
Potential new technique - SaaS Email Infrastructure Hijacking #98

@Techbrunch

Description

This issue proposes adding a new SaaS attack technique that exploits common email functionality in SaaS applications to conduct social engineering attacks. The technique leverages legitimate email features, particularly customizable email templates, to send convincing phishing emails or fraudulent communications that appear to originate from trusted SaaS platforms.

Technique Name

SaaS Email Infrastructure Hijacking

Description

Many SaaS applications include features that allow users to trigger email notifications to internal or external recipients. These features often include:

  • Email notifications for sharing documents, invitations, or updates
  • Customizable email templates with user-controlled content
  • Automated email workflows and triggers
  • Contact forms or messaging systems that generate emails

Attackers can abuse these legitimate features to conduct social engineering attacks by:

  1. Crafting malicious content within email templates or message fields
  2. Leveraging the SaaS platform's reputation and domain authority
  3. Bypassing traditional email security controls that trust communications from legitimate SaaS providers
  4. Creating convincing phishing campaigns that appear to originate from trusted business applications

Technical Details

Prerequisites

  • Valid account on target SaaS platform
  • Access to email functionality within the application
  • Ability to customize email content (templates, messages, or subject lines)

Attack Vectors

  1. Template Customization: Modifying email templates to include malicious links, credential harvesting forms, or social engineering content
  2. Recipient Manipulation: Using legitimate email features to send to external recipients while controlling the message content
  3. Domain Spoofing: Leveraging the SaaS platform's legitimate domain and infrastructure to bypass email security
  4. Brand Impersonation: Crafting messages that appear to be official communications from the SaaS provider or organization

Example Attack Flow

  1. Attacker gains access to SaaS application (through compromised credentials, social engineering, etc.)
  2. Identifies email functionality that allows custom content
  3. Crafts malicious email template or message content
  4. Triggers email delivery to target recipients
  5. Recipients receive emails from legitimate SaaS domain with malicious content
  6. Victims are more likely to trust and interact with the content due to the legitimate sender

Real-World Example

The technique has been demonstrated in practice with Zendesk infrastructure being abused for phishing and pig butchering activities, as documented in this CloudSEK research. Attackers used Zendesk's email functionality to send convincing phishing emails that bypassed traditional email security measures.

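A triage example for the detection side of the technique described in this issue. This is an added example, not code from the issue author or from this project. It assumes a hypothetical allowlist (`TRUSTED_SAAS_SENDERS`) mapping a SaaS platform's DKIM signing domain to the hosts its genuine notifications link to; the domain names, header values and sample messages are all constructed for the example. The point it demonstrates is the one the issue makes: a notification sent through the platform's own infrastructure passes SPF/DKIM, so a filter that trusts the authenticated sender never reaches the account-holder-controlled content. The triage below treats a passing DKIM signature from a known SaaS sender as the trigger to inspect exactly that content (body links and Reply-To), rather than as a reason to trust the message.

```python
"""Triage SaaS notification mail whose authentication passes but whose
account-controlled content points elsewhere.

Added example (not from the issue or the project). Domains, allowlist and
sample messages are constructed placeholders.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from typing import Optional
from urllib.parse import urlparse

# Hypothetical allowlist: DKIM signing domain of a SaaS platform we use ->
# hosts its legitimate notifications link to (the platform itself and our own
# tenant subdomain). Placeholder domains constructed for this example.
TRUSTED_SAAS_SENDERS = {
    "saas-notify.example": {"saas-notify.example", "acme.saas-notify.example"},
}

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)
# Matches e.g. "dkim=pass header.d=saas-notify.example" in Authentication-Results.
DKIM_PASS_RE = re.compile(r"dkim=pass[^;]*?header\.d=([\w.-]+)", re.IGNORECASE)


def _host_allowed(host: str, allowed: set) -> bool:
    """True if host is one of the allowed hosts or a subdomain of one."""
    host = host.lower()
    return any(host == a or host.endswith("." + a) for a in allowed)


def _dkim_domain(msg) -> Optional[str]:
    """Return the d= domain of a passing DKIM result, or None if none passed."""
    for hdr in msg.get_all("Authentication-Results", []):
        m = DKIM_PASS_RE.search(str(hdr))
        if m:
            return m.group(1).lower().rstrip(".")
    return None


def _body_text(msg) -> str:
    part = msg.get_body(preferencelist=("html", "plain"))
    return part.get_content() if part is not None else ""


def assess_saas_notification(raw: str) -> dict:
    """Classify one raw RFC 5322 message.

    verdict is one of:
      unverified - no passing DKIM from a trusted SaaS sender; out of scope here
      expected   - trusted sender and all links / Reply-To stay on allowed hosts
      suspicious - trusted sender, but account-controlled content points elsewhere
    """
    msg = email.message_from_string(raw, policy=policy.default)
    signer = _dkim_domain(msg)
    if signer is None or signer not in TRUSTED_SAAS_SENDERS:
        return {"verdict": "unverified", "dkim_domain": signer,
                "external_link_hosts": [], "reply_to_domain": None}

    allowed = TRUSTED_SAAS_SENDERS[signer]
    # Links in the body are the part a tenant user controls via templates,
    # ticket comments or invitation messages.
    link_hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(_body_text(msg))}
    external = sorted(h for h in link_hosts if h and not _host_allowed(h, allowed))

    # Reply-To is commonly configurable per tenant; an off-platform reply
    # address on a platform-signed mail is worth a second look.
    reply_to_domain = None
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if "@" in reply_to:
        reply_to_domain = reply_to.rsplit("@", 1)[1].lower()
    reply_to_offsite = bool(reply_to_domain) and not _host_allowed(
        reply_to_domain, allowed | {signer})

    verdict = "suspicious" if (external or reply_to_offsite) else "expected"
    return {"verdict": verdict, "dkim_domain": signer,
            "external_link_hosts": external, "reply_to_domain": reply_to_domain}


# Constructed sample messages (not real traffic).
BENIGN = """\
Authentication-Results: mx.corp.example; dkim=pass header.d=saas-notify.example; spf=pass smtp.mailfrom=saas-notify.example
From: Acme Helpdesk <notifications@saas-notify.example>
To: alice@corp.example
Subject: [Ticket #4711] Your request was updated
Content-Type: text/plain; charset=utf-8

A reply was added to your ticket. View it here:
https://acme.saas-notify.example/tickets/4711
"""

ABUSED = """\
Authentication-Results: mx.corp.example; dkim=pass header.d=saas-notify.example; spf=pass smtp.mailfrom=saas-notify.example
From: Acme Helpdesk <notifications@saas-notify.example>
Reply-To: billing@invoice-portal.test
To: alice@corp.example
Subject: [Ticket #4712] Action required: unpaid invoice
Content-Type: text/plain; charset=utf-8

Your account will be suspended. Verify your payment details within 24 hours:
https://acme-login.invoice-portal.test/verify?u=alice
"""

FORGED = """\
Authentication-Results: mx.corp.example; dkim=fail header.d=saas-notify.example; spf=fail
From: Acme Helpdesk <notifications@saas-notify.example>
To: alice@corp.example
Subject: [Ticket #4713] Password reset
Content-Type: text/plain; charset=utf-8

https://acme-login.invoice-portal.test/reset
"""

if __name__ == "__main__":
    for name, raw in (("benign", BENIGN), ("abused", ABUSED), ("forged", FORGED)):
        print(name, assess_saas_notification(raw))
```

The `FORGED` case is deliberately classified as `unverified` rather than `suspicious`: a plain spoof of the SaaS domain is what SPF/DKIM/DMARC already catch, and conflating it with the platform-abuse case would hide the thing this issue is about, namely mail that is cryptographically genuine and still malicious. In practice the allowlist of link hosts needs per-tenant tuning (custom help-center domains, CDN hosts for attachments), and the `suspicious` verdict is a triage signal for a reviewer or a sandbox, not a hard block.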