Cybercriminals are actively targeting businesses around the globe by misusing Meta’s Business Manager platform, a trusted tool in digital marketing. In a sophisticated phishing campaign, attackers send emails that mimic legitimate Meta notifications, making it difficult for recipients to distinguish between genuine and malicious messages.
How Attackers Leverage Meta’s Platform
The unique aspect of this attack is that the emails originate from Meta’s own infrastructure, lending them an unusual credibility. Cybercriminals craft fake Facebook Business pages that closely resemble genuine brands or verified Meta partners. By using professional logos and branding, these pages deceive victims into believing their authenticity.
Once these pages are operational, attackers use the genuine ‘partner request’ feature within Meta Business Manager to dispatch invitation emails to their targets. Because these notifications are sent by Meta itself from the verified domain facebookmail.com, they pass standard authentication checks such as SPF and DKIM, so sender-authentication filters that would catch a spoofed message do nothing here, making them challenging to detect.
Impact on Businesses Worldwide
Trustwave SpiderLabs has identified this campaign as particularly dangerous. By exploiting a feature that businesses rely on daily, attackers weaponize user trust to steal credentials. The campaign is widespread, with over 40,000 phishing emails sent to more than 5,000 organizations in the United States, Europe, Canada, and Australia.
Industries heavily dependent on Meta’s advertising tools, such as real estate, education, automotive, hospitality, and finance, are among the most affected. The attack’s scale indicates a template-driven, automated strategy, leading to significant impacts on businesses, including reputational damage and loss of client trust.
Steps to Mitigate the Threat
Victims clicking on phishing links are redirected to fake login pages resembling Meta’s interface, where they are prompted to enter credentials and sometimes a two-factor authentication (2FA) code. Because the entered 2FA code is relayed by the attacker while it is still valid, this approach allows attackers to gain full account control even when 2FA is enabled.
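Since the invitations are genuinely sent by Meta and pass SPF/DKIM, the useful mail-gateway signal is not sender authentication but the destination of the links the message carries. The following Python script is an added example written for this article; it is not code from Trustwave SpiderLabs or Meta. It parses a message, reads the Authentication-Results header, extracts every link from the plain-text and HTML parts, and flags any link whose host is not under a Meta-owned domain. The allowlist of Meta domains, the header layout, and the placement of the phishing URL inside the invitation body are assumptions; the sample message is constructed and uses the reserved .example TLD for the attacker host.

```python
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains on which a genuine Meta notification should link. Extend to taste.
META_DOMAINS = ("facebook.com", "facebookmail.com", "fb.com", "meta.com", "instagram.com")

URL_RE = re.compile(r"https?://[^\s<>\"']+")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


class LinkExtractor(HTMLParser):
    """Collect href targets from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def host_is_meta(host):
    """Suffix match on registrable domains, so 'facebook.com.evil.example' is NOT trusted."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in META_DOMAINS)


def auth_results(msg):
    """Return {'spf': 'pass', 'dkim': 'pass', ...} from Authentication-Results headers."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for m in AUTH_RE.finditer(str(hdr)):
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def extract_links(msg):
    """Gather links from text/html (href) and text/plain (bare URLs) parts, de-duplicated."""
    links = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            parser = LinkExtractor()
            parser.feed(part.get_content())
            links.extend(parser.links)
        elif ctype == "text/plain":
            links.extend(URL_RE.findall(part.get_content()))
    return list(dict.fromkeys(links))  # preserve order, drop duplicates


def triage(raw_message):
    """Classify one RFC 5322 message; returns a dict a gateway or SOAR step can act on."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    auth = auth_results(msg)
    from_addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    from_domain = from_addr.rpartition("@")[2].lower()
    external = [u for u in extract_links(msg) if not host_is_meta(urlparse(u).hostname or "")]

    authenticated = all(auth.get(k) == "pass" for k in ("spf", "dkim")) and host_is_meta(from_domain)
    if not authenticated:
        verdict = "REVIEW: sender not authenticated as Meta"
    elif external:
        verdict = "REVIEW: authenticated Meta mail carries links outside Meta domains"
    else:
        verdict = "OK: authenticated Meta mail, all links on Meta domains"
    return {"auth": auth, "from_domain": from_domain, "external_links": external, "verdict": verdict}


def build_sample(include_external=True):
    """Constructed partner-request notification; the external link is the assumed phishing URL."""
    m = EmailMessage()
    m["From"] = "Meta for Business <notification@facebookmail.com>"
    m["To"] = "marketing@victim.example"
    m["Subject"] = "You have a new partner request"
    # Assumed header as a receiving MTA would write it after SPF/DKIM/DMARC all pass.
    m["Authentication-Results"] = ("mx.victim.example; spf=pass smtp.mailfrom=facebookmail.com; "
                                   "dkim=pass header.d=facebookmail.com; dmarc=pass")
    bait = "Verify your business: https://meta-business-verify.example/login" if include_external else ""
    m.set_content(f"Review the request: https://business.facebook.com/settings/partners\n{bait}\n")
    html = ('<html><body><a href="https://business.facebook.com/settings/partners">Review request</a>'
            + ('<a href="https://meta-business-verify.example/login">Verify your business</a>' if include_external else "")
            + "</body></html>")
    m.add_alternative(html, subtype="html")
    return m.as_string()


SAMPLE_RAW = build_sample()

if __name__ == "__main__":
    for key, value in triage(SAMPLE_RAW).items():
        print(f"{key}: {value}")
```

The point of the suffix check in `host_is_meta` is that a plain substring test would accept look-alike hosts; a gateway rule built on this logic should quarantine or tag for review rather than block outright, since genuine partner requests from a legitimate agency also arrive this way.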
Security experts advise against clicking links in emails, even those appearing to be from trusted sources like Meta. Users should directly navigate to the platform by typing its address in the browser. Regular employee training on identifying suspicious Meta notifications can prevent such attacks. Additionally, businesses should frequently audit partner access within Meta Business Manager to ensure only authorized accounts are linked.
By implementing these practices, organizations can better protect themselves from this evolving threat landscape.
