FBI Warns of Salesforce Attacks by UNC6040 and UNC6395


341/68 Monday, September 15, 2025

The U.S. Federal Bureau of Investigation (FBI) has issued a Flash Alert warning of ongoing cyberattacks by two groups, UNC6040 and UNC6395, which are increasingly targeting the Salesforce platform. The primary objective of these campaigns is to steal sensitive organizational data and conduct extortion. The alert also includes Indicators of Compromise (IoCs) for organizations to use in detection and defense.

Since early 2025, UNC6040 has been observed using vishing and social engineering techniques, impersonating IT support staff to trick employees (particularly call center personnel) into approving the connection of malicious applications, such as a tampered version of Salesforce Data Loader. Once access is granted, the attackers use the resulting OAuth tokens to bypass multi-factor authentication (MFA) and extract large volumes of data via Salesforce APIs, later sending extortion emails under the name ShinyHunters or affiliates such as Scattered Spider. Meanwhile, UNC6395 has employed a different approach, leveraging OAuth tokens stolen from the Salesloft Drift application to infiltrate Salesforce instances and exfiltrate data. This forced Salesloft to revoke all Drift tokens on August 20, 2025, to halt attacker access.

The FBI advises organizations using Salesforce and related systems to immediately strengthen their defenses. Recommended measures include training call center staff to recognize phishing and vishing attempts, enforcing MFA, applying the principle of least privilege to AAA systems, restricting access by IP address, monitoring API usage, reviewing logs and browser sessions, and regularly rotating API keys, credentials, and authentication tokens.
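Two of the recommended measures, monitoring API usage and restricting access by IP address, can be turned into a simple detection pass over API event logs. The example below is added here and is not from the FBI alert or the Salesforce product; the log records, field names, network ranges and thresholds are constructed assumptions, not the platform's real event-log schema. It flags a user whose bulk exports come from outside the organization's allowed ranges, whose total exported rows exceed a daily ceiling, or who performs bulk-sized pulls through a connected app that is not on the approved list, which is the pattern the alert describes (an unsanctioned Data Loader-like app pulling large volumes).

```python
"""Added detection example: flag bulk data extraction via Salesforce-style API logs.

All records, field names, networks and thresholds below are constructed
assumptions for illustration; they are not the real Salesforce event-log schema.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample API events (not real log data). Each record approximates
# one bulk/API call: who, from where, through which connected app, how many rows.
SAMPLE_EVENTS = [
    {"ts": "2025-09-01T09:00:00Z", "user": "alice@example.com", "client_ip": "10.20.0.15",
     "app": "Salesforce for Outlook", "object": "Contact", "rows": 40},
    {"ts": "2025-09-01T09:05:00Z", "user": "bob@example.com", "client_ip": "10.20.0.22",
     "app": "Data Loader", "object": "Account", "rows": 2000},
    {"ts": "2025-09-01T09:06:00Z", "user": "bob@example.com", "client_ip": "10.20.0.22",
     "app": "Data Loader", "object": "Account", "rows": 1500},
    {"ts": "2025-09-01T10:30:00Z", "user": "dave@example.com", "client_ip": "10.20.1.7",
     "app": "Unknown Connected App", "object": "Contact", "rows": 5000},
    {"ts": "2025-09-01T21:10:00Z", "user": "carol@example.com", "client_ip": "203.0.113.45",
     "app": "Data Loader", "object": "Contact", "rows": 50000},
    {"ts": "2025-09-01T21:12:00Z", "user": "carol@example.com", "client_ip": "203.0.113.45",
     "app": "Data Loader", "object": "Lead", "rows": 48000},
    {"ts": "2025-09-01T21:15:00Z", "user": "carol@example.com", "client_ip": "203.0.113.45",
     "app": "Data Loader", "object": "Opportunity", "rows": 30000},
]

# Assumed policy values: corporate egress ranges, apps sanctioned for bulk
# export, what counts as a "bulk-sized" single call, and a per-user daily ceiling.
ALLOWED_NETWORKS = [ip_network("10.20.0.0/16")]
APPROVED_BULK_APPS = {"Data Loader"}
BULK_CALL_ROWS = 1_000
DAILY_ROW_THRESHOLD = 100_000


def ip_allowed(ip: str, networks=ALLOWED_NETWORKS) -> bool:
    """True if the client IP falls inside one of the allowed ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in networks)


def analyse(events, daily_threshold=DAILY_ROW_THRESHOLD):
    """Aggregate API activity per user and return only users with findings.

    Each finding carries the total rows pulled, the source IPs, the connected
    apps and objects involved, and a set of reason codes:
      off_network_ip      - a call came from outside ALLOWED_NETWORKS
      unapproved_bulk_app - a bulk-sized call came through an unapproved app
      bulk_volume         - total rows for the user crossed the daily ceiling
    """
    per_user = defaultdict(lambda: {"rows": 0, "ips": set(), "apps": set(),
                                    "objects": set(), "reasons": set()})
    for ev in events:
        rec = per_user[ev["user"]]
        rec["rows"] += ev["rows"]
        rec["ips"].add(ev["client_ip"])
        rec["apps"].add(ev["app"])
        rec["objects"].add(ev["object"])
        if not ip_allowed(ev["client_ip"]):
            rec["reasons"].add("off_network_ip")
        if ev["rows"] >= BULK_CALL_ROWS and ev["app"] not in APPROVED_BULK_APPS:
            rec["reasons"].add("unapproved_bulk_app")
    for rec in per_user.values():
        if rec["rows"] >= daily_threshold:
            rec["reasons"].add("bulk_volume")
    return {user: rec for user, rec in per_user.items() if rec["reasons"]}


if __name__ == "__main__":
    for user, rec in analyse(SAMPLE_EVENTS).items():
        print(f"{user}: rows={rec['rows']} ips={sorted(rec['ips'])} "
              f"apps={sorted(rec['apps'])} reasons={sorted(rec['reasons'])}")
```

On the constructed sample, bob's on-network Data Loader use stays quiet, dave is flagged for a bulk-sized pull through an unapproved connected app, and carol is flagged both for exporting from an address outside the allowed ranges and for crossing the daily row ceiling. In production the thresholds would be tuned against the organization's own baseline, and the same per-user aggregation can be keyed on the OAuth connected app instead to spot newly authorized apps that immediately start exporting.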

Source: https://securityaffairs.com/182159/cyber-crime/fbi-warns-of-salesforce-attacks-by-unc6040-and-unc6395-groups.html