{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/instagram/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Meta Business Account Manager Service","Facebook","Instagram","Facebook Messenger","Google Sites"],"_cs_severities":["high"],"_cs_tags":["phishing","credential-theft","cloud","email-security"],"_cs_type":"advisory","_cs_vendors":["Meta","Google","Telegram"],"content_html":"\u003cp\u003eSince late 2025, an unknown threat actor group has been executing an evolving phishing campaign primarily targeting businesses that utilize Meta platforms. The attackers ingeniously abuse Meta's legitimate Business Account Manager service to dispatch initial lure emails, which deceptively originate from the trusted address \u003ccode\u003enoreply@business.facebook.com\u003c/code\u003e, bypassing traditional email validation mechanisms. The campaign, which intensified in June 2026 with new infrastructure, directs victims via embedded URLs (frequently Google Sites pages such as \u003ccode\u003esites.google[.]com/view/profile1012\u003c/code\u003e) to sophisticated phishing pages (e.g., \u003ccode\u003eaussiecleaningservices[.]com\u003c/code\u003e, \u003ccode\u003ebusinesshelpcenterpageid563252.netlify[.]app\u003c/code\u003e). These pages are meticulously crafted to impersonate Meta's interfaces, aiming to harvest sensitive information including Meta account credentials, multi-factor authentication (MFA) codes, business and personal phone numbers, email addresses, and even images of government-issued IDs or passports. Stolen data is then exfiltrated to attacker-controlled domains like \u003ccode\u003eapi.goautolink[.]com\u003c/code\u003e or private Telegram channels, marking a significant credential theft and data exfiltration operation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access / Lure Construction:\u003c/strong\u003e Threat actors abuse Meta's Business Account Manager service to send phishing emails that appear to originate from the legitimate address \u003ccode\u003enoreply@business.facebook.com\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDelivery:\u003c/strong\u003e These carefully crafted emails are sent to targeted businesses, containing a malicious URL embedded within the email text.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRedirection:\u003c/strong\u003e The malicious URL initially points to a Google Sites page (e.g., \u003ccode\u003esites.google[.]com/view/profile1012\u003c/code\u003e), acting as an intermediate redirector to evade immediate detection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePhishing Page Hosting:\u003c/strong\u003e Victims are then redirected from the Google Sites page to sophisticated phishing landing pages, often hosted on services like Netlify (e.g., \u003ccode\u003ebusinesshelpcenterpageid563252.netlify[.]app\u003c/code\u003e) or attacker-controlled domains (e.g., \u003ccode\u003eaussiecleaningservices[.]com\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential \u0026amp; Data Collection:\u003c/strong\u003e The phishing pages are designed to mimic legitimate Meta interfaces, prompting victims to enter Meta account credentials, MFA codes, business and personal phone numbers, email addresses, and in some cases, an image of their ID or passport.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltration:\u003c/strong\u003e Stolen credentials and personal data are then exfiltrated to attacker-controlled infrastructure, such as \u003ccode\u003eapi.goautolink[.]com\u003c/code\u003e, or directly sent to private Telegram channels for collection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEvolving Tactics:\u003c/strong\u003e Newer variants of the attack incorporate a chatbot accessible via Facebook Messenger, which the phishing lure directs users to interact with, indicating continuous refinement of the social engineering tactics.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe primary impact of this campaign is the widespread compromise of Meta Business accounts through credential and MFA code theft. Successful attacks lead to unauthorized access to critical business assets on Facebook and Instagram, potential financial fraud, and further exploitation through business email compromise (BEC). The collection of personal phone numbers, email addresses, and identification documents exposes victims to identity theft and further targeted social engineering. The campaign targets businesses, making the potential for financial and reputational damage significant if attackers gain control of their social media presence or leverage stolen data for broader organizational access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eBlock the IOC domains: \u003ccode\u003eaussiecleaningservices[.]com\u003c/code\u003e, \u003ccode\u003eapi.goautolink[.]com\u003c/code\u003e, \u003ccode\u003esw[.]run\u003c/code\u003e, \u003ccode\u003ebusinesshelpcenterpageid563252.netlify[.]app\u003c/code\u003e at your organization's DNS resolvers and web proxies.\u003c/li\u003e\n\u003cli\u003eBlock the IOC URL \u003ccode\u003esites.google[.]com/view/profile1012\u003c/code\u003e at your web proxies and network firewalls.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Access to Known Meta Phishing Domains\u0026quot; to your SIEM and configure alerts for detected access attempts.\u003c/li\u003e\n\u003cli\u003eImplement robust email security controls to identify and flag suspicious URLs, even those originating from seemingly legitimate senders like \u003ccode\u003enoreply@business.facebook.com\u003c/code\u003e, especially when they link to external redirection services.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-09T20:28:12Z","date_published":"2026-07-09T20:28:12Z","id":"https://feed.craftedsignal.io/briefs/2026-07-meta-phishing/","summary":"A threat actor group is actively conducting a phishing campaign since November 2025, abusing Meta's legitimate Business Account Manager service to send emails from noreply@business.facebook.com containing malicious Google Sites URLs that redirect to sophisticated phishing pages, ultimately aiming to steal Meta account credentials, MFA codes, personal and business contact information, and identification documents from targeted businesses, with recent evolutions including a Facebook Messenger chatbot and exfiltration to Telegram.","title":"Meta Business Manager Phishing Campaign Leveraging Legitimate Services","url":"https://feed.craftedsignal.io/briefs/2026-07-meta-phishing/"}],"language":"en","title":"CraftedSignal Threat Feed - Instagram","version":"https://jsonfeed.org/version/1.1"}