Meta Business Notifications Used for Phishing Attacks
A phishing campaign has been observed abusing legitimate Meta Business Manager functionality to deliver deceptive emails that appear fully authentic. The activity leverages real platform-generated notifications, allowing attackers to bypass traditional email trust controls and target organizations at scale.
What Happened
Threat actors are using Meta Business Manager’s partner request feature to send phishing emails through legitimate infrastructure. Because these notifications are generated by the platform itself, they are delivered from trusted domains such as:
- facebookmail.com
This makes them indistinguishable from legitimate Meta communications at the email level. The campaign has affected thousands of organizations across multiple regions and industries.
How the Attack Works
The attack does not rely on spoofing. It relies on platform abuse.
The sequence is straightforward:
- attackers create fake business pages that resemble legitimate entities
- they send partner requests through Meta Business Manager
- Meta generates and sends official notification emails to targets
- users receive emails that appear fully legitimate
- embedded links lead to counterfeit login pages
- credentials and session data are collected in real time
In some cases, attackers also capture two-factor authentication (2FA) codes during the login process.
Impact
Once access is obtained, attackers can:
- take control of Meta Business Manager accounts
- run fraudulent advertising campaigns
- drain advertising budgets
- impersonate businesses
- disrupt operations or demand ransom
The impact is not limited to account compromise. It extends to brand trust and customer relationships.
Why This Matters
This is not a typical phishing campaign. It represents a shift in delivery methods.
Three key observations:
1. Trusted platforms are being weaponized
Attackers no longer need to mimic legitimacy.
They use it directly.
2. Email security controls are bypassed by design
SPF, DKIM, and domain-reputation checks pass because the mail genuinely originates from the platform; sender validation has nothing to catch.
3. User expectation becomes the attack vector
The attack works because the message looks correct and expected.
DIAMATIX Perspective
This case highlights a growing pattern. Attackers are moving away from imitation. They are leveraging real systems. The entry point is not a malicious email.
It is a legitimate notification used maliciously.
This changes how organizations must think about phishing.
Traditional defenses focus on:
- sender validation
- domain reputation
- known indicators
But here:
- the sender is legitimate
- the infrastructure is trusted
- the message is expected
The only reliable control shifts to:
- user awareness of context, not just appearance
- monitoring of account activity after authentication
- visibility into abnormal platform interactions
- rapid response when access is misused
The challenge is no longer identifying fake messages. It is identifying legitimate messages used for malicious purposes.
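As an added illustration (not from the article, DIAMATIX, or Trustwave), the following Python triage applies the context check described above: a message whose sender is the genuine platform domain but whose embedded links resolve outside an allowlist of Meta-operated domains is flagged for review, even though sender validation would pass it. The allowlist, the sample messages, and the `.example` hosts are constructed assumptions.

```python
import re
from email import message_from_string

# Constructed allowlist (an assumption, not from the article): domains a genuine
# Meta Business Manager notification is expected to link to.
TRUSTED_LINK_DOMAINS = {"facebook.com", "fb.com", "meta.com", "instagram.com"}
# The platform sender domain named in the article.
PLATFORM_SENDER_DOMAIN = "facebookmail.com"
# Captures the host part of every http(s) URL in a body.
URL_RE = re.compile(r"https?://([^/\s\"'<>]+)", re.IGNORECASE)

def registrable_domain(host):
    # Naive eTLD+1 (last two labels) after stripping userinfo and port. Enough
    # for the allowlist above; use a public-suffix list in production.
    labels = host.lower().split("@")[-1].split(":")[0].rstrip(".").split(".")
    return ".".join(labels[-2:])

def sender_domain(msg):
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""

def message_text(msg):
    # Concatenate text parts; walk() yields the message itself for single-part mail.
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def triage(raw_email):
    """Return (verdict, foreign_domains) for one RFC 5322 message string."""
    msg = message_from_string(raw_email)
    from_platform = sender_domain(msg) == PLATFORM_SENDER_DOMAIN
    domains = {registrable_domain(h) for h in URL_RE.findall(message_text(msg))}
    foreign = sorted(domains - TRUSTED_LINK_DOMAINS)
    if not from_platform:
        return "not-platform-notification", foreign
    if foreign:
        return "platform-sender-untrusted-link", foreign
    return "platform-sender-consistent", foreign

# Constructed samples: sender checks alone pass both; only the link context differs.
GENUINE = """From: Meta for Business <notification@facebookmail.com>
Subject: You have a new partner request
Content-Type: text/plain; charset=utf-8

Review the request: https://business.facebook.com/settings/requests
"""
SUSPECT = """From: Meta for Business <notification@facebookmail.com>
Subject: You have a new partner request
Content-Type: text/plain; charset=utf-8

Verify your account to continue: https://facebook.com.review-center.example/login
"""
```

Running `triage(SUSPECT)` returns `("platform-sender-untrusted-link", ["review-center.example"])`, while `triage(GENUINE)` returns `("platform-sender-consistent", [])`; the lookalike host is caught because the check compares registrable domains rather than looking for "facebook.com" as a substring.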
Conclusion
This campaign demonstrates how trust itself becomes part of the attack surface. As platforms become more integrated into daily operations, their features can be repurposed in ways they were never designed for.
Security must adapt to that reality.
Sources
Trustwave SpiderLabs. Analysis of Meta Business Manager phishing campaign