SOC Prime Bias: High

10 Jul 2026 18:34 UTC

Phishers Exploit Meta Business Account Manager

Author Photo
SOC Prime Team linkedin icon Follow
Phishers Exploit Meta Business Account Manager
shield icon

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

An unidentified threat actor is abusing Meta’s legitimate Business Manager service to deliver highly convincing phishing emails. The messages use a manipulated business name that contains a URL, encouraging targets to visit phishing sites or interact with Facebook Messenger chatbots. The campaign is designed to steal Meta account credentials, MFA codes, and identity documents.

Investigation

Huntress analyzed the attack chain after detecting a phishing email in a honeypot in June 2026. The investigation showed a shift from earlier Google Sites redirect methods to a more advanced approach using Facebook Messenger chatbots and iFramed phishing pages. Researchers also traced exfiltration activity through domains such as api.goautolink.com and associated Telegram bots.

Mitigation

Meta has introduced technical controls that lock business accounts attempting to use URLs in business names. Users should remain cautious of unexpected business partnership requests and carefully inspect any linked destinations. Avoiding suspicious links in emails, even when the sender appears legitimate, remains a key line of defense.

Response

When suspicious business partnership requests are detected, administrators should confirm their legitimacy through official Meta channels. If credentials or identity documents are exposed, account recovery and MFA reset actions should be initiated immediately. Organizations should also monitor Meta Business Manager accounts for any unauthorized access or changes.

Attack Flow

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands: The adversary has sent a phishing email masquerading as a Meta Business Manager notification. To automate the testing of their phishing link or to scrape information from a landing page using a localized script, the attacker executes a PowerShell script. This script contains the hardcoded malicious URLs: sites.google.com/view/profile1012 and aussiecleaningservices.com. When the script executes, the PowerShell engine logs the full content of the script block, which contains these strings, thereby triggering the detection rule.

  • Regression Test Script:

    # Simulation script to trigger the detection rule by including the malicious URLs in a script block.
    $maliciousUrl1 = "https://sites.google.com/view/profile1012"
    $maliciousUrl2 = "http://aussiecleaningservices.com/login"
    
    Write-Host "Simulating phishing link processing..."
    $testString = "Processing links: $maliciousUrl1 and $maliciousUrl2"
    Write-Output $testString
  • Cleanup Commands:

    # No permanent changes made to the system; no cleanup required.
    # If transcription files were created, remove them:
    # Remove-Item C:Users<User>DocumentsPowerShell_Transcript.txt -ErrorAction SilentlyContinue