The Federal Bureau of Investigation (FBI), in coordination with DHS/CISA, has released a new FLASH Alert (FLASH-20250912-001) warning organizations of two cybercriminal groups—UNC6040 and UNC6395—actively compromising Salesforce instances to steal sensitive data and extort victims.
According to the alert, “Both groups have recently been observed targeting organizations’ Salesforce platforms via different initial access mechanisms.” The FBI urges enterprises to review the provided indicators of compromise (IOCs) and strengthen defenses.
Since late 2024, UNC6040 has relied on voice phishing (vishing) campaigns to trick call center employees into sharing Salesforce credentials. The actors often impersonate IT support staff to create a sense of urgency.
The alert explains, “UNC6040 threat actors commonly call victims’ call centers posing as IT support employees… Under the guise of closing an auto-generated ticket, UNC6040 actors trick customer support employees into taking actions that grant the attackers access.”
Key tactics include:
- Credential Harvesting – Directly requesting usernames, passwords, and MFA codes.
- API Exploitation – Using Salesforce Data Loader to exfiltrate bulk customer records.
- Malicious Connected Apps – Deceiving victims into authorizing rogue OAuth applications, which bypass MFA and appear as legitimate integrations.
The FBI notes, “Authorizing a malicious connected app bypasses many traditional defenses such as MFA, password resets, and login monitoring.”
Some UNC6040 victims later received extortion emails allegedly from the ShinyHunters group, demanding cryptocurrency payments to prevent data leaks.
Meanwhile, UNC6395 has been running a parallel campaign using compromised OAuth tokens linked to Salesloft Drift, an AI chatbot integrated with Salesforce.
“In August of 2025, UNC6395 threat actors exploited compromised OAuth tokens for the Salesloft Drift application… Using the compromised OAuth tokens and third-party app integration, UNC6395 threat actors were able to compromise victims’ Salesforce instances and exfiltrate data.”
On August 20, 2025, Salesforce and Salesloft revoked all active Drift tokens, cutting off unauthorized access.
The FLASH alert includes extensive IP addresses, URLs, and user-agent strings tied to both groups. Among the indicators listed are:
- login[.]salesforce[.]com/setup/connect (malicious app authorization page)
- IPs such as 185.141.119.136, 146.70.165.47, and 192.42.116.179
The FBI cautions defenders that these indicators “may not be indicative of a compromise” by themselves, but should be correlated with broader network activity.
The FBI outlines several defensive measures organizations should take immediately:
- Train call center staff to detect vishing attempts.
- Deploy phishing-resistant MFA across all critical services.
- Apply least-privilege access controls using AAA (authentication, authorization, accounting).
- Monitor API usage and OAuth integrations for anomalous behavior.
- Rotate API keys and tokens for all third-party applications.
- Log and analyze network traffic for data exfiltration patterns.
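As an added illustration of the last three measures and of the FBI's caveat that an indicator match "may not be indicative of a compromise" on its own, the following Python triage script groups simplified API events per user and escalates only when an IoC IP hit is corroborated by a second signal (bulk export, a new connected-app authorization, or a Data Loader user agent). This is example code written for this article, not code from the FBI alert, Salesforce, or Salesloft; the CSV layout, usernames, non-IoC IP addresses, row counts, and the 100,000-row threshold are constructed, and only the three IP addresses are taken from the alert summary above.

```python
"""Constructed example: correlating IoC hits with bulk-export activity."""
import csv
from collections import defaultdict
from io import StringIO

# The three IoC IP addresses quoted from the FLASH alert summary above.
IOC_IPS = {"185.141.119.136", "146.70.165.47", "192.42.116.179"}

# Constructed sample events in a simplified CSV layout (this is NOT Salesforce's
# own event-log schema). Columns: timestamp, user, event, client_ip, user_agent, rows
SAMPLE_LOG = """\
timestamp,user,event,client_ip,user_agent,rows
2025-09-10T08:01:00Z,agent42,Login,203.0.113.5,Mozilla/5.0,0
2025-09-10T08:05:12Z,agent42,ConnectedAppAuthorize,203.0.113.5,Mozilla/5.0,0
2025-09-10T08:07:40Z,agent42,BulkApi,185.141.119.136,Salesforce Data Loader/60.0,250000
2025-09-10T08:09:03Z,agent42,BulkApi,185.141.119.136,Salesforce Data Loader/60.0,180000
2025-09-10T09:15:00Z,integration_drift,ApiCall,146.70.165.47,python-requests/2.31,0
2025-09-10T09:16:00Z,integration_drift,BulkApi,146.70.165.47,python-requests/2.31,400000
2025-09-10T10:00:00Z,analyst7,Login,198.51.100.9,Mozilla/5.0,0
2025-09-10T10:02:00Z,analyst7,BulkApi,198.51.100.9,Salesforce Data Loader/60.0,5000
2025-09-10T11:00:00Z,agent13,Login,198.51.100.22,Mozilla/5.0,0
"""

# Constructed threshold; in practice derive it from the org's normal export volume.
BULK_ROWS_THRESHOLD = 100_000


def parse_events(text):
    """Parse the simplified CSV log into a list of dicts with integer row counts."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["rows"] = int(r["rows"])
    return rows


def signals_for_user(events):
    """Return the list of suspicious signals observed across one user's events."""
    reasons = []
    if any(e["client_ip"] in IOC_IPS for e in events):
        reasons.append("ioc_ip")
    bulk = sum(e["rows"] for e in events if e["event"] == "BulkApi")
    if bulk >= BULK_ROWS_THRESHOLD:
        reasons.append(f"bulk_export:{bulk}")
    if any(e["event"] == "ConnectedAppAuthorize" for e in events):
        reasons.append("new_connected_app")
    if any("Data Loader" in e["user_agent"] for e in events):
        reasons.append("data_loader_ua")
    return reasons


def triage(text):
    """Map each user to (level, reasons) where level is escalate, review, or none."""
    by_user = defaultdict(list)
    for e in parse_events(text):
        by_user[e["user"]].append(e)
    results = {}
    for user, evs in by_user.items():
        reasons = signals_for_user(evs)
        # An IoC match alone is not treated as a compromise (the alert's caveat);
        # it is escalated only when corroborated by at least one other signal.
        if "ioc_ip" in reasons and len(reasons) >= 2:
            level = "escalate"
        elif reasons:
            level = "review"
        else:
            level = "none"
        results[user] = (level, reasons)
    return results


if __name__ == "__main__":
    for user, (level, reasons) in triage(SAMPLE_LOG).items():
        print(f"{user:18s} {level:9s} {', '.join(reasons) or '-'}")
```

Run as-is it prints one line per user: the call-center account that authorized a connected app and then bulk-exported from an IoC address, and the integration account pulling 400,000 rows from another IoC address, both escalate; the analyst using Data Loader for a small export is only queued for review, and the clean login is ignored. Feeding real exports into `parse_events` means mapping your platform's field names onto the six columns used here.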