Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

Phishing campaign exploits Meta Business Suite to target small businesses

Written by Farah Amod | December 01, 2025

Security researchers have uncovered a large-scale phishing operation abusing Meta’s own infrastructure to trick Facebook Business users into revealing login credentials.

What happened

According to GBHackers, researchers have identified a global phishing campaign that used Meta’s legitimate Business Suite tools to distribute fraudulent notifications. The operation sent over 40,000 phishing emails to more than 5,000 businesses across the US, Europe, Canada, and Australia. Industries most affected included automotive, education, real estate, hospitality, and finance, all heavily reliant on Facebook advertising.

Threat actors created fake Facebook Business pages using authentic-looking Meta logos and names. They then used the Business Suite invitation feature to send phishing messages from facebookmail.com, a genuine Meta domain. Because the messages genuinely originated from a trusted Meta domain rather than a spoofed one, they passed most domain-based email security checks, which are designed to catch forged senders, not abuse of a legitimate one.

Going deeper

The phishing emails mimicked legitimate Meta alerts, with subject lines like “Action Required: You’re Invited to Join the Free Advertising Credit Program” and “Account Verification Required.” Clicking the embedded links redirected users to fake login pages hosted on external domains such as vercel.app, where credentials and sensitive business data were harvested.
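The following Python sketch is an added illustration, not code from the article or from the researchers it cites. It shows the kind of check a mail gateway or SOC triage script can apply to this pattern: a sender domain that legitimately passes authentication is treated as necessary but not sufficient, and a message is flagged when its links leave the platform that sent it. The three sample messages, the link-domain allow-list, the urgency phrases and the verdict thresholds are constructed assumptions for the demo; only facebookmail.com and the two quoted subject lines come from the article.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Platform domains for this example. facebookmail.com is the sender domain named in the
# article; the link domains are an illustrative allow-list of where a genuine Meta
# notification is expected to point (assumption, not a complete or authoritative list).
PLATFORM_SENDER_DOMAINS = {"facebookmail.com"}
PLATFORM_LINK_DOMAINS = {"facebook.com", "meta.com", "fb.me", "instagram.com"}

# Subject fragments typical of pressure-style notifications, including the two quoted
# in the article.
URGENCY_PHRASES = ("action required", "verification required", "suspended")

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


@dataclass
class Email:
    sender: str        # RFC 5322 From header value
    subject: str
    auth_pass: bool    # True when the upstream gateway recorded SPF/DKIM/DMARC pass
    body: str


def sender_domain(addr: str) -> str:
    """Return the lower-cased domain part of an address like 'Name <user@host>'."""
    match = re.search(r"@([\w.-]+)", addr)
    return match.group(1).lower() if match else ""


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' reduction (not a Public Suffix List lookup): maps
    meta-ads-credit.vercel.app to vercel.app and business.facebook.com to facebook.com."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def off_platform_link_hosts(body: str) -> set[str]:
    """Hosts of all URLs in the body whose registrable domain is not a platform domain."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host and registrable_domain(host) not in PLATFORM_LINK_DOMAINS:
            hosts.add(host.lower())
    return hosts


def assess(email: Email) -> dict:
    """Score one message. Authentication tells you who sent it; the link targets tell
    you where it wants the recipient to go, and the two are checked against each other."""
    reasons = []
    severity = 0  # 0 deliver, 1 review, 2 quarantine
    domain = sender_domain(email.sender)
    from_platform = domain in PLATFORM_SENDER_DOMAINS
    foreign_hosts = off_platform_link_hosts(email.body)
    urgent = any(p in email.subject.lower() for p in URGENCY_PHRASES)

    if from_platform and not email.auth_pass:
        reasons.append("platform sender domain failed authentication (likely spoof)")
        severity = max(severity, 2)
    if from_platform and foreign_hosts:
        reasons.append("authenticated platform sender but links leave the platform: "
                       + ", ".join(sorted(foreign_hosts)))
        severity = max(severity, 2)
    if urgent and foreign_hosts:
        reasons.append("urgency wording combined with off-platform links")
        severity = max(severity, 1)

    verdict = {0: "deliver", 1: "review", 2: "quarantine"}[severity]
    return {"verdict": verdict, "sender_domain": domain,
            "foreign_hosts": sorted(foreign_hosts), "reasons": reasons}


# Constructed sample messages (not real captures) modelled on the article's description.
SAMPLES = [
    Email(sender="Meta for Business <notification@facebookmail.com>",
          subject="Action Required: You're Invited to Join the Free Advertising Credit Program",
          auth_pass=True,
          body="Claim your credit: https://meta-ads-credit.vercel.app/login?ref=invite"),
    Email(sender="Meta for Business <notification@facebookmail.com>",
          subject="You have a new page invitation",
          auth_pass=True,
          body="Review it in Business Suite: https://business.facebook.com/latest/settings/pages"),
    Email(sender="Meta Support <security@facebookmail.com>",
          subject="Account Verification Required",
          auth_pass=False,
          body="Verify here: https://business.facebook.com/settings"),
]


def run_samples() -> list[dict]:
    return [assess(e) for e in SAMPLES]


if __name__ == "__main__":
    for e, result in zip(SAMPLES, run_samples()):
        print(f"{result['verdict']:>10}  {e.subject[:60]}")
        for r in result["reasons"]:
            print("            -", r)
```

The first sample reproduces the campaign's shape (real sender domain, authentication pass, link to a vercel.app host) and is quarantined on the link mismatch alone; the second is a genuine-looking notification whose link stays on the platform and is delivered; the third is a conventional spoof that fails authentication. In production the registrable-domain step should use a Public Suffix List library, and the allow-list should be maintained per platform rather than hard-coded.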

Researchers replicated the attack in a controlled experiment, demonstrating how easily the Business Suite’s invitation feature could be weaponized. Their telemetry data showed that while most victims received a few hundred emails, one company received more than 4,200, evidence of a mass phishing template rather than targeted spear-phishing.

Small and mid-sized businesses were hit hardest. Because these organizations frequently engage with legitimate Meta Business notifications, they were more likely to trust and act on such messages.

What was said

Researchers reported that the campaign's effectiveness stemmed from the attackers' use of a real Meta domain, which lends credibility and evades most automated filters. The researchers' firm has since updated its SmartPhish product to detect similar campaigns using behavioral and AI-driven analysis.

Security experts advise businesses to train employees to recognize unusual or unsolicited Meta communications, enable multi-factor authentication, and access Meta accounts directly rather than through email links.

The big picture

According to a recent analysis on Medium, this type of activity marks a shift in how phishing campaigns will operate going forward. As the report warned, “this attack is more than a clever trick, it’s a blueprint for the future of phishing.” By abusing trusted ecosystems like Meta’s own tools and domains, “attackers can sidestep almost every traditional defense layer,” making even legitimate-looking system emails a potential threat. The author noted that “your ad accounts, customer data, and brand reputation all hinge on a few login credentials. Protect them like the assets they are,” a reminder that platform trust alone is no longer enough to guarantee safety.

FAQs

Why is this phishing campaign different from typical scams?

Unlike traditional phishing, this campaign used legitimate Meta systems and domains to send messages, making them appear authentic and much harder to detect.

How can businesses confirm whether a Meta notification is genuine?

Users should avoid clicking on embedded links in emails. Instead, log in directly to the Meta Business Suite or Ads Manager from the official Meta website to verify any alerts.

Why are small businesses particularly at risk?

Smaller organizations often have fewer security layers and receive frequent legitimate Meta notifications, making employees more likely to trust and respond to fraudulent messages.

What technical measures can reduce exposure to such attacks?

Deploying email gateways with behavioral or AI-based threat detection, enforcing multi-factor authentication, and regularly updating security awareness training can greatly reduce risk.

What does this mean for the future of phishing defense?

As attackers increasingly exploit trusted platforms, the security industry will need to move beyond static domain reputation checks toward adaptive, context-aware systems that analyze sender behavior and intent.