[r1ch]

Meta had(has?) a similar bug with one of their business manager features, the attacker has complete control of the initial body text which makes it highly convincing.

Trying to report this was an exercise in futility, I guess they get so much beg bounty spam that their security submission process filters out the occasional legitimate issue.

[enkrs]

I've been receiving these for so long I started thinking it must be just me being targeted and not widespread, as Meta seems to not do anything about it.

Emails comming legitimeley from noreply@business.facebook.com with the text below. Go and decypher which part is Meta template and which is creative use of user supplied text...

  Your Meta's Page may be at risk due to unusual
  activity is not part of or affiliated with
  Meta. Only approve requests and invitations from
  people and businesses that you know and trust.
  Meta will never ask for passwords, payment
  information or personal details in an email. You've
  received a partner request. Partners are other
  businesses that you work with on Facebook. Partner
  sharing lets you give access to your business assets,
  but not to your business portfolio. This request is
  from:

  Your Page is under restriction review Contact Meta
  Support: metafanpageviolate@gmail.com Protect yourself
  from fraud: Verify the identity of the requester by
  contacting the business using official contact information.