Salesloft Drift Compromise Leads to Unauthorized Access and Data Exfiltration from Salesforce Instances

In a recent and sophisticated cyberattack, a threat actor identified as UNC6395 exploited vulnerabilities in the Salesloft Drift application to gain unauthorized access to corporate Salesforce instances. This breach, occurring between August 8 and August 18, 2025, resulted in the exfiltration of sensitive data from multiple organizations.

Key Points:

1. Unauthorized Access via Compromised OAuth Tokens: UNC6395 utilized compromised OAuth tokens associated with the Salesloft Drift application to infiltrate Salesforce instances.

2. Targeted Extraction of Sensitive Credentials: The attacker harvested AWS access keys, Snowflake tokens, and passwords stored within Salesforce data.

3. Revocation of Drift Tokens and Credential Rotation: In response, all Drift tokens were revoked, and organizations are advised to rotate their credentials promptly.

Detailed Analysis:

This incident underscores the risks inherent in supply chain attacks, particularly those exploiting trusted relationships between primary platforms and third-party applications. By leveraging legitimate OAuth authentication mechanisms, UNC6395 was able to bypass conventional security controls, making detection and mitigation more challenging for the affected organizations.

Exploitation of OAuth Tokens:

The Google Threat Intelligence Group reported that UNC6395 employed compromised OAuth access and refresh tokens from the Salesloft Drift application to authenticate against targeted Salesforce instances. This method exploited the OAuth 2.0 authorization framework, which permits third-party applications to access Salesforce data without directly exposing user credentials.

Once access was secured, UNC6395 executed systematic SOQL (Salesforce Object Query Language) queries to enumerate and extract data from critical Salesforce objects, including Cases, Accounts, Users, and Opportunities. The actor demonstrated technical sophistication by running COUNT queries to assess data volumes before proceeding with data exfiltration.

Targeted Data and Credential Harvesting:

Salesloft indicated that the attacker specifically sought AWS access keys (identified by the prefix AKIA), passwords, Snowflake credentials, and other sensitive authentication materials stored within Salesforce custom fields and standard objects. Post-exfiltration analysis revealed that the actor searched the extracted data for patterns matching credential formats, suggesting a primary objective of credential harvesting rather than traditional data theft.

Mitigation Measures:

In response to the breach, Salesforce and Salesloft revoked all active OAuth tokens associated with the Drift application on August 20, 2025, effectively terminating the attack vector. The Drift application was subsequently removed from the Salesforce AppExchange pending a comprehensive security review.

Organizations utilizing the Salesloft Drift integration are urged to implement the following remediation measures:

– Review Event Monitoring Logs: Examine logs for suspicious UniqueQuery events and authentication anomalies associated with the Drift connected app.

– Scan for Exposed Secrets: Utilize tools like TruffleHog to scan Salesforce objects for exposed secrets, searching for patterns such as AKIA, snowflakecomputing[.]com, and generic credential references.

– Harden Connected App Permissions: Implement scope restrictions, IP address restrictions, and adhere to the principle of least privilege to limit access.

– Restrict API Permissions: Remove the API Enabled permission from user profiles and grant it selectively through Permission Sets to authorized personnel only.

– Optimize Session Timeout Configurations: Adjust session timeout settings to limit exposure windows for compromised credentials.
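To make the log review concrete, here is an added example (not code from the article, Salesforce or Salesloft) that applies the COUNT-then-bulk-SELECT pattern described above to a constructed set of query records: a COUNT() on Case, Account, User or Opportunity issued through the Drift connected app, followed shortly by a full SELECT on the same object. The pipe-delimited layout, the app label "Salesloft Drift" and the user ids are assumptions; real Event Monitoring exports have their own column names.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log, pipe-delimited: timestamp|connected app|user|SOQL.
# Field layout and the app label are assumptions, not real EventLogFile columns.
SAMPLE_LOG = """\
2025-08-12T03:14:05Z|Salesloft Drift|005_drift_integration|SELECT COUNT() FROM Case
2025-08-12T03:14:09Z|Salesloft Drift|005_drift_integration|SELECT Id, Subject, Description FROM Case
2025-08-12T03:15:30Z|Salesloft Drift|005_drift_integration|SELECT COUNT() FROM User
2025-08-12T03:15:41Z|Salesloft Drift|005_drift_integration|SELECT Id, Username, Email FROM User
2025-08-12T09:00:00Z|Salesloft Drift|005_drift_integration|SELECT Id, Name FROM Lead WHERE Email = 'a@example.com'
2025-08-12T10:00:00Z|Internal Reporting|005_analyst|SELECT COUNT() FROM Opportunity
"""

SENSITIVE_OBJECTS = {"Case", "Account", "User", "Opportunity"}  # named in the article
COUNT_RE = re.compile(r"^\s*SELECT\s+COUNT\(\)\s+FROM\s+(\w+)", re.I)
SELECT_RE = re.compile(r"^\s*SELECT\s+(?!COUNT\(\)).*?\s+FROM\s+(\w+)", re.I)


def parse_records(text):
    """Split the pipe-delimited sample into dicts with a parsed timestamp."""
    records = []
    for line in filter(None, text.splitlines()):
        ts, app, user, query = line.split("|", 3)
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        "app": app, "user": user, "query": query})
    return records


def find_count_then_dump(records, app_name="Salesloft Drift",
                         window=timedelta(minutes=5)):
    """Flag a COUNT() on a sensitive object via the suspect app that is followed
    within `window` by a full SELECT on the same object from the same user."""
    pending = {}  # (user, object) -> time of the COUNT() query
    findings = []
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["app"] != app_name:
            continue  # traffic from other connected apps is out of scope here
        m = COUNT_RE.match(r["query"])
        if m:
            pending[(r["user"], m.group(1))] = r["ts"]
            continue
        m = SELECT_RE.match(r["query"])
        if not m or m.group(1) not in SENSITIVE_OBJECTS:
            continue
        key = (r["user"], m.group(1))
        if key in pending and r["ts"] - pending[key] <= window:
            findings.append({"user": r["user"], "object": m.group(1),
                             "count_at": pending.pop(key).isoformat(),
                             "dump_at": r["ts"].isoformat()})
    return findings
```

On the sample above the check reports the Case and User pairs and ignores the Lead query and the analyst's traffic; tune `window` to the polling cadence of the integration you are reviewing so routine syncs are not flagged.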

This incident highlights the critical importance of securing third-party integrations and the necessity for continuous monitoring of OAuth-enabled applications that have access to sensitive corporate data repositories.