How the campaign bypassed inbox security filters
Huntress reported that cybercriminals used Facebook Messenger chatbots and email lures to deliver a phishing campaign that targeted Meta For Business users. The messages succeeded in passing security validation checks in many inboxes because they appeared to come from a legitimate Facebook Business email account, allowing them to reach recipients who would otherwise ignore unfamiliar senders.
The phishing email promised account verification — a verified badge offered to “protect” a brand — but the lure was false. Huntress noted the scam asked recipients to log in on a phishing page and to enter multi-factor authentication (MFA) tokens, a step that handed attackers both primary credentials and the MFA codes intended to protect them.
The hijacked chatbot labeled “AI Strategic Partner”
Further malicious activity used a Messenger chatbot run through a fraudulent account named AI Strategic Partner. Interaction with that chatbot directed users to a phishing page under attacker control. On that page, victims were prompted to submit a username and password, undergo a second phony MFA check, and then to upload an image of a passport, driver’s license, or national ID card to “verify” their identity.
Huntress described the chatbot as an integrated element of the scam, turning the conversational medium of Messenger into a routing mechanism to a credential-harvesting web form.
Data sought and the intended abuses
The attackers’ objective went well beyond a single login. Huntress reported the campaign aimed to steal passwords, MFA codes, business and personal phone numbers, email addresses, and government ID images. Uploading a photo of an ID or passport would provide attackers with detailed personal information suitable for fraud and further social-engineering attacks.
Huntress summarized the potential commercial harms. “Threat actors can leverage Meta business accounts to spend the victim's money on malicious or scam advertising, or they can take over the account entirely, changing the recovery methods and password, and leverage the account to transmit more targeted attacks at the business' customers or social media followers,” Andrew Brandt said.
Timeline: November 2025 to June 2026 and Meta’s intervention
According to Huntress, the illicit campaign began in or around November 2025 and continued through June 2026. In June, Meta took action to prevent the attackers from exploiting the infrastructure the campaign relied upon. Huntress published details of the operation in a blog post on July 7.
Even after disruption, Huntress stressed that the nature of Facebook accounts — particularly business accounts used for advertising and customer engagement — makes them ongoing targets for phishing and account-takeover efforts.
What this means for affected enterprises, technologists, and end users
- Affected enterprises and procurement leaders: Business pages and advertising accounts are attractive targets because attackers can monetize access directly by running fraudulent ads or indirectly by abusing customer relationships. Organizations should assume a takeover can result in both direct financial loss and reputational or customer-impacting activity.
- Technologists and security teams: The campaign illustrates that email source appearance and inbox validation are not foolproof; malicious actors can craft messages that resemble legitimate Facebook Business emails and route victims via chatbots to phishing pages. Teams should examine how chat channels integrate with external links and prioritize detection where authentication appears intact but message content contains subtle errors.
- End users and business account managers: Huntress highlighted practical indicators of fraud: spelling and grammatical errors, broken graphics, unfamiliar links, and offers that deviate from known procedures — for example, a free verification offer when the real verification process is a paid subscription begun inside the Facebook ecosystem, not via email. Brandt’s advice in the Huntress post was blunt: if a message seems “not-quite-right, or unexpected, just trash that message.”
Meta’s intervention interrupted this campaign, but the episode underscores a persistent problem: social platforms and associated business services are high-value targets for phishing that combines email, chatbots, and credential-harvesting pages. Huntress’s findings show attackers exploiting both technical gaps and human trust — posing as routine service providers and asking for exactly the pieces of information that enable account takeover and fraud.
Read the original Huntress account at Infosecurity Magazine: https://www.infosecurity-magazine.com/news/phishing-facebook-fake-verification/




