Phishers Exploit Meta Business Account Manager
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
An unidentified threat actor is abusing Meta’s legitimate Business Manager service to deliver highly convincing phishing emails. The messages use a manipulated business name that contains a URL, encouraging targets to visit phishing sites or interact with Facebook Messenger chatbots. The campaign is designed to steal Meta account credentials, MFA codes, and identity documents.
Investigation
Huntress analyzed the attack chain after detecting a phishing email in a honeypot in June 2026. The investigation showed a shift from earlier Google Sites redirect methods to a more advanced approach using Facebook Messenger chatbots and iFramed phishing pages. Researchers also traced exfiltration activity through domains such as api.goautolink.com and associated Telegram bots.
Mitigation
Meta has introduced technical controls that lock business accounts attempting to use URLs in business names. Users should remain cautious of unexpected business partnership requests and carefully inspect any linked destinations. Avoiding suspicious links in emails, even when the sender appears legitimate, remains a key line of defense.
Response
When suspicious business partnership requests are detected, administrators should confirm their legitimacy through official Meta channels. If credentials or identity documents are exposed, account recovery and MFA reset actions should be initiated immediately. Organizations should also monitor Meta Business Manager accounts for any unauthorized access or changes.
Attack Flow
Detections
Suspicious Command and Control by Unusual Top Level Domain (TLD) DNS Request (via dns)
View
File With Suspicious Extension Donwloaded From Domain With Uncommon TLD (via proxy)
View
Detection of Domains Used in Meta Phishing Attacks [Google Cloud Platform]
View
Detect Phishing Lure Emails Using Business Manager Service [Google Cloud Platform]
View
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
-
Attack Narrative & Commands: The adversary has sent a phishing email masquerading as a Meta Business Manager notification. To automate the testing of their phishing link or to scrape information from a landing page using a localized script, the attacker executes a PowerShell script. This script contains the hardcoded malicious URLs:
sites.google.com/view/profile1012andaussiecleaningservices.com. When the script executes, the PowerShell engine logs the full content of the script block, which contains these strings, thereby triggering the detection rule. -
Regression Test Script:
# Simulation script to trigger the detection rule by including the malicious URLs in a script block. $maliciousUrl1 = "https://sites.google.com/view/profile1012" $maliciousUrl2 = "http://aussiecleaningservices.com/login" Write-Host "Simulating phishing link processing..." $testString = "Processing links: $maliciousUrl1 and $maliciousUrl2" Write-Output $testString -
Cleanup Commands:
# No permanent changes made to the system; no cleanup required. # If transcription files were created, remove them: # Remove-Item C:Users<User>DocumentsPowerShell_Transcript.txt -ErrorAction SilentlyContinue