Threat Actor Campaigns Targeting Salesforce: Third-Party Chaos and Data Abuse
Salesforce Under Siege: The Rise of Third-Party Compromise Campaigns
Over the past year, a series of campaigns by multiple threat actor groups has put Salesforce customers in the crosshairs. These attacks, leveraging weak integrations, misconfigured third-party apps, and stolen credentials, highlight how quickly trust in cloud CRMs can be weaponized. The chaos caused by these compromises underscores a sobering truth: the data you entrust to a SaaS vendor is only as safe as the ecosystem around it.
🎯 The Purpose Behind the Campaigns
Threat actors are pursuing Salesforce environments for two main reasons:
- Credential Harvesting and Identity Abuse: Attackers phish Salesforce users (admins and sales reps) with targeted lures. Once they gain access, they extract customer records, deal pipelines, and API tokens. These tokens are then resold or reused to infiltrate other linked services.
- Third-Party Application Compromise: Many enterprises rely on third-party chatbots, marketing automation, or integration tools. By compromising those apps, attackers inherit the trust relationships (OAuth tokens) that grant them broad data access inside Salesforce.
🚨 Real-World Case Study: The Salesloft Drift Breach
In August 2025, a massive supply-chain campaign emerged targeting Salesforce customers via a third-party integration. Attackers (tracked as UNC6395 by Google Threat Intelligence Group/Mandiant and as GRUB1 by Cloudflare) stole hundreds of OAuth tokens belonging to Salesloft's Drift chat-app integration and used them to plunder corporate Salesforce instances. Over a ten-day span (Aug. 8 to 18) the adversary automated data exfiltration at dozens of organizations, siphoning large volumes of records from Account, Contact, Case and other objects.
Importantly, no core Salesforce vulnerability was exploited: the breach stemmed from compromised Drift OAuth access and refresh tokens, which Salesforce had no reason to treat as anything but legitimate integration traffic. In response, Salesforce revoked all active Drift access and refresh tokens and the app was pulled from AppExchange.
The exfiltrated records were a means, not the end. The actor searched them for AWS access keys, passwords, Snowflake tokens and other secrets that customers had pasted into support cases and notes, turning one breached chatbot integration into a path to many downstream systems.
👥 Threat Actor Profile
The attacks have been attributed to a single campaign cluster, tracked as UNC6395 by Google Threat Intelligence Group/Mandiant and as GRUB1 by Cloudflare. Observed tradecraft:
- Used Python scripts (aiohttp, python-requests) to automate SOQL queries and Bulk API query jobs across many victim orgs.
- Deleted the Salesforce query jobs afterwards to hide tracks. Deleting a job does not remove the corresponding event log entries, so Event Monitoring still records the activity.
- Exploited OAuth trust (valid Drift tokens), not a flaw in Salesforce code.
Indicators of Compromise (IoCs) reported for the campaign include API logins carrying the User-Agent strings Python/3.11 aiohttp/3.12.15, python-requests/2.32.4, Salesforce-Multi-Org-Fetcher/1.0 and Salesforce-CLI/1.0, bulk SOQL queries against Account, Contact, Case, Opportunity and User objects, and access from data-center and Tor exit-node IP addresses. Treat the User-Agent strings as low-fidelity: an attacker changes them in one line of code, so pair them with the query-volume and source-IP signals rather than alerting on them alone.
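The hunt described above, written out as an added example (not code from the original page, Salesforce, Salesloft or Mandiant). It assumes login rows shaped like a Login event log file export with the columns TIMESTAMP, USER_NAME, SOURCE_IP, BROWSER_TYPE (the user-agent string) and API_TYPE, and Bulk API 2.0 job-info fields for the jobs; the trusted ranges, user names and every row are constructed for the example. It goes slightly beyond the single aiohttp indicator by checking all four reported user agents and by correlating bulk export volume per identity, which is the signal that survives a changed user agent.

```python
"""Hunt Salesforce login and Bulk API records for the campaign tradecraft above.

Added example; not code from the original page, Salesforce, Salesloft or Mandiant.
Assumptions: login rows mimic a Login EventLogFile CSV with the columns TIMESTAMP,
USER_NAME, SOURCE_IP, BROWSER_TYPE (the user-agent string) and API_TYPE; bulk jobs
mimic Bulk API 2.0 job-info fields. The trusted ranges, users and rows are constructed.
"""
import csv
import io
import ipaddress

# User-agent strings reported for this campaign. Low fidelity: an attacker changes
# them in one line, so they are corroborating signals, not proof on their own.
CAMPAIGN_USER_AGENTS = (
    "python/3.11 aiohttp/3.12.15",
    "python-requests/2.32.4",
    "salesforce-multi-org-fetcher/1.0",
    "salesforce-cli/1.0",
)

# Hypothetical corporate egress ranges (documentation TEST-NET blocks); replace with your own.
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample export: fictional users, documentation IP ranges.
SAMPLE_LOGINS = """TIMESTAMP,USER_NAME,SOURCE_IP,BROWSER_TYPE,API_TYPE
20250810031502.000,drift-integration@example.com,192.0.2.45,Python/3.11 aiohttp/3.12.15,Rest
20250810031504.000,drift-integration@example.com,192.0.2.45,Python/3.11 aiohttp/3.12.15,Bulk
20250810091200.000,alice@example.com,203.0.113.17,Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/128.0,
20250810101100.000,svc-marketing@example.com,198.51.100.9,Salesforce-Multi-Org-Fetcher/1.0,Rest
20250811020000.000,bob@example.com,203.0.113.22,Mozilla/5.0 (Macintosh) Safari/17.0,
"""

# Constructed Bulk API 2.0 job list. The actor deleted its query jobs, so an empty
# job list proves nothing; the Bulk API event log files are the durable record.
SAMPLE_BULK_JOBS = [
    {"id": "750x000000001", "operation": "query", "object": "Account",
     "createdBy": "drift-integration@example.com", "numberRecordsProcessed": 412_000},
    {"id": "750x000000002", "operation": "query", "object": "Contact",
     "createdBy": "drift-integration@example.com", "numberRecordsProcessed": 1_203_550},
    {"id": "750x000000003", "operation": "query", "object": "Case",
     "createdBy": "drift-integration@example.com", "numberRecordsProcessed": 88_000},
    {"id": "750x000000004", "operation": "insert", "object": "Lead",
     "createdBy": "svc-marketing@example.com", "numberRecordsProcessed": 1_500},
]


def is_trusted(ip: str) -> bool:
    """True when the source address falls inside one of the known egress ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def hunt_logins(csv_text: str) -> list[dict]:
    """One finding per login row that matches a campaign indicator, with the reasons."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        ua = row["BROWSER_TYPE"].strip().lower()
        if any(ua.startswith(known) for known in CAMPAIGN_USER_AGENTS):
            reasons.append("known campaign user-agent")
        if not is_trusted(row["SOURCE_IP"]):
            reasons.append("login from outside trusted ranges")
        if reasons:
            findings.append({"user": row["USER_NAME"], "ip": row["SOURCE_IP"],
                             "ua": row["BROWSER_TYPE"], "reasons": reasons})
    return findings


def hunt_bulk_jobs(jobs: list[dict], threshold: int = 100_000) -> dict[str, list[str]]:
    """Map each identity to the objects it exported in bulk above the threshold.

    One identity pulling several core objects (Account, Contact, Case, ...) in a
    short window is the campaign's signature; a single large job can be legitimate.
    """
    by_user: dict[str, list[str]] = {}
    for job in jobs:
        if job["operation"] == "query" and job["numberRecordsProcessed"] >= threshold:
            by_user.setdefault(job["createdBy"], []).append(job["object"])
    return by_user


if __name__ == "__main__":
    for f in hunt_logins(SAMPLE_LOGINS):
        print(f"{f['user']} from {f['ip']} ({f['ua']}): {', '.join(f['reasons'])}")
    for user, objs in hunt_bulk_jobs(SAMPLE_BULK_JOBS).items():
        print(f"{user} bulk-exported {len(objs)} objects: {', '.join(objs)}")
```

On the sample rows the integration identity is flagged twice (campaign user agent plus an unknown source address) and the marketing service account once (user agent only, from a trusted range), which is the kind of hit that needs a human to decide whether an internal script was simply named carelessly. The bulk check lists Account and Contact for the integration identity at the default threshold; lowering it pulls Case in as well.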
🛑 How Exfiltrated Data is Abused
Stolen Salesforce data isn't just customer lists; it includes secrets to downstream services:
- AWS keys → spin up instances, steal S3 data, plant ransomware.
- Snowflake tokens → raid warehouses, exfiltrate analytics data.
- Customer records → craft spear-phishing & BEC campaigns.
- Partner/vendor info → attack supply chains.
Cloudflare warned that UNC6395's stolen data will almost certainly fuel follow-on attacks against breached organizations and their clients.
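The actor reportedly searched the stolen records for exactly the secret types listed above. Running the same search over your own Salesforce export is the fastest way to learn which downstream credentials to rotate first. The following is an added example (not code from the original page or any vendor): it assumes records as dicts with an Id, an Object name and the free-text fields an export would carry (Subject, Description, Comments), and every record and credential in it is constructed; the AWS key is AWS's documented example value, not a live key.

```python
"""Triage exported Salesforce text fields for embedded secrets so they can be rotated.

Added example, not code from the original page or any vendor. Assumptions: records
are dicts with an Id, an Object name and the free-text fields an export would carry
(Subject, Description, Comments); the sample records and every credential in them
are constructed (the AWS key is AWS's documented example value, not a live key).
"""
import re

# The AWS access-key-ID shape (AKIA/ASIA plus 16 upper-case alphanumerics) is documented.
# Snowflake tokens and passwords have no fixed shape, so those are keyword heuristics
# and will produce some noise; tune them on your own export.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "snowflake_reference": re.compile(r"(?i)\bsnowflake\b.{0,40}?(?:token|password|key)"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\b\s*[:=]\s*\S+"),
}

TEXT_FIELDS = ("Subject", "Description", "Comments")

# Constructed records; the credentials are fake on purpose.
SAMPLE_RECORDS = [
    {"Id": "500A1", "Object": "Case", "Subject": "S3 sync failing",
     "Description": "Temp creds for support: AKIAIOSFODNN7EXAMPLE / "
                    "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"Id": "500A2", "Object": "Case", "Subject": "Dashboard access",
     "Description": "Snowflake token is in this ticket: token=sf_...", "Comments": ""},
    {"Id": "003B1", "Object": "Contact", "Description": "VIP customer, prefers email",
     "Comments": "Portal password: Winter2025!"},
    {"Id": "001C1", "Object": "Account", "Description": "Renewal due Q4"},
]


def redact(value: str) -> str:
    """Keep just enough to identify the credential in a rotation ticket, never the value."""
    return value[:6] + "..." if len(value) > 10 else "***"


def scan_records(records: list[dict]) -> list[dict]:
    """Return one hit per (record, field, pattern match), with the match redacted."""
    hits = []
    for rec in records:
        for field in TEXT_FIELDS:
            text = rec.get(field) or ""
            for kind, pattern in PATTERNS.items():
                for match in pattern.finditer(text):
                    hits.append({"record": rec["Id"], "object": rec["Object"],
                                 "field": field, "kind": kind,
                                 "sample": redact(match.group(0))})
    return hits


def rotation_plan(hits: list[dict]) -> dict[str, set[str]]:
    """Secret type -> records whose embedded credential must be rotated and scrubbed."""
    plan: dict[str, set[str]] = {}
    for hit in hits:
        plan.setdefault(hit["kind"], set()).add(hit["record"])
    return plan


if __name__ == "__main__":
    found = scan_records(SAMPLE_RECORDS)
    for h in found:
        print(f"{h['object']} {h['record']} [{h['field']}]: {h['kind']} -> {h['sample']}")
    for kind, recs in rotation_plan(found).items():
        print(f"rotate {kind}: {sorted(recs)}")
```

The scanner redacts what it reports so the rotation ticket itself does not become another copy of the secret. Treat every hit as already exposed: the question after a token compromise is not whether a particular record was read but which credentials were reachable at all, and those get rotated and scrubbed from the record.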
🌍 Industries Impacted
- Government & Public Sector: Sensitive citizen data, procurement records.
- Finance & Banking: Customer PII, transaction data.
- Retail & Manufacturing: Supply-chain details, partner info.
- Healthcare: Patient records and insurance data.
- Technology & Security Vendors: Cloud service credentials.
Victims included major security and tech firms like Cloudflare, Zscaler, Palo Alto Networks, SpyCloud, Tanium, and Proofpoint.
🛡️ Defense & Mitigation Strategies
1. Revoke and Rotate Tokens
- Confirm that no Drift connected app or Drift-issued OAuth token remains in your org. Salesforce revoked them centrally, but verify rather than assume.
- Rotate AWS, Snowflake, and any other service keys that were ever stored in a Salesforce record, whether or not you can prove they were read.
2. Audit Logs & Hunt for IoCs
- Enable Salesforce Event Monitoring and retain the Login, API and Bulk API event types.
- Look for suspicious API logins (aiohttp and python-requests user agents, data-center or Tor source IPs).
- Detect large automated SOQL queries and Bulk API query jobs, especially one identity pulling several core objects in a short window. Deleted jobs do not remove the log entries.
3. Harden Salesforce Access
- Enforce least privilege on connected apps: admin pre-approval of users, the narrowest OAuth scopes the integration needs, and a refresh-token policy that expires tokens instead of leaving them valid until revoked.
- Disable unused apps.
- Restrict the "API Enabled" permission to the users and integrations that need it.
4. Enable MFA and IP Restrictions
- Require MFA for all Salesforce accounts. An OAuth token already issued to an integration is used without an interactive MFA prompt, so MFA limits phishing of users but not abuse of a compromised app's tokens; that is why step 1 matters.
- Enforce IP range restrictions on profiles and on connected apps.
5. Monitor Third-Party Apps
- Maintain an inventory of all integrations, including which OAuth scopes and data each one holds.
- Subscribe to vendor security advisories.
- Alert on unusual app behavior (e.g. mass exports, queries against objects the app never touched before).
6. Incident Response Plan
- Have runbooks ready for SaaS breaches, including who can revoke tokens and who owns downstream key rotation.
- Engage security vendors or MSSPs as needed.
7. Leverage Threat Intelligence
- Subscribe to industry IoCs.
- Task SOC/MDR teams to actively hunt for Salesforce abuse.
✅ Conclusion
This campaign is a wake-up call: SaaS trust relationships can be the weakest link. Even a well-secured platform is exposed if third-party integrations are not tightly managed, because a valid OAuth token issued to a compromised app looks like legitimate traffic to the platform. The purpose of these campaigns is clear: steal credentials, exploit trust, and monetize the resulting data.
For cybersecurity professionals and government leaders, now is the time to invest in SaaS security assessments and Zero Trust principles. Cybernexum can help organizations measure maturity, audit Salesforce configurations, and deploy practical defenses that harden against these evolving threats.