
Phishing Campaign Exploits Meta Business Suite to Target SMBs

Hackers are exploiting Meta Business Suite to launch global phishing attacks.

Written by Ken Underhill, eSecurity Planet
Nov 12, 2025

With billions of users worldwide, Facebook remains a dominant social networking platform and a crucial marketing tool for small and medium-sized businesses (SMBs). 

However, its global reach and reputation also make it an ideal vector for cybercriminals. 

According to Check Point researchers, a large-scale phishing campaign is abusing Facebook’s Business Suite and facebookmail[.]com infrastructure to distribute highly convincing fraudulent notifications.

Fake Meta Pages Used to Send Authentic-Looking Phishing Invites

The researchers found that attackers created fake Facebook Business pages designed to look nearly identical to legitimate Meta properties. 

Once set up, they used Facebook’s Business Invitation feature to send phishing emails that appeared authentic because they originated from the legitimate facebookmail[.]com domain. 

Because the messages genuinely originate from Meta's own mail infrastructure, the trusted sender address lets them pass the reputation and authentication checks that traditional filters rely on, and deceive even vigilant users.

The emails mimic real Facebook notifications with urgent subject lines such as “Account Verification Required” or “Meta Agency Partner Invitation.” 

Each message contains a malicious link disguised as an official Meta redirect. When clicked, victims are sent to phishing pages hosted on vercel[.]app domains, where attackers steal Facebook Business credentials and other sensitive information.

To validate this tactic, Check Point researchers conducted a controlled test. They created a fake Facebook Business page, added Meta-style branding, and used the platform’s built-in invitation function to send test notifications. 

The result confirmed that Facebook’s infrastructure could indeed be exploited to deliver phishing content that appeared completely legitimate.

Over 40,000 Phishing Emails Target SMBs Using Meta Tools

According to Check Point’s telemetry, more than 40,000 phishing emails were distributed to over 5,000 organizations across North America, Europe, and the Asia-Pacific region. 

While most businesses received fewer than 300 emails, one organization alone was hit with more than 4,200 messages.

The campaign primarily targeted small and mid-sized businesses in industries such as automotive, real estate, hospitality, education, and finance, where teams depend heavily on Meta tools for advertising and customer engagement. 

Because employees in these sectors are accustomed to receiving legitimate “Meta Business” notifications, the fraudulent messages easily blend in, increasing the likelihood of compromise.

The attack design reflects a template-based, mass phishing campaign, prioritizing broad distribution over precision targeting. 

Still, the use of Facebook’s legitimate domain made these emails significantly more dangerous than typical spam.

When Trusted Domains Become Attack Vectors

This campaign illustrates how attackers are shifting tactics from creating spoofed domains to abusing legitimate services. 

By sending phishing messages from within Meta’s verified systems, threat actors gain credibility by default — essentially weaponizing the trust users already have in major platforms.

The approach exposes a major blind spot in many corporate defenses. Traditional email filters often rely on domain reputation and authentication checks such as SPF, DKIM, and DMARC. 

Those checks are designed to catch spoofed senders. Because these messages really were sent by Meta's infrastructure from a facebookmail[.]com address, they pass every check, and the safeguards offer no protection.

The findings also raise broader questions about platform accountability. 

If threat actors can manipulate legitimate tools like Meta Business Suite to distribute phishing emails, it highlights the need for major tech providers to strengthen internal safeguards and abuse-prevention mechanisms.

Building Stronger Defenses Against Phishing Attacks

To defend against phishing campaigns that exploit trusted platforms, organizations must adopt a proactive, layered approach to security.

  • Educate users through regular training and phishing simulations to help them recognize deceptive messages, even those that genuinely come from trusted domains.
  • Implement email security and detection tools that inspect link destinations and abnormal message patterns, rather than relying on sender reputation alone.
  • Enable multi-factor authentication (MFA) and enforce least privilege and conditional access policies to limit the damage from a compromised account.
  • Verify URLs, sender details, and embedded links before taking action, and reach Meta Business accounts by typing the official address or using a bookmark rather than following an emailed link.
  • Strengthen email and domain security by enforcing DMARC, DKIM, and SPF policies to stop your own domain from being spoofed, while recognizing that they will not flag mail that authentically comes from a trusted sender, and flag external messages to improve user awareness.
  • Establish clear reporting and incident response (IR) procedures, monitor for unusual login activity, and maintain backups and recovery plans for compromised accounts.
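The following is an added example, not code from the article or from Check Point's research. It illustrates both the blind spot described under "When Trusted Domains Become Attack Vectors" and the "verify URLs and embedded links" recommendation above: a small triage rule that accepts the SPF/DKIM/DMARC result as proof that facebookmail.com really sent the message, and then judges the message by where its links actually land. The two sample messages, the recipient domain example-smb.com and the hostname meta-verify-center.vercel.app are constructed for this demonstration; only facebookmail.com and vercel.app come from the article. The set of "brand" link domains and the unwrapping of Facebook's l.php link shim are assumptions of this example.

```python
"""
Added example, not code from the article or from Check Point: a triage rule
for the blind spot the article describes. SPF/DKIM/DMARC only tell you that
facebookmail.com really sent the message; this rule accepts that result and
then asks where the links actually lead. Sample messages, example-smb.com and
the vercel.app hostname are constructed for this demonstration.
"""
import email
import email.utils
import re
from email import policy
from urllib.parse import parse_qs, urlparse

# Assumption for this example: legitimate Meta notifications link only here.
BRAND_LINK_DOMAINS = {"facebook.com", "meta.com", "fb.com"}
SENDER_DOMAINS = {"facebookmail.com"}

# Subject lines quoted in the article, used as a low-weight signal only.
URGENCY = re.compile(r"verification required|agency partner invitation", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def in_domain(host, domains):
    h = host.lower()
    return any(h == d or h.endswith("." + d) for d in domains)


def effective_host(url):
    """Host a click would land on. Facebook's link shim
    (l.facebook.com/l.php?u=<target>) is unwrapped, so an off-brand target
    hidden behind a facebook.com URL is not mistaken for a brand link."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if in_domain(host, BRAND_LINK_DOMAINS) and p.path == "/l.php":
        target = parse_qs(p.query).get("u", [""])[0]
        if target:
            return effective_host(target)
    return host


def auth_passed(msg):
    """True when the receiving MTA recorded spf, dkim and dmarc as pass."""
    ar = " ".join(msg.get_all("Authentication-Results", []))
    return all(re.search(rf"\b{m}=pass\b", ar, re.I) for m in ("spf", "dkim", "dmarc"))


def link_hosts(msg):
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    return [effective_host(u) for u in URL_RE.findall(text)]


def triage(raw):
    """Return (verdict, reasons) for one RFC 5322 message given as text."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = email.utils.parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    strong, weak = [], []
    if in_domain(sender, SENDER_DOMAINS):
        if not auth_passed(msg):
            # The classic spoof: DMARC enforcement already handles this case.
            strong.append("claims facebookmail.com but authentication failed")
        else:
            # Authentic Meta mail. The only thing left to judge is the destination.
            off = sorted({h for h in link_hosts(msg) if not in_domain(h, BRAND_LINK_DOMAINS)})
            if off:
                strong.append("authenticated Meta mail links off-brand: " + ", ".join(off))
    if URGENCY.search(str(msg.get("Subject", ""))):
        weak.append("urgency lure in subject")
    return ("suspicious" if strong else "ok"), strong + weak


AUTH_OK = ("Authentication-Results: mx.example-smb.com; spf=pass smtp.mailfrom=facebookmail.com;"
           " dkim=pass header.d=facebookmail.com; dmarc=pass header.from=facebookmail.com")

# Constructed: a benign Ads Manager notification.
LEGIT = f"""\
From: Meta for Business <notification@facebookmail.com>
To: owner@example-smb.com
Subject: Your ad set finished review
{AUTH_OK}
Content-Type: text/html; charset=utf-8

<p>See results in <a href="https://business.facebook.com/adsmanager/">Ads Manager</a>.</p>
"""

# Constructed: the campaign shape, authentic Meta mail whose link lands on vercel.app.
PHISH = f"""\
From: Meta Business Suite <notification@facebookmail.com>
To: owner@example-smb.com
Subject: Account Verification Required
{AUTH_OK}
Content-Type: text/html; charset=utf-8

<p>You have been invited. <a href="https://l.facebook.com/l.php?u=https%3A%2F%2Fmeta-verify-center.vercel.app%2Flogin">Review invitation</a></p>
"""

if __name__ == "__main__":
    for name, raw in (("LEGIT", LEGIT), ("PHISH", PHISH)):
        print(name, *triage(raw))
```

The design point is that the authentication result is treated as a fact about the sender, not as a verdict about the message: a pass only narrows the question to "does authentic Meta mail normally link here?" A rule like this belongs in the mail gateway's content-inspection stage, after SPF/DKIM/DMARC have run, and the brand domain list should be kept short and reviewed, since every host added to it is a host the rule will never question.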

These measures build the foundation for long-term cyber resilience.

This campaign represents more than another wave of phishing — it signals a growing trend of attackers exploiting trusted platforms to evade detection. 

This shift underscores the need for zero-trust tools that help verify every user, device, and connection — regardless of how legitimate they might appear.
