From Vishing to Breach: Deconstructing the Salesforce Social Engineering Campaign

The phone rings. The caller ID might be blocked, or it might be cleverly spoofed to look internal. On the other end is a polite, knowledgeable, and helpful person claiming to be from your IT department. They need your help to install a critical “Data Loader” utility or a system update in Salesforce. They sound legitimate. They sound urgent.

This is the opening move of a sophisticated attack by a threat group tracked as UNC6040. In this threat briefing, we’ll dissect how this group turns a simple phone call into a full-scale CRM data breach, not by hacking Salesforce, but by hacking the trust of your employees.

This isn’t a vulnerability in the Salesforce platform itself; it’s a clever abuse of the legitimate, trusted pathways that make the modern cloud ecosystem work.

The Attacker’s Playbook: From a Call to Your Crown Jewels

UNC6040’s methodology is a masterclass in combining old-school social engineering with modern cloud API abuse. Their attack unfolds in a patient, multi-stage campaign.

  1. The Setup (Reconnaissance & Pretexting): Before they even dial, the actors do their homework. They prepare their scripts and a convincing, look-alike “Data Loader” Salesforce application designed to fool an unsuspecting user.
  2. The Call (Vishing & Initial Access): The core of the attack is a voice phishing (vishing) call. The attacker, impersonating IT staff, expertly guides an employee through the process of authorising their malicious Salesforce connected app. This isn’t about stealing a password. It’s about tricking the user into granting the attacker’s app a set of digital keys—specifically, OAuth access and refresh tokens.
  3. The Persistent Foothold (Living in Your Cloud): With the refresh token, the attacker gains long-term access to your Salesforce environment via its APIs. This access persists even if the user changes their password, as it’s tied to the app’s authorization, not the user’s direct credentials. They can now access your systems from anywhere, blending in with legitimate application traffic.
  4. The Heist (Collection & Exfiltration): Once inside, UNC6040 uses Salesforce’s own powerful tools, like the Bulk API, against you. They systematically query and export high-value CRM data: Accounts, Contacts, Leads, Opportunities, and more. To your security tools, this can look like normal, albeit heavy, API activity. The data is exfiltrated through these legitimate, encrypted channels.
  5. The Payday (Extortion): With your sensitive customer and pipeline data in hand, the final move is extortion. The actors contact your organisation, proving they have your data and demanding payment to prevent its public release.

Why This Attack is So Deceptive

The brilliance of this tradecraft lies in its subtlety. UNC6040 is “living off the land” in the cloud—using legitimate features for malicious ends.

  • Abuse of Trust: The attack exploits the trust between employees and their IT department. The social engineering tactics mirror those used by other notorious groups like Scattered Spider, indicating a proven and effective methodology.
  • Bypassing Traditional Security: Because the attack uses legitimately granted OAuth tokens, many traditional security controls, including some forms of MFA, are rendered ineffective. The user has already authenticated; the malicious activity happens after that step, through a duly authorized application.
  • Normalisation and Alert Fatigue: In today’s interconnected SaaS world, users are constantly asked to approve new app integrations. This has created a form of “alert fatigue at the authentication layer,” where employees become desensitised to the very permission screens designed to protect them.

Protecting Your Salesforce Kingdom: A 4-Pillar Strategy

Defending against this threat requires a multi-layered strategy that goes beyond technology to include governance, active threat hunting, and empowering your people. In response to these threats, Salesforce has taken steps to help customers by strengthening security measures around how connected apps are used.

1. Govern Your Applications

Transition to a security posture of “trust but verify.”

  • Implement an Allow-List: Move to a model where only administratively approved and verified connected apps are permitted.
  • Conduct Quarterly Reviews: Regularly audit all authorized applications. Look for excessive permissions (scope creep) and disable dormant apps that are no longer needed.
  • Formalize Approval: Treat the approval of a new OAuth application with the same seriousness as a firewall rule change. Require business justification and a risk assessment.

2. Hunt for Anomalies

You can’t stop what you can’t see. Use the tools at your disposal to establish a baseline of normal activity and hunt for deviations.

  • Monitor App Grants: Pay close attention to new connected app authorizations, especially those granted by non-administrators or originating from unfamiliar publishers.
  • Baseline API Usage: Know what normal data access looks like for your organization. Develop detections for spikes in Bulk API Jobs or broad database queries (SELECT patterns) that don’t match typical workflows.
  • Leverage Event Logs: Dive deep into your Salesforce EventLogFile data. Create detection rules that correlate a new app authorization with subsequent, large-scale data access from a new IP address or region.
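The correlation rule described above, as an added example that is not part of the original post: a small Python detector run over constructed, EventLogFile-style CSV rows. The column names and event types (`AppAuthorization`, `BulkApi`) are simplifying assumptions for illustration, not Salesforce's exact schema, and the IPs and user IDs are made up.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a simplified, EventLogFile-like CSV layout.
# Column names and event types here are assumptions for this example,
# not Salesforce's exact EventLogFile schema.
SAMPLE_LOG = """\
TIMESTAMP,EVENT_TYPE,USER_ID,CLIENT_IP,DETAIL,ROWS
2024-05-01T09:00:00Z,Login,005A1,203.0.113.10,,
2024-05-01T09:05:00Z,BulkApi,005A1,203.0.113.10,Account,500
2024-05-01T10:00:00Z,AppAuthorization,005A1,203.0.113.10,Data Loader v2,
2024-05-01T10:10:00Z,BulkApi,005A1,203.0.113.10,Lead,300
2024-05-01T10:20:00Z,BulkApi,005A1,198.51.100.7,Contact,120000
2024-05-01T10:35:00Z,BulkApi,005A1,198.51.100.7,Opportunity,80000
2024-05-02T11:00:00Z,BulkApi,005B2,203.0.113.10,Account,400
"""

def parse_events(text):
    """Parse the CSV into dicts with a datetime and an integer row count."""
    events = list(csv.DictReader(io.StringIO(text)))
    for e in events:
        e["ts"] = datetime.strptime(e["TIMESTAMP"], "%Y-%m-%dT%H:%M:%SZ")
        e["ROWS"] = int(e["ROWS"]) if e["ROWS"] else 0
    return events

def post_grant_export_alerts(events, window=timedelta(hours=24), row_threshold=50_000):
    """Flag Bulk API jobs that follow a connected-app authorization by the same
    user within `window` and either come from an IP that user had not used
    before the grant, or exceed `row_threshold` rows (a spike against baseline)."""
    ips_seen = defaultdict(set)   # user -> IPs observed so far (the baseline)
    grants = {}                   # user -> (grant time, app name, IPs known at grant)
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        user = e["USER_ID"]
        if e["EVENT_TYPE"] == "AppAuthorization":
            grants[user] = (e["ts"], e["DETAIL"], set(ips_seen[user]))
        elif e["EVENT_TYPE"] == "BulkApi" and user in grants:
            grant_ts, app, ips_before = grants[user]
            from_new_ip = e["CLIENT_IP"] not in ips_before
            if grant_ts <= e["ts"] <= grant_ts + window and (from_new_ip or e["ROWS"] > row_threshold):
                alerts.append({"user": user, "app": app, "object": e["DETAIL"],
                               "rows": e["ROWS"], "ip": e["CLIENT_IP"], "new_ip": from_new_ip})
        ips_seen[user].add(e["CLIENT_IP"])
    return alerts

if __name__ == "__main__":
    for a in post_grant_export_alerts(parse_events(SAMPLE_LOG)):
        print(a)
```

On the sample, the small Lead export from the user's usual IP right after the grant is not flagged, while the two large exports from the previously unseen address are.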

3. Empower Your People

Your staff is the first line of defense. Equip them to succeed.

  • Train for Vishing: Run tabletop exercises focused specifically on these scenarios. The key lesson: Legitimate IT will never pressure you to approve a security change over the phone.
  • Establish Verification Channels: Create a simple, out-of-band process for employees to verify suspicious requests (e.g., “I will hang up and call you back on the official help desk number”).
  • Foster Psychological Safety: Encourage employees to report suspicious calls immediately and without fear of blame. Early reporting is one of the most valuable sources of threat intelligence you can have.

4. Harden Your Platform

Use the native security features of the platform to shrink the attacker’s window of opportunity.

  • Restrict Access: Implement IP allow-listing and login hour restrictions to align with your business’s operational reality.
  • Enforce Least Privilege: Configure all connected applications with the absolute minimum permission scopes they need to function.
  • Enhance Monitoring: If your subscription allows, enable features like Salesforce Shield for more granular event monitoring and threat detection capabilities.

The threat landscape is evolving. As adversaries shift from loud, malware-based attacks to silent, “living off the land” techniques, our defences must adapt. By understanding the UNC6040 playbook, we can build a more resilient defence that protects not just our technology but the people and processes that power our businesses.


Disclaimer: The information provided in this blog post is for educational and informational purposes only. While Xenicore strives to present accurate and up-to-date information, the cybersecurity landscape is constantly changing. We make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, or suitability of the information contained herein. Any reliance you place on such information is therefore strictly at your own risk. This article may contain links to external websites that are not provided or maintained by or in any way affiliated with Xenicore.