A few weeks ago, we wrote about how threat actors are using the Facebook Ad Manager to send credential harvesting links.

A few weeks later, and the campaign continues apace.

In this attack brief, researchers at Avanan, a Check Point Software Company, will discuss how hackers have continued to leverage Facebook’s legitimacy to get into the inbox and steal credentials. 


In this attack, hackers are using Facebook forms to create credential harvesting pages.

  • Vector: Email
  • Type: Credential Harvesting
  • Techniques: Social Engineering, Static Expressway
  • Target: Any end-user

Email Example #1

This email is similar to the ones we wrote about a few weeks ago. A user of Facebook Ads gets an email that they have violated the Terms of Service. In order to avoid losing permanent access to your account, you have to click on the link provided to launch an appeal. Note the call to urgency–if you don’t use the form within 24 hours, your account might be disabled anyway. Also notice that the sender address is an Outlook address; not at all from Facebook.


How do you get into the inbox? And once there, how do you get users to click?

Your email needs to appear as legitimate as possible. A great way to do that is to actually leverage a legitimate site; use a link from a site that security systems trust, and send your email directly from their services.

Then, your email needs to appear urgent, important and potentially damaging. This email claims that, unless you act within 24 hours, your Facebook Ads account will be disabled. That’ll get someone’s attention. 

That’s why we see a dramatic influx in emails that use legitimate services. We’ve been writing about it for over a year, and it doesn’t seem to be slowing down. The Static Expressway, as we call it, is the umbrella term for this tactic. Hop on the back of a legitimate service that static Allow Lists have deemed to be “good” and watch as you sail through to the inbox. 

Once there, hackers have an advantage. Using legitimate sites will appear as a legitimate email. End-users are used to getting emails from Facebook. It’s not out of the ordinary. If they use Facebook Ads Manager, even better.

That’s why there doesn’t seem to be a shortage of these types of emails. Whether they piggyback off of PayPal, AWS, QuickBooks or others, there is an abundance of legitimate sites to choose from. That creates endless opportunities for hackers to exploit. 

Avanan notified Facebook of these findings and will update this blog with any additional information. 

Best Practices: Guidance and Recommendations

To guard against these attacks, security professionals can do the following:

  • Always check reply-to addresses to make sure they match
  • Be sure to pay attention to grammar, spelling and factual inconsistencies within an email
  • If ever unsure about an email, ask the original sender