachments or calendar invites
  • A single template injection technique is reused across multiple notification workflows, enabling consistent delivery of malicious content through different contexts
  • Multiple delivery channels are leveraged simultaneously, including both organization-targeted and user-targeted workflows
  • Attacker-controlled input is rendered inside legitimate platform notifications, effectively turning trusted templates into delivery mechanisms
  • Successful compromise may not involve credential theft at all, instead relying on user-approved access grants that persist within the platform

Conclusion

This campaign reinforces a broader trend: attackers are increasingly operating within trusted systems rather than attempting to evade them. By exploiting multiple Facebook Business Manager workflows, the attacker transforms legitimate platform functionality into both a delivery mechanism and an attack surface. The ability to combine multiple workflows with different objectives, ranging from credential harvesting to unauthorized access, significantly increases both reach and effectiveness.

As demonstrated in this campaign, detection occurred not at the point of delivery, but within Salesforce workflows, where the content was ultimately consumed and acted upon. This highlights a fundamental shift: perimeter controls alone are insufficient when threats are designed to appear indistinguishable from legitimate platform activity.

Effective security must extend into business applications and workflows, where trust, context, and user interaction converge and where modern attacks are ultimately executed.

Recommendations

Governance and Access Control

  • Define strict approval processes for Facebook Business Manager partner requests
  • Treat partner access as equivalent to third-party vendor onboarding
  • Limit approval authority to a controlled set of users

Monitoring and Audit

  • Regularly audit Business Manager partner relationships
  • Remove unrecognized or unnecessary access

User Awareness

  • Train marketing and social media teams on platform-native attacks
  • Emphasize that legitimate emails can still contain malicious content

Technical Controls

  • Enable domain age filtering (e.g., block domains <7 days old)
  • Implement content-level URL inspection across business platforms
  • Extend detection beyond email gateways into SaaS environments

Operational Practices

  • Treat unsolicited partner requests as suspicious by default
  • Validate requests through independent communication channels
  • Establish incident response playbooks specific to SaaS platform abuse

Indicators of Compromise
