jimkri 10 hours ago

I recently investigated a phishing campaign targeting Gmail users that exploits Salesforce infrastructure and Google support processes. The attackers use these trusted platforms to make their phishing emails appear credible and bypass spam filters. Original article reporting on the scam: (https://sammitrovic.com/infosec/gmail-account-takeover-super...)

Key Findings:

Exploitation of Salesforce Email Infrastructure: Phishing emails are relayed through Salesforce’s systems, using legitimate headers (e.g., X-SFDC-LK) and passing SPF, DKIM, and DMARC authentication.

Abuse of Google Support Processes: Emails impersonate Google Workspace Support (workspacesupport@google.com) and direct victims to attacker-controlled domains. Replies are routed to googlemail@internalcasetracking.com.

Social Engineering: Attackers use AI-driven phone calls to enhance the credibility of their phishing attempts.

Indicators of Compromise (IoCs): Includes domains, IP addresses, and email addresses associated with the attack.

This technique is scalable and can be applied to any Google-based domain, posing a wide-reaching threat.

The domain (internalcasetracking.com) used in the attack remains active. I’ve reported the activity to the appropriate security teams and am collaborating with Sam, who originally wrote about this scam.

Sharing this here to raise awareness and facilitate further investigation.
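As an added example (not code from the original post or from Sam's article), here is a small Python triage script that parses a constructed message modelled on the headers described above and flags the combination that makes this campaign effective: SPF/DKIM results that pass, but for the relay's domain rather than the claimed From domain, a Reply-To that leaves that domain, and a relay-specific header. Only the header name X-SFDC-LK and the two addresses workspacesupport@google.com and internalcasetracking.com come from the post; every other header name, domain and value in the sample is invented, and the exact DMARC alignment mechanism the attackers used is not stated on the page.

```python
"""Triage helper for mail that passes authentication yet impersonates a support desk.

Added example, not from the original post. All sample header values are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Header prefixes that fingerprint a relay the claimed sender does not normally use.
RELAY_HEADER_PREFIXES = ("X-SFDC-",)  # Salesforce (X-SFDC-LK is named in the post)
# Sender domains that should never need an off-domain Reply-To for support traffic.
PROTECTED_SENDER_DOMAINS = {"google.com"}


def domain_of(addr):
    """Lower-cased domain part of an address header, or '' if none."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rsplit("@", 1)[-1].lower() if "@" in email_addr else ""


def parse_auth_results(value):
    """Return {mechanism: (result, domain)} from an Authentication-Results header.

    The first ';'-separated field is the authserv-id and is skipped. The domain is
    taken from smtp.mailfrom / header.d / header.i / header.from when present.
    """
    results = {}
    for part in (value or "").split(";")[1:]:
        part = part.strip()
        m = re.match(r"(spf|dkim|dmarc)=(\w+)", part)
        if not m:
            continue
        mech, result = m.group(1), m.group(2).lower()
        dom = re.search(
            r"(?:smtp\.mailfrom|header\.d|header\.i|header\.from)=(?:[\w.+-]*@)?([\w.-]+)",
            part,
        )
        results[mech] = (result, dom.group(1).lower() if dom else "")
    return results


def triage(raw):
    """Return a dict describing why a message looks like relayed support-desk impersonation."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    auth = parse_auth_results(msg.get("Authentication-Results"))
    findings = []

    prefixes = tuple(p.upper() for p in RELAY_HEADER_PREFIXES)
    relay_headers = [h for h in msg.keys() if h.upper().startswith(prefixes)]
    if relay_headers:
        findings.append("relay headers present: " + ", ".join(relay_headers))

    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # A 'pass' only says who the relay is; it says nothing about the From identity
    # unless the authenticated domain is the From domain itself.
    authenticated = {d for mech, (res, d) in auth.items() if mech != "dmarc" and res == "pass" and d}
    if authenticated and from_dom not in authenticated:
        findings.append(f"SPF/DKIM passed for {sorted(authenticated)}, not for {from_dom}")

    if from_dom in PROTECTED_SENDER_DOMAINS and (reply_dom != from_dom or relay_headers):
        findings.append(f"{from_dom} is a protected sender but replies or relay go elsewhere")

    return {
        "from_domain": from_dom,
        "reply_to_domain": reply_dom,
        "auth": auth,
        "findings": findings,
        "suspicious": bool(findings),
    }


# Constructed sample modelled on the post's description. The dmarc=pass field only
# reproduces the post's claim that the mail passed DMARC; how alignment was achieved
# is not stated on the page, and the checks above do not depend on it.
SUSPICIOUS = """\
Return-Path: <bounce@relay.example>
Authentication-Results: mx.example.test;
 spf=pass smtp.mailfrom=bounce@relay.example;
 dkim=pass header.d=relay.example;
 dmarc=pass
X-SFDC-LK: constructed-value
From: Google Workspace Support <workspacesupport@google.com>
Reply-To: googlemail@internalcasetracking.com
To: victim@example.test
Subject: Action required on your account

Please call the number below or reply to this message.
"""

# Constructed benign message for contrast: authenticated domain equals From domain.
BENIGN = """\
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org; dmarc=pass header.from=example.org
From: Alice <alice@example.org>
To: bob@example.test
Subject: lunch

Noon?
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        report = triage(sample)
        print(label, report["suspicious"], *report["findings"], sep="\n  ")
```

The useful output is the findings list rather than the yes/no flag: "passed, but for relay.example" is the sentence that explains to a helpdesk why a green DKIM/SPF badge did not make the mail safe, and the Reply-To domain is the indicator worth blocking outright.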

  • jimkri 4 hours ago

    Here's another discovery I made; it looks like they are using wordplay:

    "Ceci n'est pas" (French for "This is not"):

    1 ceci.njalla.do

    2 nest.pipe.ma

    3 pas.njalla.in

    Translates loosely to "This is not domain information" or "This is not DO (Domain Operations)."

    "You can get no info":

    1 you.njalla.no

    2 can.njalla.in

    3 get.njalla.fo

    If anyone has come across something similar, wordplay, etc., it would be interesting to hear.