FBI Warns Salesforce Customers of Two Recent Intrusion Campaigns
- How the UNC6040 and UNC6395 Attacks Are Operating
- UNC6040: The Utilization of Vishing and Malicious Data Loading Tactics
- UNC6395: Token Abuse via Salesloft and Drift Integration
- Why These Targeted Salesforce Campaigns Pose a Risk
- "I Was Impacted by the Salesforce Cyber Breach. What Should My Team Do Now?"
- Broader Lessons for Technical Leaders and CISOs
- Conclusion
Would you like to learn more?
Download our Pentest Sourcing Guide to learn everything you need to know to successfully plan, scope, and execute your penetration testing projects.
The FBI has issued a FLASH alert for two ongoing cybercrime campaigns (tracked as UNC6040 and UNC6395), both focused on compromising Salesforce customer environments. The goal? To steal data and extort organizations.
Let's dive into what organizations can take away from this alert:
How the UNC6040 and UNC6395 Attacks Are Operating
The first step to prevention is understanding.
Our ethical hackers have summarized the tactics being leveraged throughout these recent cyberattacks:
UNC6040: The Utilization of Vishing and Malicious Data Loading Tactics
Threat actors are utilizing voice phishing (vishing) to trick employees into handing over credentials or approving specially modified Salesforce Data Loader applications.
In many cases, these attackers are impersonating internal IT support or use renaming tricks (for example, calling apps such as “My Ticket Portal”) to make malicious tools appear legitimate.
After gaining access, they then perform large-scale exfiltration using API queries. The stolen data is later used in extortion demands, when victims are pressured to pay to "prevent leaks to the Dark Web."
UNC6395: Token Abuse via Salesloft and Drift Integration
Between August 8th and 18th, 2025, UNC6395 used compromised OAuth (and refresh) tokens related to the Salesloft–Drift integration to access numerous Salesforce instances.
Once inside, they didn’t just grab contact lists—they hunted for “secrets” like AWS keys, Snowflake access tokens, passwords, and other sensitive credentials stored in Salesforce objects.
As such, many organizations affected had to revoke the compromised tokens, temporarily disable the Drift integration, and rotate credentials.
Why These Targeted Salesforce Campaigns Pose a Risk
The threat actors in question aren’t exploiting bugs in Salesforce itself; they’re exploiting trust relationships (OAuth, third-party apps, social engineering). That means even well-defended organizations can be blindsided.
With hundreds of organizations exposed via the UNC6395 Drift‐Salesloft campaign, there is a high likelihood that others may be affected but haven’t been publicly disclosed.
"I Was Impacted by the Salesforce Cyber Breach. What Should My Team Do Now?"
Initial steps your security, operations, and leadership teams can take to mitigate risks include, but are not limited to:
Area of Focus | Recommendations |
User Awareness and Social Engineering | Train employees, especially those with access to Salesforce or third-party integrations, to detect vishing and fraudulent support requests. Simulate voice phishing drills. |
Third-Party Integration Hygiene | Map all integrations (OAuth, API, third-party apps like Drift, Salesloft). Assess which ones have broad or elevated permissions. Remove or disable those you don’t need. |
Authentication and Access Controls | Enforce phishing-resistant MFA. Restrict login IP ranges for integrations. Use least privilege for connected apps. |
Monitoring and Logging | Monitor API usage, OAuth token usage, connected app activity. Set alerts for abnormal data export volumes or unusual login behavior. |
Incident Response Preparedness | Have a plan for expiring/revoking tokens, rotating credentials, and quickly isolating affected integrations. Practice response for SaaS‐integration attacks. |
Legal, Compliance, and Exec Communication | Be ready to notify stakeholders about data exposure. Plan for extortion scenarios. Keep leadership in the loop about risks from integrations, not only direct vulnerabilities. |
Broader Lessons for Technical Leaders and CISOs
SaaS is not always “secure by default.” Even if the platform is robust, the way you integrate and permit connectivity often introduces risk.
Trust relationships are attack vectors. OAuth tokens, third-party applications, and support privileges are low-hanging fruit for threat actors.
Defenses must include people and processes, not just software. Vishing, social engineering, and human trust are recurring weak points. Technology alone won’t solve them without user training, policies, and controls.
Security operations must include SaaS integration risk assessments. Regular audits of what third-party tools you allow, what permissions they have, and whether you truly monitor their behavior.
Recovery is not just about patching; it’s about disruption readiness. If tokens are compromised, teams require fast mitigation: token revocation, communication, internal and external reporting, and recovery procedures.
Conclusion
The FBI’s alert about UNC6040 and UNC6395 underscores a critical trend: attackers are increasingly targeting the connective tissue of SaaS ecosystems (namely OAuth, third-party apps, identity, and trust.) '
These campaigns demonstrate that your Salesforce environment might be secure in isolation, but vulnerabilities in integrations and human behaviors can lead to serious compromise.
For security leaders, the takeaway is clear: strengthen your third-party integration hygiene, train people for social engineering attacks, monitor your OAuth/App usage carefully, and be ready for rapid response when incidents happen.
At Packetlabs, we specialize in helping organizations build resilience... including SaaS-ecosystem defense, integration risk audits, and incident response planning. When your defenses cover not only your systems but also your trust relationships and people, you're better positioned to prevent (and contain) these emerging threats.
Contact Us
Speak with an Account Executive
Explore in-depth resources from our ethical hackers to assist you and your team’s cyber-related decisions.
September 13 - Blog
Why Multi-Factor Authentication is Not Enough
Knowing is half the battle, and the use and abuse of common frameworks shed insight into what defenders need to do to build defense in depth.
November 19 - Blog
The Top Cybersecurity Statistics for 2024
The top cybersecurity statistics for 2024 can help inform your organization's security strategies for 2025 and beyond. Learn more today.
October 24 - Blog
Packetlabs at SecTor 2024
Packetlabs is thrilled to have been a part of SecTor 2024. Learn more about our top takeaway's from this year's Black Hat event.
