
Google Salesforce Breach: A Deep dive into the chain and extent of the compromise

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY:

In June 2025, Google's Salesforce instance was breached by UNC6040 & UNC6240 using vishing, OAuth app abuse, and anonymity layers. The attackers stole business data of small and medium-sized clients. A parallel attack by UNC6395 compromised Salesloft Drift's Salesforce integration, affecting hundreds of customers. Both incidents involved sophisticated social engineering, OAuth token abuse, and data exfiltration via TOR. The attacks are linked to the ShinyHunters group and share similarities with other high-profile breaches targeting various industries. The incidents highlight vulnerabilities in SaaS environments and the need for improved security measures, including OAuth governance, identity management, and proactive monitoring.

OPENCTI LABELS:

social engineering, data exfiltration, tor, vishing, cloud security, oauth, salesforce, saas security


AI COMMENTARY:

1. In June 2025, a sophisticated attack chain unfolded against Google's Salesforce environment as UNC6040 and UNC6240 used vishing to bait unsuspecting employees into granting access. The threat actors exploited human weaknesses through carefully crafted voice-phishing campaigns, using social engineering to obtain credentials and manipulate targets into approving malicious OAuth applications. The abuse of OAuth tokens allowed the adversaries to bypass multi-factor authentication and gain persistent entry points into the cloud infrastructure.

2. Once inside the Salesforce instance, the attackers leveraged anonymity layers, routing their exfiltration traffic over the TOR network to obscure their activity and evade detection. They systematically harvested business data belonging to hundreds of small and medium-sized clients, consolidating sensitive customer records, partnership agreements, and financial projections. In parallel, UNC6395 executed an analogous assault on Salesloft Drift's Salesforce integration, compromising data belonging to hundreds of additional organizations and amplifying the overall impact of the campaign.

3. The two breaches share a common thread: the strategic manipulation of OAuth governance controls. By registering rogue applications within the SaaS environment, the adversaries obtained broad API permissions that allowed them to query and extract data at scale. This technique underscores the critical role of cloud security policies in constraining token lifetimes, enforcing least-privilege entitlements, and continuously vetting third-party application authorizations to prevent unauthorized data access.

4. Analysis of the forensic artifacts and TOR exit node logs suggests a link to the ShinyHunters group, known for high-profile exfiltration campaigns across multiple industries. The resemblance to previous incidents, where attackers combined social engineering, OAuth abuse, and encrypted command channels, reveals a recurrent playbook that defenders must anticipate. The use of anonymity networks for data staging and extraction not only complicates attribution but also demands proactive monitoring of outbound connections and anomaly detection within SaaS platforms.

5. These incidents highlight systemic vulnerabilities in modern SaaS deployments. Critical gaps in identity management, inter-service trust, and application oversight facilitated the breach. Organizations relying on cloud-based CRM systems must re-evaluate their security posture, ensuring that administrative approvals for OAuth apps are subject to stringent review processes and that continuous audit trails capture every consent event and API invocation.

6. To bolster resilience against similar threats, security teams should implement granular OAuth token policies that enforce scope restrictions and automatic revocation of idle tokens. Integrating behavioral analytics can surface irregular data queries and exfiltration patterns, while threat intelligence feeds focused on TOR exit nodes can pre-emptively flag suspicious outbound channels. Regular vishing simulations and targeted user training will also harden human defenders against social-engineering tactics.
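The detection logic sketched in point 6 can be expressed as a correlation rule over SaaS API events: a fresh OAuth consent for a connected app, followed shortly by a bulk query through that same app, or any API call arriving from a known TOR exit. The script below is an added example, not code from the report or from Salesforce; the log format, field names, sample events and the TOR exit list are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified key=value format; NOT real Salesforce
# event-monitoring records (field names are assumptions made for this example).
SAMPLE_LOG = """\
2025-06-10T08:00:00Z user=bob event=BULK_API_QUERY app=NightlyReport rows=120 ip=198.51.100.9
2025-06-10T09:02:11Z user=alice event=OAUTH_CONSENT app=DataLoader-Lite ip=198.51.100.4
2025-06-10T09:40:00Z user=alice event=BULK_API_QUERY app=DataLoader-Lite rows=250000 ip=203.0.113.7
2025-06-10T15:00:00Z user=carol event=BULK_API_QUERY app=NightlyReport rows=300 ip=198.51.100.9
"""
# Constructed placeholder for a TOR exit-node feed (documentation range, not a real exit).
TOR_EXITS = {"203.0.113.7"}


def parse(log_text):
    """Turn each key=value line into a dict with a parsed UTC timestamp."""
    events = []
    for line in log_text.splitlines():
        ts, *pairs = line.split()
        ev = dict(p.split("=", 1) for p in pairs)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        ev["rows"] = int(ev.get("rows", 0))
        events.append(ev)
    return events


def detect(events, tor_exits, window=timedelta(hours=2), row_threshold=10000):
    """Flag (a) API activity sourced from a TOR exit and (b) a new OAuth consent
    followed within `window` by a bulk query issued through the same app."""
    alerts = []
    consents = {}  # (user, app) -> time the app was authorized
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["app"])
        if ev["event"] == "OAUTH_CONSENT":
            consents[key] = ev["ts"]
        if ev["ip"] in tor_exits:
            alerts.append(("tor_egress", ev["user"], ev["app"], ev["ip"]))
        if ev["event"] == "BULK_API_QUERY" and ev["rows"] >= row_threshold:
            granted = consents.get(key)
            if granted is not None and ev["ts"] - granted <= window:
                alerts.append(("consent_then_bulk_export", ev["user"], ev["app"], ev["rows"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG), TOR_EXITS):
        print(alert)
```

On the sample data only alice's activity trips both rules; the routine report jobs stay quiet, which is the point of correlating consent with volume rather than alerting on bulk queries alone.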

7. In an era where cloud security intersects with evolving adversary tradecraft, the Google Salesforce and Salesloft Drift breaches serve as a stark reminder that robust OAuth governance, identity management, and proactive monitoring are non-negotiable. By learning from the combined playbook of UNC6040, UNC6240, and UNC6395, organizations can elevate their threat detection capabilities, reinforce their SaaS security frameworks, and ultimately safeguard their critical data from future incursions.
