Phishers Abuse Business Account Manager Service
Between November 2025 and June 2026, an unknown threat actor exploited Meta's Business Account Manager service to send phishing emails appearing to come from legitimate Meta addresses. The attackers abused the business partner mechanism by embedding URLs in the business name field, making phishing emails look authentic. The campaign advanced to use Facebook Messenger chatbots and exfiltrated stolen credentials, MFA codes, phone numbers, and identity documents to a private Telegram channel. The phishing pages impersonated Meta's Agency Partner Program and Verified badge services, targeting businesses to steal account credentials. Meta responded by implementing detection measures and blocking accounts attempting to use URLs in business names. Vietnamese language elements in the exfiltration process suggest a possible origin of the attackers. No affected software versions or CVEs are identified.
AI Analysis
Technical Summary
This campaign involved abuse of Meta's Business Account Manager service to send phishing emails from legitimate Meta addresses by manipulating the business partner mechanism, specifically embedding URLs in the business name field. This manipulation caused phishing emails to appear as authentic Meta communications. The threat actor evolved the campaign to include Facebook Messenger chatbots for interaction and exfiltrated sensitive data such as credentials, MFA codes, phone numbers, and identity documents to a private Telegram channel. The phishing pages impersonated official Meta services targeting businesses to capture account credentials. Meta mitigated the threat by detecting and blocking accounts that attempted to use URLs in business names. The presence of Vietnamese language elements in the exfiltration process suggests the attackers may be Vietnamese. There is no indication of a software vulnerability or patch; this is an abuse of legitimate service features.
Potential Impact
The campaign resulted in credential theft, including multi-factor authentication codes, phone numbers, and identity documents, potentially enabling account takeover and identity fraud. The phishing emails originated from legitimate Meta addresses, increasing their credibility and likelihood of success. The use of Facebook Messenger chatbots and Telegram channels for exfiltration indicates a sophisticated and multi-channel attack. The impact is primarily on businesses targeted for credential compromise and identity theft. No direct software or service vulnerability exploitation is reported.
Mitigation Recommendations
Meta has implemented detection mechanisms and blocked accounts attempting to use URLs in business names to prevent this abuse. Organizations should be aware of phishing attempts that appear to come from legitimate Meta addresses and verify communications independently. Since this is an abuse of service features rather than a software vulnerability, no patch is applicable. Users should remain vigilant against phishing and report suspicious Meta communications. Follow Meta's official guidance and updates for any further mitigation steps.
Indicators of Compromise
- url: https://sw.run/Verification
- domain: aussiecleaningservices.com
- domain: api.goautolink.com
Phishers Abuse Business Account Manager Service
Description
Between November 2025 and June 2026, an unknown threat actor exploited Meta's Business Account Manager service to send phishing emails appearing to come from legitimate Meta addresses. The attackers abused the business partner mechanism by embedding URLs in the business name field, making phishing emails look authentic. The campaign advanced to use Facebook Messenger chatbots and exfiltrated stolen credentials, MFA codes, phone numbers, and identity documents to a private Telegram channel. The phishing pages impersonated Meta's Agency Partner Program and Verified badge services, targeting businesses to steal account credentials. Meta responded by implementing detection measures and blocking accounts attempting to use URLs in business names. Vietnamese language elements in the exfiltration process suggest a possible origin of the attackers. No affected software versions or CVEs are identified.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This campaign involved abuse of Meta's Business Account Manager service to send phishing emails from legitimate Meta addresses by manipulating the business partner mechanism, specifically embedding URLs in the business name field. This manipulation caused phishing emails to appear as authentic Meta communications. The threat actor evolved the campaign to include Facebook Messenger chatbots for interaction and exfiltrated sensitive data such as credentials, MFA codes, phone numbers, and identity documents to a private Telegram channel. The phishing pages impersonated official Meta services targeting businesses to capture account credentials. Meta mitigated the threat by detecting and blocking accounts that attempted to use URLs in business names. The presence of Vietnamese language elements in the exfiltration process suggests the attackers may be Vietnamese. There is no indication of a software vulnerability or patch; this is an abuse of legitimate service features.
Potential Impact
The campaign resulted in credential theft, including multi-factor authentication codes, phone numbers, and identity documents, potentially enabling account takeover and identity fraud. The phishing emails originated from legitimate Meta addresses, increasing their credibility and likelihood of success. The use of Facebook Messenger chatbots and Telegram channels for exfiltration indicates a sophisticated and multi-channel attack. The impact is primarily on businesses targeted for credential compromise and identity theft. No direct software or service vulnerability exploitation is reported.
Mitigation Recommendations
Meta has implemented detection mechanisms and blocked accounts attempting to use URLs in business names to prevent this abuse. Organizations should be aware of phishing attempts that appear to come from legitimate Meta addresses and verify communications independently. Since this is an abuse of service features rather than a software vulnerability, no patch is applicable. Users should remain vigilant against phishing and report suspicious Meta communications. Follow Meta's official guidance and updates for any further mitigation steps.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.huntress.com/blog/meta-business-manager-phishing"]
- Adversary
- null
- Pulse Id
- 6a4d09f2b48d42a59af0ffa3
- Threat Score
- null
Indicators of Compromise
Url
| Value | Description | Copy |
|---|---|---|
urlhttps://sw.run/Verification | — |
Domain
| Value | Description | Copy |
|---|---|---|
domainaussiecleaningservices.com | — | |
domainapi.goautolink.com | — |
Threat ID: 6a4f86cf68715ace433d7166
Added to database: 07/09/2026, 11:32:31 UTC
Last enriched: 07/09/2026, 11:47:40 UTC
Last updated: 07/10/2026, 01:44:02 UTC
Views: 11
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.