FBI Releases Indicators of Compromise for Recent Salesforce Intrusion Campaigns

The Federal Bureau of Investigation (FBI) has disseminated indicators of compromise (IoCs) linked to two significant cyber intrusion campaigns targeting Salesforce customers. These campaigns, orchestrated by threat actors identified as UNC6040 and UNC6395, have led to substantial data breaches and subsequent extortion attempts.

UNC6040’s Voice Phishing Campaign

UNC6040 has been active for several months, employing sophisticated voice phishing (vishing) techniques to infiltrate organizations’ Salesforce environments. The attackers impersonate IT support personnel, contacting employees via phone calls to manipulate them into granting unauthorized access to Salesforce portals or divulging login credentials.

In certain instances, the attackers instruct employees to approve a tampered version of the Salesforce Data Loader application. This malicious variant enables the extraction of vast amounts of data stored within the Salesforce instance. The FBI’s alert highlights that UNC6040 utilizes phishing panels, directing victims to access them from mobile devices or work computers during these deceptive calls. Once access is secured, the attackers execute API queries to exfiltrate large datasets.

Following the data theft, UNC6040 issues extortion demands to the victim organizations, threatening to publicly disclose the stolen information unless a ransom is paid in cryptocurrency. Salesforce had previously cautioned about such attacks in March. By June, Google’s Threat Intelligence Group observed that UNC6040 had expanded its operations, moving laterally to compromise other platforms, including Microsoft 365, Okta, and Workplace.

Notably, UNC6040 has claimed affiliation with the notorious ShinyHunters extortion group, which is believed to have connections with the Scattered Spider hackers.

UNC6395’s Exploitation of Salesforce-Salesloft Integration

The second campaign involves UNC6395, which orchestrated a widespread data theft operation affecting over 700 organizations through the integration between Salesforce and the Drift AI chatbot, developed by Salesloft. This campaign, active between August 8 and August 18, 2025, exploited compromised OAuth tokens associated with the Drift application to access and exfiltrate data from corporate Salesforce instances.

The attackers systematically exported large volumes of data, primarily aiming to harvest credentials. They searched for sensitive information such as AWS access keys, passwords, and Snowflake-related access tokens. Google’s Threat Intelligence Group attributed this campaign to UNC6395, noting that the threat actor used automated tools to facilitate the data theft process across targeted organizations.

Salesloft responded by revoking the compromised tokens and advising customers to re-authenticate their Drift-Salesforce connections. The company also shared IoCs to assist organizations in identifying potential compromises. Salesloft emphasized that only organizations integrating Drift with Salesforce were affected, and said it has been collaborating with Salesforce and third-party partners to restore integrations securely.

Recommendations for Organizations

In light of these campaigns, the FBI recommends that organizations:

– Educate Employees: Conduct regular training sessions to raise awareness about social engineering tactics, emphasizing the importance of verifying unsolicited requests for credentials or access.

– Implement Multi-Factor Authentication (MFA): Enforce MFA across all platforms to add an extra layer of security against unauthorized access.

– Monitor for Suspicious Activity: Utilize security tools to detect unusual behavior, such as unexpected data exports or unauthorized application approvals.

– Review Third-Party Integrations: Regularly assess and audit third-party applications connected to critical systems to ensure they do not introduce vulnerabilities.

– Develop Incident Response Plans: Establish and regularly update incident response protocols to swiftly address potential breaches and mitigate damage.
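Both campaigns surfaced in Salesforce as API-driven bulk exports, either by a client the organization never sanctioned (the tampered Data Loader) or by a sanctioned integration whose OAuth token had been stolen (Drift). The following detection sketch, added here as an illustration and not taken from the FBI alert or from Salesforce, shows how the "monitor for suspicious activity" and "review third-party integrations" recommendations can be applied to API event rows. The log rows, the client allowlist and the row budget are all constructed; the column names are modelled on the Salesforce EventLogFile API event format and should be checked against your own export.

```python
"""Flag Salesforce API exports by unapproved clients or over a volume budget.

Constructed example: the rows below imitate EventLogFile API-event CSV rows
(column names assumed); the allowlist and budget are illustrative only.
"""
import csv
import io
from collections import defaultdict

# Constructed sample rows (not real customer data). Client names, user IDs
# and row counts are invented to show the two patterns the article describes.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,CLIENT_NAME,API_TYPE,ENTITY_NAME,ROWS_PROCESSED,CLIENT_IP
API,2025-08-09T02:10:00Z,005000000000001,Salesforce Data Loader,SOAP,Account,2000,198.51.100.7
API,2025-08-09T02:11:00Z,005000000000001,Salesforce Data Loader,SOAP,Contact,2000,198.51.100.7
API,2025-08-09T02:12:00Z,005000000000001,Salesforce Data Loader,SOAP,Case,50000,198.51.100.7
API,2025-08-09T09:00:00Z,005000000000002,Drift,REST,Case,120000,203.0.113.9
API,2025-08-09T09:05:00Z,005000000000003,Salesforce for Outlook,REST,Contact,25,192.0.2.14
"""

# Assumed: connected apps the org has actually approved for API access.
APPROVED_CLIENTS = {"Salesforce for Outlook", "Drift"}
# Assumed per-client row budget for the window; derive it from your own baseline.
ROW_BUDGET = 100_000

def summarize_exports(log_text):
    """Sum ROWS_PROCESSED per (user, client) over the API event rows."""
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["EVENT_TYPE"] != "API":
            continue
        key = (row["USER_ID"], row["CLIENT_NAME"])
        totals[key] += int(row["ROWS_PROCESSED"] or 0)
    return dict(totals)

def find_suspicious(log_text, approved=APPROVED_CLIENTS, budget=ROW_BUDGET):
    """Report clients never approved, and approved clients exceeding the budget.

    An approved client over budget is the stolen-token case: the app itself is
    legitimate, so only the volume anomaly distinguishes it from normal use.
    """
    findings = []
    for (user, client), rows in summarize_exports(log_text).items():
        if client not in approved:
            findings.append({"user": user, "client": client, "rows": rows,
                             "reason": "unapproved client"})
        elif rows > budget:
            findings.append({"user": user, "client": client, "rows": rows,
                             "reason": "export volume over budget"})
    return sorted(findings, key=lambda f: f["rows"], reverse=True)

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['reason']}: user={f['user']} client={f['client']} rows={f['rows']}")
```

On the constructed sample this reports the Drift token exporting 120,000 rows (approved app, over budget) and the Data Loader session exporting 54,000 rows (client not on the allowlist), while the low-volume approved Outlook client is left alone.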

By adopting these measures, organizations can enhance their resilience against sophisticated cyber threats targeting Salesforce environments and other critical systems.