Hackers Abuse Legitimate Meta Business Manager Notifications to Deliver Phishing Emails

A new phishing campaign is actively targeting businesses worldwide by exploiting one of the most trusted tools in digital marketing — Meta’s Business Manager platform.

Cybercriminals have found a clever way to send deceptive emails that look exactly like genuine Meta notifications, making it nearly impossible for users to tell a legitimate message from a trap.

What sets this attack apart is that the emails do not come from a fake or suspicious address — they originate directly from Meta’s own infrastructure, giving the campaign an unusual level of credibility.

The attack starts when cybercriminals create fraudulent Facebook Business pages built to resemble real brands or verified Meta partners. These pages use professional-looking logos and names that closely mimic official Meta branding.

Once a fake page is live, the attackers exploit the platform’s legitimate “partner request” feature inside Meta Business Manager to send invitation emails to their targets.

Since this is a real Meta tool, the notifications it generates are sent from facebookmail.com — a genuine and verified Meta communication domain — making them nearly impossible to flag using standard authentication checks like SPF and DKIM.

Trustwave SpiderLabs analysts identified this campaign and noted that threat actors are deliberately abusing legitimate Meta Facebook Business Manager partner request notifications to deliver phishing emails to unsuspecting users.

SpiderLabs researchers highlighted that the technique is particularly dangerous because it turns a trusted platform feature — one that businesses rely on daily — into a reliable weapon for stealing credentials.

The campaign exploits the inherent trust that users place in familiar platforms, making it significantly harder for organizations to defend through technical means alone.

The scale of this campaign is considerable. Researchers tracked over 40,000 phishing emails sent to more than 5,000 organizations across the United States, Europe, Canada, and Australia.

Industries that rely heavily on Meta’s advertising tools — such as real estate, education, automotive, hospitality, and finance — were among the hardest hit.

While most organizations received a few hundred of these messages, one company alone received more than 4,200 phishing emails, pointing to a template-driven, automated attack built for wide reach rather than precise targeting.

The consequences of falling for this campaign extend well beyond a single compromised account. Attackers who gain access to a Meta Business Manager account can launch fraudulent ad campaigns, drain advertising budgets, impersonate the business to deceive clients, and even hold the account hostage for ransom.

Reputational damage and loss of client trust can follow quickly, making recovery both time-consuming and costly.

Small and mid-sized businesses face the greatest risk because their staff routinely receives genuine Meta Business notifications and are therefore far more likely to trust and respond to them.

How the Credential Theft Works

When a victim clicks the embedded link inside the phishing notification, they are redirected to a counterfeit login page designed to look exactly like Meta’s official interface.

These fake pages are usually hosted on external domains such as vercel.app, chosen to avoid immediate detection by security tools. Victims are then asked to enter their Meta credentials, business email address, and in some cases, a two-factor authentication (2FA) code.

The 2FA bypass is particularly alarming because it lets attackers seize full account control even when an extra layer of security is enabled. The stolen data is harvested in real time, giving the attacker immediate access before the victim notices anything is wrong.

Security experts strongly advise businesses and individuals to never click on links in emails, even when they appear to come from a trusted source like Meta — always navigate directly to the platform by typing the address into the browser.

Multi-factor authentication should be enabled, but users must remain cautious about entering verification codes on any page reached through an email link.

Organizations should regularly train employees to spot and question unexpected Meta Business notifications, particularly those asking for account verification or advertising program participation.

Businesses should also periodically review and audit all partner access within Meta Business Manager and immediately remove any unrecognized or unauthorized accounts.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.