One Breach, Many Victims: How the UNC6395 Attack Exposed the SaaS Supply Chain

In the modern enterprise, third-party apps are the engines of productivity. We integrate them into our core platforms, such as Salesforce, granting them trusted access to our data to streamline workflows. But what happens when the keys to one of those trusted partners fall into the wrong hands?

A threat actor tracked as UNC6395 recently provided a devastating answer. In a sophisticated supply chain attack that impacted over 700 organizations, the group compromised the Salesloft “Drift” integration, stealing its OAuth tokens. They then used these tokens to access the Salesforce environments of multiple downstream customers, exfiltrating data at scale. High-profile cybersecurity and tech companies, including Cloudflare, Zscaler, Palo Alto Networks, and SpyCloud, have all publicly confirmed being impacted by this widespread campaign.

As Google’s Threat Intelligence Group first reported, this was not a breach of Salesforce itself. Instead, it was a masterful exploitation of the web of trust that underpins the entire SaaS ecosystem. One of the victims, Cloudflare, publicly detailed its response, confirming that the actor accessed its Salesforce “Case” objects between August 12 and 17, 2025, providing a rare public glimpse into the impact of such a compromise.

The Attacker’s Playbook: From One Breach to Many

UNC6395’s methodology departed from common social engineering tactics, focusing instead on a technical, high-leverage supply chain compromise. The attack was swift and disciplined, operating between August 8 and August 18 before being cut off when Salesloft revoked the tokens.

  1. The Upstream Breach: The attack began at a single chokepoint: the Drift integration. UNC6395 compromised the vendor and stole the OAuth access and refresh tokens that authorized the app to act on behalf of its many customers.
  2. The Silent Entry: Armed with these valid tokens, the actor could directly invoke Salesforce APIs on behalf of any victim organisation through the Drift app. This access was fully authenticated and authorized, bypassing all traditional login prompts, password requirements, and MFA challenges. To the victim’s systems, the activity appeared to be coming from the legitimate application.
  3. The Scaled Heist: The actor operated with speed and precision, using what Google assessed to be a Python-based tool to automate the data theft. They systematically enumerated and dumped high-value data, focusing on User, Case, Account, and Opportunity objects across hundreds of victim tenants simultaneously.
  4. The Heist-Within-a-Heist: UNC6395 wasn’t just stealing CRM data; they were hunting for treasure within it. The actor meticulously searched the text, notes, and attachments in Salesforce Cases for valuable credentials such as AWS keys, passwords, and Snowflake tokens that would enable them to pivot to other parts of their victims’ infrastructure. Cloudflare’s investigation, for example, found 104 of its API tokens had been exposed in the compromised data.
  5. Covering Their Tracks: After exfiltrating the data, the actor took steps to hide their activity by deleting Bulk API job records, a sophisticated defence-evasion tactic designed to frustrate forensic investigations.

Why This Attack is a Game-Changer for SaaS Security

The UNC6395 campaign is more than just another breach; it represents a fundamental evolution in how adversaries target cloud environments, drawing parallels to other major supply chain incidents, such as the 2023 Okta support unit breach.

  • The SaaS Supply Chain is the New Perimeter. Your organisation’s security is no longer defined just by your own walls. It is the sum of the security postures of all vendors you integrate with. A compromise at one of your vendors is a compromise of your data, affecting hundreds of organisations through a single integration point.
  • Bypassing the Front Door. This attack vector renders many primary security controls irrelevant. When an attacker possesses a valid OAuth token, they don’t need to phish for a user’s credentials or guess a password. They are already “inside,” using a legitimate, authorised channel.
  • The CRM as a Credential Cache. The actor’s focus on harvesting secrets from support cases highlights a dangerous but common blind spot. Employees and customers often share sensitive credentials and technical details in support tickets, inadvertently turning the CRM into an unintended, high-value password manager for attackers to plunder.

Defending Against the SaaS Supply Chain Threat

Protecting your organisation requires a strategic shift—from focusing solely on your own security to actively managing the risk across your entire application ecosystem.

1. Govern Your Integrations with an Iron Fist

Treat every third-party application as a privileged entry point to your environment.

  • Vet Your Vendors: Expand third-party risk management to rigorously scrutinise the API and OAuth security practices of your integration partners.
  • Enforce Least Privilege: Regularly audit the permission scopes of all connected apps. Ensure each integration only has the absolute minimum access required to perform its function. A marketing tool should not have API access to your support cases.
  • Establish an Inventory: You cannot defend what you don’t know you have. Maintain a complete, up-to-date inventory of all integrated applications and the data they can access.

2. Hunt for Supply Chain Anomalies

Develop detection logic that assumes one of your vendors could be compromised.

  • Profile App Behaviour: Baseline the normal API activity for each major integration. An application that suddenly starts accessing new data objects or pulls data at 100x its normal volume is a major red flag.
  • Monitor for Geographic Impossibility: Correlate API access from connected apps with their known infrastructure. If your US-based marketing app suddenly accesses your data from an unfamiliar ASN or country, it demands immediate investigation.
  • Leverage Your Event Logs: Use Salesforce EventLogFile to create alerts for unusual UniqueQuery or API/Bulk events, especially when they focus on sensitive objects like Cases and Attachments. Salesloft and Google have released specific Indicators of Compromise (IOCs), such as IP addresses and user-agent strings, to aid these hunts.
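The three hunts above (behavioural baseline, volume spike, and unfamiliar source network) as a worked detection example. This is added here and is not code from the original post, Salesloft, Google, or Salesforce; the row layout is a deliberately simplified stand-in for EventLogFile records, and the app name, object names and IP ranges are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed, simplified event rows standing in for Salesforce EventLogFile records
# (a real export has many more columns). Fields: day, connected app, entity, rows, client IP.
BASELINE = [
    ("08-01", "drift", "Lead", 180, "203.0.113.10"),
    ("08-01", "drift", "Contact", 40, "203.0.113.10"),
    ("08-02", "drift", "Lead", 210, "203.0.113.11"),
    ("08-02", "drift", "Contact", 30, "203.0.113.11"),
]
# Constructed "attack day": same app identity, but new objects, huge volume, new source network.
SUSPECT = [
    ("08-12", "drift", "Case", 25000, "198.51.100.7"),
    ("08-12", "drift", "Attachment", 3000, "198.51.100.7"),
    ("08-12", "drift", "Lead", 190, "203.0.113.10"),
]
# Assumed known egress networks per vendor (documentation prefixes; fill from vendor-published ranges).
KNOWN_NETS = {"drift": [ipaddress.ip_network("203.0.113.0/24")]}
SENSITIVE = {"User", "Case", "Account", "Opportunity", "Attachment"}
VOLUME_FACTOR = 100  # the post's "100x normal volume" rule of thumb; tune per app

def baseline_profile(rows):
    """Per app: (set of objects normally touched, mean rows per day)."""
    objects, per_day = defaultdict(set), defaultdict(lambda: defaultdict(int))
    for day, app, entity, n, _ip in rows:
        objects[app].add(entity)
        per_day[app][day] += n
    return {app: (objects[app], sum(d.values()) / len(d)) for app, d in per_day.items()}

def detect(profile, rows):
    """Return sorted, de-duplicated (app, rule, detail) findings for the rows under review."""
    findings, daily = set(), defaultdict(int)
    for day, app, entity, n, ip in rows:
        objects, _mean = profile.get(app, (set(), 0.0))
        if entity in SENSITIVE and entity not in objects:
            findings.add((app, "new_sensitive_object", entity))
        nets = KNOWN_NETS.get(app, [])
        if nets and not any(ipaddress.ip_address(ip) in net for net in nets):
            findings.add((app, "unfamiliar_source_ip", ip))
        daily[(app, day)] += n
    for (app, day), total in daily.items():
        _objects, mean = profile.get(app, (set(), 0.0))
        if mean and total > VOLUME_FACTOR * mean:
            findings.add((app, "volume_spike", f"{day}: {total} rows vs ~{mean:.0f}/day baseline"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in detect(baseline_profile(BASELINE), SUSPECT):
        print(finding)
```

Against real EventLogFile exports, key the baseline on the connected app's user or user-agent rather than the constructed app label, and build it from several weeks of history so a single busy day does not dominate the mean.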

3. Harden Your Data and Processes

Minimise the impact of a potential breach by reducing the value of what can be stolen.

  • Sanitise Your Data: Implement strict data handling policies and technology to prevent users from storing credentials, secrets, or other highly sensitive information in CRM fields, cases, or attachments.
  • Prepare for Vendor Incidents: Develop a specific incident response playbook for a third-party application compromise. This plan must include immediate token revocation, a rapid impact assessment, and clear communication channels with the vendor.

This incident is a wake-up call. In the interconnected cloud, trust is a vulnerability. The security of our most critical data now depends not just on the locks we control, but on the integrity of every partner to whom we hand a key.


Disclaimer: The information provided in this blog post is for educational and informational purposes only. While Xenicore strives to present accurate and up-to-date information, the cybersecurity landscape is constantly changing. We make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, or suitability of the information contained herein. Any reliance you place on such information is therefore strictly at your own risk. This article may contain links to external websites that are not provided or maintained by or in any way affiliated with Xenicore.
