In the spring and summer of 2025, the threat actor tracked as UNC6395 compromised Salesloft’s Drift platform and, through it, the Salesforce instances and other integrations of Drift’s customers. This was not just one vendor’s breach; it was a wake-up call for any company whose SaaS tools are chained together by OAuth tokens. Drawing on the findings published by Mandiant and Google Threat Intelligence, we walk through the timeline, the tactics, and the concrete steps that protect your organization from similar attacks.

A Slow Burn: The Breach Unfolds

The intrusion began quietly in March 2025, when UNC6395 gained access to Salesloft’s GitHub account. Through June the attackers downloaded repository content, added unauthorized users, and set up workflows of their own. Their reconnaissance touched both the Salesloft and Drift application environments, but the core Salesloft platform showed no further compromise. The real blow landed in August: from Drift’s AWS environment the actor obtained the OAuth tokens that Drift customers had issued to the Drift integration, and used those tokens to read data directly from customer Salesforce instances. Because the tokens were legitimate, the access looked like ordinary Drift activity unless you checked where it came from.

From August 8 to at least August 18, 2025, UNC6395 systematically pulled data from Salesforce objects such as Account, Opportunity, User, and Case using targeted SOQL queries. On August 9 the actor also used the Drift Email integration to read mail from a small number of Google Workspace accounts whose owners had connected that integration. No broader Alphabet systems were affected, but the precision of the attack was striking.

Salesloft, Salesforce, and Google moved decisively. On August 20, all active Drift access and refresh tokens were revoked, and the Drift app was removed from the Salesforce AppExchange. On August 28, Mandiant (engaged by Salesloft) reported that the compromise extended to every Drift integration, not only Salesforce, and Google disabled the Drift Email integration with Workspace. As of September 6, 2025, containment was confirmed, with forensic reviews finding no lingering access.

Inside UNC6395’s Playbook

This was not a smash-and-grab. UNC6395 first ran SOQL queries to count records, then pulled detailed User and Case data and searched the stolen content for credentials: AWS access key IDs (which begin with “AKIA”), Snowflake tokens, and passwords that users had pasted into support cases. The actor deleted its query jobs afterwards to cover its tracks, but Salesforce audit logs preserved the evidence, so affected organizations can still reconstruct which queries were run.

Their infrastructure leaned on anonymity: traffic was routed through Tor exit nodes and through cloud providers such as DigitalOcean and AWS. The tooling also left distinctive user-agent strings. Two are the default identifiers of Python HTTP libraries (“python-requests/2.32.4” and “Python/3.11 aiohttp/3.12.15”); two are custom names that imitate Salesforce tooling (“Salesforce-Multi-Org-Fetcher/1.0” and “Salesforce-CLI/1.0”). Custom user agents are trivial to change, so they are good hunting pivots for this campaign but poor long-term signatures. The blend of legitimate tokens, anonymized sources, and log cleanup made detection a challenge, but not impossible.

Spotting the Red Flags: Indicators of Compromise

To catch signs of compromise, start from the source of the traffic. Drift’s legitimate connections to your Salesforce org come from known IP ranges; any use of the Drift connected app from anywhere else is suspect, whether or not the address appears on a published list. Mandiant also flagged the IP addresses the actor used, including:

  • 154.41.95.2
  • 176.65.149.100
  • 179.43.159.198
  • 185.130.47.58
  • 185.207.107.130
  • 185.220.101.133 (and others in the 185.220.101.x range)
  • 192.42.116.179
  • 192.42.116.20
  • 194.15.36.117
  • 195.47.238.178
  • 195.47.238.83
  • 208.68.36.90
  • 44.215.108.109

User-agent strings to watch include:

  • python-requests/2.32.4
  • Salesforce-Multi-Org-Fetcher/1.0
  • Python/3.11 aiohttp/3.12.15
  • Salesforce-CLI/1.0

Check your Salesforce login history and API logs for these markers, and broaden the search to Tor exit nodes in general, since the actor did not confine itself to the addresses listed. Bear in mind that IP and user-agent indicators are campaign-specific: Tor exits rotate and user agents are trivial to change, so a clean sweep is necessary but not sufficient. Separately, scan the data the actor could have read (cases, opportunities, account notes) with a secret scanner such as TruffleHog; any AWS keys, Snowflake credentials, or custom Salesforce login URLs found there must be treated as exposed and rotated.
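The sweep described above, as an added example (not code from the article, Mandiant, Salesloft, or Salesforce): it matches the published IP addresses and user-agent strings against login/API event records, treats the whole 185.220.101.0/24 Tor range as suspect, and flags any use of the Drift connected app from outside the range Drift is expected to use. The DRIFT_ALLOWED_NETS value, the column layout, and the sample records are constructed for the example and are not Drift’s real ranges or a real export.

```python
"""IOC sweep over a constructed Salesforce event export.

Added example, not code from the article, Mandiant, Salesloft or Salesforce.
DRIFT_ALLOWED_NETS and SAMPLE_EVENTS are constructed for illustration.
"""
import csv
import io
import ipaddress

# IP addresses published for UNC6395 (from the article's list).
MALICIOUS_IPS = {
    "154.41.95.2", "176.65.149.100", "179.43.159.198", "185.130.47.58",
    "185.207.107.130", "185.220.101.133", "192.42.116.179", "192.42.116.20",
    "194.15.36.117", "195.47.238.178", "195.47.238.83", "208.68.36.90",
    "44.215.108.109",
}
# The published list includes further 185.220.101.x addresses (Tor exits),
# so the whole /24 is treated as suspect instead of enumerating them.
SUSPECT_NETS = [ipaddress.ip_network("185.220.101.0/24")]
MALICIOUS_UAS = {
    "python-requests/2.32.4",
    "Salesforce-Multi-Org-Fetcher/1.0",
    "Python/3.11 aiohttp/3.12.15",
    "Salesforce-CLI/1.0",
}
# Assumption for the example: replace with the ranges Drift actually connects
# from in your environment. 203.0.113.0/24 is documentation address space.
DRIFT_ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample export; columns are modelled loosely on Salesforce
# event log files, but this is not a real log.
SAMPLE_EVENTS = """\
TIMESTAMP,EVENT_TYPE,USER_ID,SOURCE_IP,USER_AGENT,CONNECTED_APP
2025-08-08T14:02:11Z,Login,005xx000000001,203.0.113.10,Drift/1.0,Drift
2025-08-08T14:05:43Z,API,005xx000000001,208.68.36.90,python-requests/2.32.4,Drift
2025-08-09T03:17:09Z,API,005xx000000001,185.220.101.143,Salesforce-Multi-Org-Fetcher/1.0,Drift
2025-08-10T09:30:00Z,Login,005xx000000002,198.51.100.7,Mozilla/5.0,Salesforce
2025-08-11T11:45:12Z,API,005xx000000001,198.51.100.9,Salesforce-CLI/1.0,Drift
"""


def load_events(text):
    """Parse the CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def classify(event):
    """Return the reasons an event is suspicious; an empty list means clean."""
    reasons = []
    ip = ipaddress.ip_address(event["SOURCE_IP"])
    if str(ip) in MALICIOUS_IPS:
        reasons.append("known UNC6395 IP")
    elif any(ip in net for net in SUSPECT_NETS):
        reasons.append("Tor exit range 185.220.101.0/24")
    if event["USER_AGENT"] in MALICIOUS_UAS:
        reasons.append("known UNC6395 user agent")
    # The core check: Drift's legitimate traffic comes from known ranges, so the
    # Drift app used from anywhere else is suspect even when neither the IP nor
    # the user agent is on a published list.
    if event["CONNECTED_APP"] == "Drift" and not any(ip in net for net in DRIFT_ALLOWED_NETS):
        reasons.append("Drift connected app used from outside Drift's IP range")
    return reasons


def sweep(text):
    """Return (timestamp, ip, user_agent, reasons) for every suspicious event."""
    hits = []
    for event in load_events(text):
        reasons = classify(event)
        if reasons:
            hits.append((event["TIMESTAMP"], event["SOURCE_IP"], event["USER_AGENT"], reasons))
    return hits


if __name__ == "__main__":
    for ts, ip, ua, reasons in sweep(SAMPLE_EVENTS):
        print(f"{ts}  {ip:<16} {ua:<36} {'; '.join(reasons)}")
```

On the constructed sample this reports three of the five events. The last one matters most: its IP is on no list, only the user agent and the out-of-range use of the Drift app give it away, which is why the range check is worth more than the indicator lists on their own.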

Ripple Effects Across Industries

Initially treated as a Salesforce-specific issue, the breach’s scope widened. The Drift Email integration exposed a limited set of Google Workspace accounts, only those explicitly connected to Drift. The Salesloft platform itself remained untouched, but out of caution password resets and token rotations were recommended there as well.

The impact hit hard: Cloudflare, Palo Alto Networks, Zscaler, PagerDuty, and Sophos were among the hundreds of organizations affected. This was never only a Salesforce problem. It exposed the fragility of interconnected SaaS tools, where a single third-party integration holds tokens into every customer’s systems and becomes the weakest link.

Salesloft’s Response: Swift and Strategic

Salesloft did not sit idle. It isolated Drift’s infrastructure, took the app offline, and rotated compromised credentials. In the Salesloft environment, proactive threat hunts found no additional IOCs, and defenses were hardened against the attacker’s known tactics. Mandiant’s intelligence-driven scans, combined with event analysis, confirmed containment by early September 2025. Salesforce’s and Google’s cooperation in revoking tokens and disabling integrations further limited the damage.

The Salesloft Trust Portal and Salesforce advisories continue to provide real-time updates, keeping organizations informed as remediation progresses.

Locking Down Your Defenses

To shield against similar attacks, start by inventorying every integration connected to Drift in its admin settings; Salesforce is the headline, but any integration Drift held a token for should be treated as exposed. In Salesforce, review the Drift connected app’s activity for unusual patterns, focusing on logins from unexpected IP ranges and on the volume and shape of API queries. If you have Event Monitoring, use its login and API event logs; if not, Login History and the Setup Audit Trail are available in every org. Use a secret scanner such as TruffleHog on the data that could have been read, so you know which AWS, Snowflake, or other credentials to rotate.

Immediate actions include:

  • Revoking and rotating all API keys, tokens, and passwords linked to Drift integrations, in Salesforce and in every other connected system.
  • Resetting user account passwords.
  • Tightening Salesforce session timeouts to limit how long a hijacked session stays usable (note that this does not expire OAuth refresh tokens; revoke those under Connected Apps OAuth Usage).
  • Restricting each connected app’s OAuth scopes to the minimum it needs.
  • Enforcing IP restrictions on connected apps and defining trusted login IP ranges for users.
  • Removing the “API Enabled” permission from profiles and granting it only via permission sets to the users who need it.
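The secret scan recommended above, and the credential harvesting described in the playbook section, as an added example (not code from the article, Mandiant, or the TruffleHog project): it applies the kind of check TruffleHog automates to exported Salesforce case text, so you can see which credential types are now exposed and need rotation. The patterns cover AWS access key IDs (the “AKIA” prefix; temporary “ASIA” keys are added as an assumption), Snowflake account URLs used as a locator for Snowflake credentials (an assumption, since Snowflake tokens have no fixed shape to match), custom Salesforce login URLs, and pasted “password:” values. The sample cases are constructed, and the key is AWS’s documented example key, not a live credential.

```python
"""Secret scan over exported Salesforce case text.

Added example, not code from the article, Mandiant or TruffleHog.
SAMPLE_CASES is constructed; the AWS key is AWS's documented example key.
"""
import re

PATTERNS = {
    # AWS access key IDs are 20 characters: a 4-char prefix plus 16 of [0-9A-Z].
    # ASIA (temporary credentials) is included as an assumption beyond the article.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # Assumption: account URLs locate Snowflake credentials; tokens have no fixed shape.
    "snowflake_account_url": re.compile(r"\b[\w-]+\.snowflakecomputing\.com\b", re.I),
    "salesforce_login_url": re.compile(r"\bhttps?://[\w-]+\.my\.salesforce\.com\b", re.I),
    # Group 1 captures the value so only the secret, not the label, is reported.
    "password_assignment": re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)", re.I),
}

SAMPLE_CASES = [  # constructed, not real customer data
    {"CaseNumber": "00001001",
     "Description": "Customer cannot connect. Their key AKIAIOSFODNN7EXAMPLE is rejected."},
    {"CaseNumber": "00001002",
     "Description": "Warehouse at acme-prod.snowflakecomputing.com; password: Winter2025! for svc_etl"},
    {"CaseNumber": "00001003",
     "Description": "Login via https://acme.my.salesforce.com works fine for the admin user"},
    {"CaseNumber": "00001004",
     "Description": "Ticket about invoice formatting, nothing sensitive here."},
]


def redact(value):
    """Keep enough of the value to triage it without reproducing the secret."""
    if len(value) <= 8:
        return value[:2] + "***"
    return value[:6] + "***" + value[-2:]


def scan_text(text):
    """Return (pattern_name, redacted_value) for each secret found in text."""
    findings = []
    for name, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(1) if pattern.groups else match.group(0)
            findings.append((name, redact(value)))
    return findings


def scan_cases(cases):
    """Map case number -> findings, omitting cases with nothing sensitive."""
    report = {}
    for case in cases:
        findings = scan_text(case["Description"])
        if findings:
            report[case["CaseNumber"]] = findings
    return report


def rotation_list(report):
    """Credential types that turned up at all: treat each as exposed and rotate."""
    return sorted({name for findings in report.values() for name, _ in findings})


if __name__ == "__main__":
    report = scan_cases(SAMPLE_CASES)
    for case_number, findings in report.items():
        for name, value in findings:
            print(f"case {case_number}: {name} = {value}")
    print("rotate:", ", ".join(rotation_list(report)))
```

The report only ever carries redacted values, so it can be pasted into a ticket without re-leaking the secret; the rotation list is what the incident owner actually needs, since a credential that appeared in any exfiltrated case has to be rotated regardless of how many times it showed up.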

Cybersecurity experts stress that this breach highlights the growing threat of supply chain attacks in cloud ecosystems. Adopting zero-trust principles, regularly auditing third-party apps, and investing in real-time monitoring are non-negotiable for staying ahead of actors like UNC6395. As Mandiant’s findings suggest, proactive threat hunting and rapid response can turn a potential disaster into a manageable incident.

Author

Editorial Team
The Editorial Team at Security Land is comprised of experienced professionals dedicated to delivering insightful analysis, breaking news, and expert perspectives on the ever-evolving threat landscape
