
Google’s Threat Intelligence Group has identified a surge in social engineering attacks targeting multinational corporations through their Salesforce environments. The threat actor, tracked as UNC6040, impersonates IT support in phone calls (vishing) to talk employees into authorizing a modified version of Salesforce’s Data Loader as a connected app, which the attackers then use to query and export data. This campaign, linked to the loosely organized cybercrime collective known as *The Com*, has compromised approximately 20 organizations across the education, hospitality, and retail sectors in the Americas and Europe [1].
Attack Methodology
UNC6040’s campaign exploits no vulnerability in Salesforce itself; it abuses the legitimate OAuth connected-app authorization flow. Once a victim approves the attacker’s app, it holds an OAuth token carrying the victim’s API permissions and is used to exfiltrate sensitive data, including CRM records, contacts, and order details. After initial access, the attackers use harvested credentials to pivot into Okta, Microsoft 365, and Workplace for lateral movement. The group claims affiliation with *ShinyHunters*, most likely to add pressure, and its extortion demands often arrive months after the intrusion, which complicates attribution [1, 2].
Recent breaches show the same pattern. In the May 2025 Coca-Cola Europacific Partners incident, attackers claimed to have taken 23 million records from Salesforce CRM data, and reporting on the Samsung Germany breach describes similar credential-theft tactics, pointing to a broader trend of credential theft and OAuth abuse against CRM platforms [3].
Mitigation and Technical Controls
Salesforce’s February 2025 advisory recommends enforcing Multi-Factor Authentication (MFA) and login IP restrictions, particularly for high-privilege accounts. Organizations should audit connected apps, enforce least-privilege access (in particular the "API Enabled" permission and the permission sets that allow Data Loader), and watch for anomalies such as bulk API exports and unfamiliar connected apps with Shield Event Monitoring. Disabling unused connected apps, setting connected-app policies so that only admin-approved users are pre-authorized, and restricting who can run Data Loader are the most direct ways to shrink the attack surface [4].
| Recommendation | Implementation |
|---|---|
| MFA enforcement | Enable MFA for all Salesforce users, especially admins |
| IP restrictions | Limit logins to corporate IP ranges (login IP ranges on profiles) |
| Connected app audits | Review OAuth scopes and authorized connected apps monthly; revoke unused tokens |
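The detection side of the controls above, as an added example that is not code from Google’s report or from Salesforce: it applies the two signals this page describes, OAuth authorization of a connected app that is not admin-approved (the Data Loader abuse in the attack methodology section) and an OAuth login from outside the corporate IP ranges, to login records. It assumes records shaped like the Salesforce `LoginHistory` object (`Application`, `LoginType`, `SourceIp`, `Status`, `UserId`, `LoginTime`) as exported by SOQL or Shield Event Monitoring; the approved-app list, the corporate CIDR ranges and the sample rows are constructed for the example.

```python
"""Flag suspicious OAuth connected-app logins in Salesforce login records.

Added example for this page; it is not code from Google's report or from
Salesforce. It assumes records shaped like the Salesforce LoginHistory
object (Application, LoginType, SourceIp, Status, UserId, LoginTime), as
exported by SOQL or Shield Event Monitoring. The approved-app list, the
corporate CIDR ranges and the sample rows are constructed for the example.
"""
import ipaddress
from collections import defaultdict

# Connected apps an admin has pre-authorized (assumption: tailor to your org).
APPROVED_APPS = {"Salesforce for Outlook", "Data Loader"}

# Corporate egress ranges used for login IP restrictions (constructed).
CORPORATE_NETS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# LoginType value Salesforce records for OAuth 2.0 connected-app logins;
# confirm against your own LoginHistory data before relying on it.
OAUTH_LOGIN_TYPE = "Remote Access 2.0"


def is_corporate_ip(ip: str) -> bool:
    """True if the address falls inside one of the corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def classify_login(rec: dict) -> list:
    """Return the reasons an OAuth login looks suspicious; empty means clean."""
    reasons = []
    # Only successful OAuth connected-app sessions matter for this rule;
    # browser logins and failed attempts belong to other detections.
    if rec.get("Status") != "Success" or rec.get("LoginType") != OAUTH_LOGIN_TYPE:
        return reasons
    app = rec.get("Application", "")
    if app not in APPROVED_APPS:
        reasons.append(f"connected app '{app}' is not admin-approved")
    # A vished user authorizes an attacker-controlled app; a name that mimics
    # Data Loader but is not the real one is a strong signal.
    if "loader" in app.lower() and app != "Data Loader":
        reasons.append("app name mimics Data Loader")
    if not is_corporate_ip(rec["SourceIp"]):
        reasons.append(f"OAuth login from non-corporate IP {rec['SourceIp']}")
    return reasons


def find_suspicious(records: list) -> dict:
    """Group flagged logins by user so an analyst gets one alert per account."""
    alerts = defaultdict(list)
    for rec in records:
        reasons = classify_login(rec)
        if reasons:
            alerts[rec["UserId"]].append(
                {"time": rec["LoginTime"], "app": rec["Application"], "reasons": reasons}
            )
    return dict(alerts)


# Constructed sample records, not real login data.
SAMPLE_LOGINS = [
    {"UserId": "005A1", "Application": "Data Loader", "LoginType": "Remote Access 2.0",
     "SourceIp": "203.0.113.25", "Status": "Success", "LoginTime": "2025-05-02T09:14:00Z"},
    {"UserId": "005B2", "Application": "Data Loader Portal", "LoginType": "Remote Access 2.0",
     "SourceIp": "192.0.2.77", "Status": "Success", "LoginTime": "2025-05-02T10:03:00Z"},
    {"UserId": "005C3", "Application": "Browser", "LoginType": "Application",
     "SourceIp": "192.0.2.10", "Status": "Success", "LoginTime": "2025-05-02T10:10:00Z"},
    {"UserId": "005D4", "Application": "Data Loader", "LoginType": "Remote Access 2.0",
     "SourceIp": "192.0.2.5", "Status": "Success", "LoginTime": "2025-05-02T11:42:00Z"},
    {"UserId": "005D4", "Application": "Data Loader", "LoginType": "Remote Access 2.0",
     "SourceIp": "192.0.2.5", "Status": "Failure", "LoginTime": "2025-05-02T11:40:00Z"},
]

if __name__ == "__main__":
    for user, hits in find_suspicious(SAMPLE_LOGINS).items():
        for hit in hits:
            print(user, hit["time"], hit["app"], "; ".join(hit["reasons"]))
```

On the sample data the script raises one alert for the user who authorized the lookalike app from an outside address (three reasons) and one for the user running the genuine Data Loader from a non-corporate IP; the browser login and the failed attempt are ignored. In production the same rule is better expressed as a scheduled SOQL query over `LoginHistory` or as a transaction security policy on `LoginEvent`, but the logic is the same.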
Related Vulnerabilities and Trends
Salesforce-themed phishing attacks rose by 109% in 2024, with attackers using obfuscated URLs and compromised sender domains [5]. Tableau, a Salesforce subsidiary, patched critical vulnerabilities in late 2024, including broken row-level access controls (CVSS 9.1) and a local file inclusion flaw in Flow Editor [6].
Chatbot deployments add further risk to Salesforce ecosystems: script poisoning and unencrypted chat logs expose conversation data, and unsanitized chatbot input that reaches a database or credential store can lead to SQL injection or credential hijacking. Strict input validation, parameterized queries, and encryption of logs at rest are the baseline controls [7].
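The SQL injection path described above, as an added example that is not taken from the page or its sources: a support bot that looks up an order by the id a user typed, once built by string formatting and once with input validation plus parameter binding. The orders table, the order-id format and the attacker message are constructed here; the pattern applies to any chatbot that turns user text into a query.

```python
"""Chatbot order lookup: an injectable query next to its hardened form.

Added example, not taken from the page or its sources. The orders table,
the support-bot lookup and the attacker input are constructed here.
"""
import re
import sqlite3

ORDER_ID_RE = re.compile(r"^[A-Z]\d{3}$")  # constructed order-id format for this demo


def make_db() -> sqlite3.Connection:
    """In-memory table standing in for a CRM orders store (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id TEXT PRIMARY KEY, customer TEXT, total REAL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", [
        ("A100", "alice@example.com", 42.00),
        ("B200", "bob@example.com", 99.50),
        ("C300", "carol@example.com", 15.25),
    ])
    return conn


def lookup_vulnerable(conn, order_id: str) -> list:
    """Builds SQL by string formatting: the chat text becomes part of the query."""
    sql = f"SELECT id, customer FROM orders WHERE id = '{order_id}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, order_id: str) -> list:
    """Validates the shape of the input, then binds it as a parameter."""
    if not ORDER_ID_RE.match(order_id):
        return []  # reject anything that is not a well-formed order id
    return conn.execute(
        "SELECT id, customer FROM orders WHERE id = ?", (order_id,)
    ).fetchall()


# A chat message crafted to close the quote and make the WHERE clause always true.
ATTACK_INPUT = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, ATTACK_INPUT))  # every customer's row
    print("safe:", lookup_safe(db, ATTACK_INPUT))              # nothing
```

The vulnerable lookup returns every customer for the crafted message because the injected `OR '1'='1'` makes the predicate true for all rows; the hardened version rejects it at validation and, even for input that passes the regex, binds the value as data rather than SQL, so the two controls back each other up.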
Conclusion
The UNC6040 campaign underscores the need for layered defenses against social engineering and OAuth abuse. Employee training on IT-support impersonation, MFA, connected-app governance, and log monitoring reduce the risk. After a suspected compromise, organizations should assume that credentials and OAuth tokens are in the attacker’s hands, revoke the tokens, and rotate keys and passwords immediately.
References
1. Google Threat Intelligence, “Voice Phishing and Data Extortion,” 2025.
2. CSO Online, “Salesforce OAuth Abuse Trends,” 2025.
3. Cybernews, “Coca-Cola Europacific Partners Breach,” 2025.
4. Salesforce Security Advisory, Feb 2025.
5. Egress Report, “Salesforce Phishing Increase,” 2024.
6. Tableau Security Advisory, Nov 2024.
7. Quora, “Chatbot Security Risks,” 2025.