FBI Report: Salesforce Data Breaches by UNC6040 & UNC6395 Using Voice Phishing and OAuth Token Abuse
Two cybercriminal groups have compromised customer data held in Salesforce instances across multiple industries, one through voice phishing and the other through a compromised third-party integration. The Federal Bureau of Investigation recently issued an alert describing how the two groups, tracked as UNC6040 and UNC6395, gained access to numerous Salesforce instances and stole large volumes of personal and corporate data.
The attacks target cloud-based Customer Relationship Management (CRM) systems, which concentrate customer records, financial data and business intelligence in one place. Neither group exploited a flaw in Salesforce itself; both abused legitimate access paths (a user's consent to a connected app, and a partner's OAuth tokens), which is why organizations are now reviewing not just their own accounts but every integration that holds API access to their data.
Since October 2024, UNC6040 has run a social engineering campaign that targets organizational trust rather than software: voice phishing, or “vishing,” calls aimed at customer service representatives and IT help desk staff.
The methodology follows a consistent pattern. Callers contact the organization's call center impersonating internal IT support responding to a supposed enterprise-wide connectivity problem, and manufacture urgency by claiming they need the employee's immediate help to resolve an issue affecting company operations.
During the call the attacker walks the employee through steps that end in unauthorized access to the Salesforce environment. This goes beyond credential theft: attackers often ask the employee to read out multifactor authentication codes, and then use the resulting session to authorize a malicious connected app in the target instance.
The most important technical detail is how UNC6040 abuses Salesforce's OAuth-based connected app model. Connected apps are the platform's legitimate mechanism for granting third-party tools API access to an org; the group tricks employees into authorizing an attacker-controlled connected app that looks like a routine business tool.
These apps frequently pose as modified versions of Salesforce's own Data Loader tool. During the call, the attacker directs the victim to a specific Salesforce URL, including the connected app setup page at login.salesforce.com/setup/connect, where the employee approves access for the attacker's app without realizing what they are authorizing.
Once authorized, the connected app holds OAuth access and refresh tokens that let the attacker query objects, read sensitive records and exfiltrate large volumes of customer data through the API. Because Salesforce itself issued those tokens through a legitimate consent flow, the traffic looks like a sanctioned integration. Multifactor authentication, password resets and login alerting do not help at this point: the attacker never logs in again as the user, they simply reuse a token the user already approved, so the effective responses are revoking the token and removing the app.
After the app is authorized, UNC6040 operators issue API queries that pull data in bulk. This lets them harvest customer databases, financial records, personal identifying information and proprietary business data quickly, with little for a defender to notice beyond the API volume itself.
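The bulk-extraction pattern described above can be caught from API logs by comparing each principal's query volume against its own history. The following Python is an added example written for this page, not FBI or Salesforce tooling; the log format (timestamp, user, app, operation, rows) is an assumed simplified schema rather than Salesforce's real Event Log File columns, and the sample rows and thresholds are constructed.

```python
# Added example for this page: detect bulk data extraction through a
# connected app by comparing query volume against each (user, app) history.
# Not FBI or Salesforce code. The CSV schema below is an assumed, simplified
# one; real Salesforce Event Log Files have different column names.
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one row per API query. "alice" is a normal
# Data Loader user; "bob" is a help desk account whose newly authorized
# app pulls 200,000 rows in five minutes; alice's last day is a 10x spike.
SAMPLE_LOG = """timestamp,user,app,operation,rows
2025-08-10T09:00:12Z,alice@example.com,Data Loader,query,250
2025-08-10T09:15:44Z,alice@example.com,Data Loader,query,180
2025-08-10T10:02:01Z,alice@example.com,Data Loader,query,300
2025-08-11T09:05:00Z,alice@example.com,Data Loader,query,220
2025-08-11T14:20:00Z,bob@example.com,My Ticket Sync,query,40000
2025-08-11T14:21:00Z,bob@example.com,My Ticket Sync,query,40000
2025-08-11T14:22:00Z,bob@example.com,My Ticket Sync,query,40000
2025-08-11T14:23:00Z,bob@example.com,My Ticket Sync,query,40000
2025-08-11T14:24:00Z,bob@example.com,My Ticket Sync,query,40000
2025-08-12T09:00:00Z,alice@example.com,Data Loader,query,5000
"""

# Assumed tuning values; set them from your own org's baseline.
ABS_ROW_THRESHOLD = 100_000   # rows in one window that always merits an alert
SPIKE_FACTOR = 10             # alert when a window exceeds 10x the principal's prior max
WINDOW = timedelta(hours=1)


def parse_log(text):
    """Parse the CSV log into dicts with a real datetime, oldest first."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "ts": datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": row["user"],
            "app": row["app"],
            "operation": row["operation"],
            "rows": int(row["rows"]),
        })
    return sorted(events, key=lambda e: e["ts"])


def window_start(ts, window=WINDOW):
    """Floor a timestamp to the start of its window."""
    epoch = datetime(1970, 1, 1)
    secs = (ts - epoch).total_seconds()
    return epoch + timedelta(seconds=secs - secs % window.total_seconds())


def rows_per_window(events, window=WINDOW):
    """Sum rows returned per (user, app, window) for query operations."""
    totals = defaultdict(int)
    for e in events:
        if e["operation"] == "query":
            totals[(e["user"], e["app"], window_start(e["ts"], window))] += e["rows"]
    return totals


def detect_bulk_extraction(events, window=WINDOW,
                           abs_threshold=ABS_ROW_THRESHOLD, spike_factor=SPIKE_FACTOR):
    """Return alerts for windows that are absolutely large or a spike vs. history.

    History is kept per (user, app), so an app with no history is caught only
    by the absolute threshold, which is exactly the case for a freshly
    authorized malicious connected app.
    """
    totals = rows_per_window(events, window)
    history = defaultdict(list)
    alerts = []
    ordered = sorted(totals.items(), key=lambda kv: (kv[0][2], kv[0][0], kv[0][1]))
    for (user, app, start), rows in ordered:
        prior = history[(user, app)]
        prior_max = max(prior) if prior else 0
        reason = None
        if rows >= abs_threshold:
            reason = f"{rows} rows in one window (>= {abs_threshold})"
        elif prior and rows > spike_factor * prior_max:
            reason = f"{rows} rows vs. prior max {prior_max} (> {spike_factor}x)"
        if reason:
            alerts.append({"user": user, "app": app, "window": start,
                           "rows": rows, "reason": reason})
        prior.append(rows)
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_extraction(parse_log(SAMPLE_LOG)):
        print(f"{a['window']:%Y-%m-%d %H:%M} {a['user']} via {a['app']}: {a['reason']}")
```

On the constructed log this raises two alerts: bob's app on its first and only active hour (absolute threshold, no history to compare against) and alice's 5,000-row hour against a prior maximum of 430 (spike). The per-principal history is the point: a global threshold would miss a modest-looking volume from an app that should have no volume at all.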
The operation does not end with the theft. Victims later receive extortion demands claiming to come from the ShinyHunters data-extortion group, demanding cryptocurrency payment to prevent publication of the stolen data. The timing varies widely: some organizations receive demands within days of the breach, others months after the original compromise.
The delay may mean operators retain access and choose their moment; either way it has a practical consequence: the absence of a demand is not evidence that nothing was taken. An organization that discovers an unexpected connected app or a vished help desk interaction should assume data was exfiltrated at that time and review token grants and API logs immediately, rather than waiting for an extortion note.
The second group, UNC6395, shows how the same goal (bulk Salesforce data theft) can be reached through the supply chain rather than through people. Instead of social engineering, this group compromised a legitimate third-party integration that many organizations connect to Salesforce.
In August 2025, UNC6395 used compromised OAuth tokens belonging to the Salesloft Drift application, an AI-powered chatbot integrated with many Salesforce instances. With the integration's own tokens, the actors could read customer data from every org that had authorized Drift, without touching any of those orgs' users or credentials.
The scope of the compromise prompted a joint response. On August 20, 2025, Salesloft and Salesforce revoked all active access and refresh tokens associated with the Drift application, cutting off the actors' access across affected systems. Revocation ends the access but does not undo the theft: organizations that had Drift connected still need to treat data readable through that integration as potentially exposed.
Researchers have published technical indicators for both groups. UNC6040's infrastructure spans multiple IP ranges, including cloud hosting providers and compromised systems in several geographic regions.
The group's infrastructure includes over 80 distinct IP addresses across hosting providers including Microsoft Azure, Google Cloud Platform and various European hosts. Spreading activity across rented cloud capacity complicates attribution and means that blocking individual addresses has limited lasting value.
UNC6395's operations, smaller in scope, used roughly 20 IP addresses concentrated in European hosting environments. Both groups used custom user-agent strings, including “Salesforce-Multi-Org-Fetcher/1.0” and “Salesforce-CLI/1.0,” chosen to blend with legitimate Salesforce API traffic. A user-agent string is set by the client and costs nothing to change, so these values are useful for retrospective log searches but should be treated as low-confidence indicators, strongest when they coincide with a listed IP address or with abnormal query volume.
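A retrospective sweep of login and API logs for these indicators looks like the following. This is an added example written for this page, not FBI or Salesforce code; the two user-agent strings are the ones named above, the IP ranges are RFC 5737 documentation placeholders standing in for the alert's published address list, and the log schema and sample rows are constructed.

```python
# Added example for this page: retrospective IOC matching over login/API
# log rows, combining the alert's user-agent strings with source IP ranges.
# Not FBI or Salesforce code. The IP ranges are RFC 5737 documentation
# placeholders standing in for the alert's published addresses; substitute
# the real list. The CSV schema is an assumed simplification.
import csv
import io
import ipaddress

# User-agent strings named in the alert (exact match). They are attacker-chosen,
# so a UA hit on its own is low confidence.
IOC_USER_AGENTS = {"Salesforce-Multi-Org-Fetcher/1.0", "Salesforce-CLI/1.0"}

# Placeholder networks: replace with the alert's actual IP list.
IOC_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.7/32")]

# Constructed sample rows. The last row has a malformed address to show that
# bad input is skipped for the IP check rather than crashing the sweep.
SAMPLE_ROWS = """timestamp,user,source_ip,user_agent,status
2025-08-12T08:01:00Z,carol@example.com,203.0.113.10,Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/128.0,Success
2025-08-12T08:03:30Z,svc-integration@example.com,192.0.2.45,Salesforce-Multi-Org-Fetcher/1.0,Success
2025-08-12T08:04:10Z,dave@example.com,203.0.113.11,Salesforce-CLI/1.0,Success
2025-08-12T08:09:00Z,erin@example.com,198.51.100.7,Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) Firefox/129.0,Success
2025-08-12T08:12:00Z,frank@example.com,not-an-ip,Salesforce-CLI/1.0,Failure
"""


def ip_in_ioc(ip_text):
    """True if the address falls inside any IOC network; malformed input is not a match."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in IOC_NETWORKS)


def classify(row):
    """Return the list of indicator types this row matches."""
    hits = []
    if row["user_agent"] in IOC_USER_AGENTS:
        hits.append("user_agent")
    if ip_in_ioc(row["source_ip"]):
        hits.append("source_ip")
    return hits


def scan(text):
    """Scan CSV rows and return findings; UA and IP together is high confidence."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        hits = classify(row)
        if not hits:
            continue
        findings.append({
            "timestamp": row["timestamp"],
            "user": row["user"],
            "source_ip": row["source_ip"],
            "matched_on": hits,
            "confidence": "high" if len(hits) == 2 else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_ROWS):
        print(f"{f['timestamp']} {f['user']} {f['source_ip']} "
              f"matched={','.join(f['matched_on'])} confidence={f['confidence']}")
```

The confidence field encodes the caveat above: a user-agent match alone (dave, frank) is a lead to investigate, a listed IP alone (erin) is stronger, and both together (the integration account from a listed range) is what should page someone. Keep the sweep on the API and login sources for the whole period since the earliest known activity, not just the day of the alert.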
Defending against these campaigns requires addressing both the technical path and the human one. Employee training should cover voice phishing specifically, with a simple rule that any request to approve an application, share a code or grant system access is verified through a known internal channel (a call back to the help desk's published number, or a ticket) before anything is done.
Technical controls should start with phishing-resistant multifactor authentication across all cloud services, particularly for administrators with elevated Salesforce privileges. Note, though, that phishing-resistant MFA does not stop the UNC6040 path on its own: the victim is already legitimately logged in when they approve the attacker's connected app. The consent step itself must be controlled. In Salesforce this means not letting all users self-authorize connected apps, setting connected app policies so that only admin-approved users are pre-authorized, and granting API access on a least-privilege basis through robust authentication, authorization and accounting controls.
Monitoring must extend to API usage, with security teams looking for unusual query patterns and bulk data extraction that may indicate an ongoing compromise: a single user or connected app suddenly returning far more rows than its baseline, a new app appearing in API logs, or query activity from an account that normally only uses the browser. Browser session monitoring and network log analysis should focus on the same indicators of exfiltration.
Regular review of third-party integrations is the other critical control. Organizations should inventory every connected app and the OAuth tokens issued to it, remove apps nobody can vouch for, revoke tokens that have not been used recently, and rotate API keys, credentials and tokens on a schedule to shorten the window in which a compromised integration remains useful. Keying the inventory on the app's identifier rather than its display name matters, since the malicious apps in these campaigns imitate the names of legitimate tools.
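A review of that inventory can be made mechanical. The Python below is an added example written for this page, not FBI or Salesforce tooling; it assumes an export of token grants with the columns app_name, app_id, user, created and last_used (a simplified stand-in for whatever your org's connected app and token reports provide), and the allowlist, admin set, thresholds and sample rows are all constructed.

```python
# Added example for this page: review an export of connected app OAuth token
# grants and decide what to revoke or verify. Not FBI or Salesforce code.
# The CSV schema (app_name, app_id, user, created, last_used) is an assumed
# simplification; the allowlist, admin set and sample rows are constructed.
import csv
import io
from datetime import datetime, timedelta

# Assumed policy inputs. Key the allowlist on the app's identifier, not its
# display name: the malicious apps in these campaigns imitate legitimate names.
APPROVED_APP_IDS = {"app-0001-dataloader", "app-0002-drift"}
ADMIN_USERS = {"admin@example.com"}
STALE_AFTER = timedelta(days=90)    # unused this long: revoke
RECENT_WITHIN = timedelta(days=30)  # granted this recently by a non-admin: verify
NOW = datetime(2025, 9, 1)          # fixed reference time so the example is deterministic

# Constructed export. Row 3 uses the legitimate app's display name but an
# unknown identifier, the lookalike pattern described in the article.
SAMPLE_TOKENS = """app_name,app_id,user,created,last_used
Salesforce Data Loader,app-0001-dataloader,admin@example.com,2024-11-02T10:00:00Z,2025-08-28T09:30:00Z
Drift,app-0002-drift,svc-drift@example.com,2025-02-14T12:00:00Z,2025-04-01T08:00:00Z
Salesforce Data Loader,app-9931-unknown,helpdesk1@example.com,2025-08-11T14:10:00Z,2025-08-11T14:55:00Z
Salesforce Data Loader,app-0001-dataloader,helpdesk2@example.com,2025-08-25T11:00:00Z,2025-08-30T16:20:00Z
"""


def parse_ts(text):
    """Parse the export's UTC timestamps."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def review_tokens(text, now=NOW):
    """Apply the three review rules to every grant and return actionable findings."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        reasons = []
        if row["app_id"] not in APPROVED_APP_IDS:
            reasons.append("unapproved_app")
        if now - parse_ts(row["last_used"]) > STALE_AFTER:
            reasons.append("stale_token")
        if row["user"] not in ADMIN_USERS and now - parse_ts(row["created"]) <= RECENT_WITHIN:
            reasons.append("recent_non_admin_grant")
        if not reasons:
            continue
        # Unknown apps and idle tokens are revoked outright; a recent grant of an
        # approved app by a non-admin is verified with the user first.
        action = "revoke" if {"unapproved_app", "stale_token"} & set(reasons) else "verify"
        findings.append({
            "app_name": row["app_name"],
            "app_id": row["app_id"],
            "user": row["user"],
            "reasons": reasons,
            "action": action,
        })
    return findings


if __name__ == "__main__":
    for f in review_tokens(SAMPLE_TOKENS):
        print(f"{f['action'].upper():7} {f['app_name']} ({f['app_id']}) "
              f"for {f['user']}: {', '.join(f['reasons'])}")
```

Run against the constructed export, this revokes the idle Drift grant and the lookalike Data Loader grant from the help desk account, and queues the legitimately-identified but recently self-authorized grant for a conversation with the user. The identifier check is what separates the two Data Loader rows; by display name alone they are indistinguishable.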
These campaigns illustrate the threat facing cloud business applications. As organizations move critical functions to Software-as-a-Service platforms, attackers are adapting to the access model of those platforms: consent grants and integration tokens rather than network perimeters.
The success of UNC6040 and UNC6395 suggests future attacks will keep targeting trust relationships between organizations and their technology vendors. Social engineering will continue to exploit organizational hierarchies and established processes such as help desk workflows, while technical attacks will increasingly target third-party integrations and the OAuth tokens they hold.
Perimeter-based security models do not protect SaaS applications: the API traffic of a compromised integration originates from the vendor's infrastructure and carries valid tokens. Defense strategies must address the human element and add technical controls that can detect and respond to API-based attacks.
The two groups also reflect a trend toward specialization. Rather than opportunistic attacks on whatever is vulnerable, they show a deep understanding of a specific platform and the business processes around it, which is what allows highly targeted campaigns with high success rates.
Organizations using Salesforce or similar cloud CRM systems should assess their exposure to both attack vectors now: review who can authorize connected apps, inventory existing integrations and their tokens, and make sure API activity is being monitored.
Source: FBI