
UNC6040 Hacks Salesforce Via Vishing And Malicious Data Loader Apps, Google Warns



A new Google Cloud Threat Intelligence report has revealed a sophisticated vishing campaign targeting Salesforce environments, enabling large-scale data theft and extortion. The operation, attributed to threat cluster UNC6040, leverages modified versions of Salesforce’s Data Loader and malicious connected apps to compromise organisations—without exploiting any Salesforce vulnerabilities.

According to Google, attackers impersonate IT support on live calls, directing users to approve unauthorised Data Loader apps via Salesforce’s connected app interface. These apps, often disguised with innocuous names like “My Ticket Portal,” grant direct access to sensitive CRM data.

No legitimate Salesforce systems are compromised in the attacks; instead, the bad actors exploit end-user trust to gain access and then infiltrate other systems.

Once initial access is secured, attackers use harvested credentials to move laterally into platforms such as Okta and Microsoft 365. In some cases, exfiltration went undetected for months before extortion attempts occurred—sometimes under the banner of groups like ShinyHunters.

UNC6040’s infrastructure included Okta phishing panels and commercial VPN services such as Mullvad. The group’s techniques overlap with those seen in campaigns linked to “The Com”, a loosely affiliated cybercriminal collective.

Google’s Threat Intelligence Group (GTIG) advises defenders to implement strict access controls, limit API privileges, and use Salesforce Shield for anomaly detection. IP-based restrictions and rigorous connected-app allowlisting are also critical, given the threat actors’ reliance on human manipulation rather than technical exploits.

“This campaign demonstrates how modern attackers exploit trust and routine admin functions to bypass even hardened cloud environments,” GTIG noted.

© Scoop Media