The Federal Bureau of Investigation (FBI), in coordination with DHS/CISA, has released a new FLASH Alert (FLASH-20250912-001) warning organizations of two cybercriminal groups, UNC6040 and UNC6395, that are actively compromising Salesforce instances to steal sensitive data and extort victims.
According to the alert, "Both groups have recently been observed targeting organizations' Salesforce platforms via different initial access mechanisms." The FBI urges enterprises to review the provided indicators of compromise (IOCs) and strengthen defenses.
Since late 2024, UNC6040 has relied on voice phishing (vishing) campaigns to trick call center employees into sharing Salesforce credentials. The actors often impersonate IT support staff to create a sense of urgency.
The alert explains, "UNC6040 threat actors commonly call victims' call centers posing as IT support employees... Under the guise of closing an auto-generated ticket, UNC6040 actors trick customer support employees into taking actions that grant the attackers access."
Key tactics include:
- Credential Harvesting: directly requesting usernames, passwords, and MFA codes.
- API Exploitation: using Salesforce Data Loader to exfiltrate bulk customer records.
- Malicious Connected Apps: deceiving victims into authorizing rogue OAuth applications, which bypass MFA and appear as legitimate integrations.
The FBI notes, "Authorizing a malicious connected app bypasses many traditional defenses such as MFA, password resets, and login monitoring."
Some UNC6040 victims later received extortion emails allegedly from the ShinyHunters group, demanding cryptocurrency payments to prevent data leaks.
Meanwhile, UNC6395 has been running a parallel campaign using compromised OAuth tokens linked to Salesloft Drift, an AI chatbot integrated with Salesforce.
"In August of 2025, UNC6395 threat actors exploited compromised OAuth tokens for the Salesloft Drift application... Using the compromised OAuth tokens and third-party app integration, UNC6395 threat actors were able to compromise victims' Salesforce instances and exfiltrate data."
On August 20, 2025, Salesforce and Salesloft revoked all active Drift tokens, cutting off unauthorized access.
The FLASH alert includes an extensive list of IP addresses, URLs, and user-agent strings tied to both groups. Among the indicators are:
- login[.]salesforce[.]com/setup/connect (malicious app authorization page)
- IPs such as 185.141.119.136, 146.70.165.47, and 192.42.116.179
The FBI cautions defenders that these indicators "may not be indicative of a compromise" by themselves, but should be correlated with broader network activity.
The FBI outlines several defensive measures organizations should take immediately:
- Train call center staff to detect vishing attempts.
- Deploy phishing-resistant MFA across all critical services.
- Apply least-privilege access controls using AAA (authentication, authorization, accounting).
- Monitor API usage and OAuth integrations for anomalous behavior.
- Rotate API keys and tokens for all third-party applications.
- Log and analyze network traffic for data exfiltration patterns.
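As an added illustration of the API-monitoring and IOC-correlation recommendations above (example code written for this article, not part of the FBI alert or any Salesforce tooling), the script below runs two checks over a constructed, simplified API-activity log: a source-IP match against the three addresses quoted above, and a sliding-window bulk-export heuristic per user and connected app. The log layout, field names and row threshold are assumptions.

```python
"""Detection heuristic (added example, not from the FBI FLASH): flag Salesforce
API activity that matches the published IOC IPs or shows bulk-export behaviour
from a connected app such as Data Loader or Salesloft Drift."""
from collections import defaultdict
from datetime import datetime, timedelta

# The three IPs quoted in the article. Tune the threshold to the org's baseline.
FLASH_IOC_IPS = {"185.141.119.136", "146.70.165.47", "192.42.116.179"}
BULK_ROWS_THRESHOLD = 50_000          # assumption: rows per user/app per window
WINDOW = timedelta(minutes=30)


def parse(line):
    # Constructed format: timestamp|user|source_ip|connected_app|operation|rows
    ts, user, ip, app, op, rows = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
            "app": app, "op": op, "rows": int(rows)}


def detect(lines):
    """Return alert tuples: ('ioc_ip', user, ip) or ('bulk_export', user, app, rows)."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    alerts, per_app = [], defaultdict(list)
    for e in events:
        if e["ip"] in FLASH_IOC_IPS:
            alerts.append(("ioc_ip", e["user"], e["ip"]))
        if e["op"] in ("query", "bulk_query"):
            bucket = per_app[(e["user"], e["app"])]
            bucket.append(e)
            # Drop events that fell out of the sliding window.
            while bucket and e["ts"] - bucket[0]["ts"] > WINDOW:
                bucket.pop(0)
            total = sum(x["rows"] for x in bucket)
            if total >= BULK_ROWS_THRESHOLD:
                alerts.append(("bulk_export", e["user"], e["app"], total))
                bucket.clear()    # one alert per burst, not one per event
    return alerts


# Constructed sample log: a Drift integration pulling 55k rows in 10 minutes,
# and a Data Loader session from one of the FLASH-listed IPs.
SAMPLE = [
    "2025-08-18T09:00:00|svc.drift@corp.example|203.0.113.10|Salesloft Drift|bulk_query|30000",
    "2025-08-18T09:10:00|svc.drift@corp.example|203.0.113.10|Salesloft Drift|bulk_query|25000",
    "2025-08-18T09:12:00|alice@corp.example|198.51.100.7|Data Loader|query|200",
    "2025-08-18T09:15:00|bob@corp.example|185.141.119.136|Data Loader|query|40000",
    "2025-08-18T11:00:00|bob@corp.example|198.51.100.8|Data Loader|query|40000",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Bob's two 40k-row pulls are 1h45 apart, so they never share a window and only the IOC-IP match fires for him; the Drift account trips the bulk threshold within one window.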