Meta Business Manager phishing emails now come from Meta’s real mail domain
A new phishing campaign is abusing Meta’s own Business Manager partner-request system to send convincing emails from facebookmail.com, a legitimate Meta-owned domain. That makes the messages far harder to block with normal email authentication checks because the delivery path itself is real, not spoofed.
The attack targets businesses that use Meta’s ad and page-management tools, especially companies that already expect account invites, access requests, and partner notifications. The sample you shared captures the core mechanic correctly: attackers create fake business identities, then use Meta’s legitimate partner workflow to generate trusted-looking emails.
This matters because the phishing email can look authentic at first glance. It arrives through a real Meta communication channel, which lowers suspicion and increases the odds that a target will click through and enter account credentials or approve unwanted access.
How the Meta phishing trick works
Attackers first create fraudulent business pages or fake partner identities that resemble real brands, agencies, or Meta-related entities. They then use Meta Business Manager’s legitimate partner-request feature to send invitations to victims, which causes Meta’s systems to generate the email notification.
Because the email originates from facebookmail.com, many users assume it is safe. That trust creates the opening. Reports on similar campaigns show victims often get pushed toward counterfeit login pages hosted on third-party services rather than on Meta-owned domains.
Meta’s own help pages confirm that partner access and page-approval workflows are real platform features. That is what makes this technique effective. Attackers do not need to fake the initial email system when they can abuse a genuine workflow that businesses already use.
Why standard defenses may miss it
Traditional anti-phishing controls often focus on spoofed domains, failed SPF checks, or suspicious sender infrastructure. In this case, the email may pass those checks because the sender domain and delivery path belong to Meta.
That does not mean the attack is undetectable. It means defenders need to look beyond the sender address and inspect the context, the requested action, the landing page, and whether the business relationship actually exists. Meta itself warns users to avoid suspicious messages and phishing attempts even when a message appears to come from a familiar service.
The bigger risk sits after the click. If an employee enters credentials on a fake Meta login page, attackers may gain access to business assets, ad accounts, page permissions, and sensitive campaign controls. That can lead to ad fraud, account takeover, or abuse of trusted brand pages.
What attackers want after compromise
Once inside a Meta Business Manager account, attackers can change access permissions, add new partners, tamper with pages, and abuse advertising spend. Businesses that rely heavily on Meta ads face a higher operational risk because attackers can weaponize those accounts quickly.
This threat hits small and mid-sized businesses especially hard because they often receive genuine Meta access notifications as part of daily work. That makes fake requests easier to blend into normal activity. Similar Meta Business phishing campaigns documented in late 2025 used the same trust-based approach to target thousands of organizations.
The phishing pages themselves often sit on legitimate cloud-hosted infrastructure, which can delay detection and takedown. Public reporting on these campaigns specifically mentions vercel.app in some cases, which shows how attackers mix trusted email delivery with reputable hosting to improve their success rate.
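The detection point made above, that sender authentication passes so the useful signal is what the message links to, can be turned into a gateway triage rule. The following is an added example, not code from the article or from Meta: it assumes the mail gateway hands over the raw message text and the SPF result it already computed, and the allowlist of Meta hostnames is an assumption for the example that would have to be maintained from Meta's published domain list. The sample messages and the hosting hostname in them are constructed placeholders.

```python
"""Triage helper for partner-request notifications that arrive from a
legitimate Meta domain.

Added example, not code from the article or from Meta. It assumes the
mail gateway supplies the raw message and the SPF result it computed;
META_HOSTS is an assumed allowlist, not an authoritative inventory.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Iterable
from urllib.parse import urlparse

# Hosts that a genuine Meta notification may legitimately link to
# (assumed list for this example).
META_HOSTS = ("facebook.com", "fb.com", "meta.com", "facebookmail.com")

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def host_allowed(host: str, allowed: Iterable[str] = META_HOSTS) -> bool:
    """True when host is one of the allowed domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)


def extract_urls(msg: Message) -> list[str]:
    """Collect every http(s) URL from the text and HTML parts of a message."""
    urls: list[str] = []
    for part in msg.walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        text = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        # Drop trailing punctuation that the regex picks up from prose.
        urls.extend(u.rstrip(".,;)") for u in URL_RE.findall(text))
    return urls


def triage(raw_email: str, spf_result: str = "pass") -> dict:
    """Classify a message by what it links to, not only by who sent it.

    A message from facebookmail.com with a passing SPF result is still
    flagged for review the moment it links to a login or review page
    outside Meta's domains, which is the case sender checks alone miss.
    """
    msg = message_from_string(raw_email)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    urls = extract_urls(msg)
    offsite = [u for u in urls if not host_allowed(urlparse(u).hostname or "")]
    reasons = []
    if spf_result.lower() != "pass":
        reasons.append("sender authentication failed")
    if offsite:
        reasons.append("links to non-Meta hosts")
    return {
        "sender_domain": sender_domain,
        "sender_is_meta": host_allowed(sender_domain),
        "offsite_links": offsite,
        "verdict": "review" if reasons else "ok",
        "reasons": reasons,
    }


# Constructed sample messages; the hostnames are placeholders, not real IoCs.
SUSPICIOUS_EMAIL = """\
From: Meta for Business <notification@facebookmail.com>
To: ads@example.com
Subject: Example Agency has requested access to your Page
Content-Type: text/plain; charset=utf-8

Example Agency wants to become a partner on your business assets.
Review the request: https://partner-review-placeholder.vercel.app/login
Manage partners: https://business.facebook.com/settings/partners
"""

GENUINE_EMAIL = """\
From: Meta for Business <notification@facebookmail.com>
To: ads@example.com
Subject: Example Agency has requested access to your Page
Content-Type: text/plain; charset=utf-8

Review this request in Business settings:
https://business.facebook.com/settings/partners.
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_EMAIL), ("genuine", GENUINE_EMAIL)):
        print(name, triage(raw))
```

The rule deliberately keeps the sender check as one signal among several: both sample messages come from the same real domain and would pass SPF, and only the link inventory separates them. A "review" verdict is a prompt to verify the request inside Meta Business Suite, as the article advises, not an automatic block.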
Campaign snapshot
| Element | What is happening |
|---|---|
| Delivery | Real Meta-generated notification emails |
| Sender domain | facebookmail.com |
| Initial lure | Partner request or business access invite |
| Social engineering angle | Fake Meta partner, brand, or agency identity |
| Goal | Credential theft or unauthorized business access |
| Common landing pages | Fake Meta logins on third-party hosting |
The table reflects the technique described in the report you shared and in public reporting on the same tactic.
What businesses should do now
- Do not trust a Meta-related email just because it came from facebookmail.com. Verify the request inside Meta Business Suite directly.
- Check whether the sender, partner, or business relationship is real before clicking anything. Use the Partners and access sections in Meta Business settings instead of email links.
- Train staff to inspect the destination page, not just the email. A legitimate email can still lead to a fake login page.
- Review existing partner access and remove unknown agencies, users, or pages immediately.
- Require MFA, but remind employees never to enter MFA codes on pages reached through unexpected email prompts.
FAQ
The notification emails appear to be generated through a real Meta Business Manager workflow, which is why they can come from facebookmail.com. The phishing part happens when the request itself is malicious or when the user gets pushed to a fake login page.
They may pass because the messages originate from legitimate Meta infrastructure rather than from a spoofed domain. That weakens defenses that rely mainly on sender authentication.
Open Meta Business Suite directly in your browser, then check pending requests there. Do not click the email link first. Meta’s help resources show that partner requests and approvals can be reviewed inside the platform.
Reset the password, revoke suspicious partner access, review page and ad-account permissions, check billing activity, and rotate credentials for any connected business users. Also review security alerts inside Meta and your email account. This is an inference from Meta’s access model and standard account-recovery practice.