In the modern enterprise, third-party apps are the engines of productivity. We integrate them into our core platforms like Salesforce, granting them trusted access to our data to streamline workflows. But what happens when the keys to one of those trusted partners fall into the wrong hands?
A threat actor tracked as UNC6395 recently provided a devastating answer. In a sophisticated supply chain attack that impacted over 700 organizations, the group compromised the Salesloft “Drift” integration, stealing its OAuth tokens. They then used these tokens to access the Salesforce environments of multiple downstream customers, exfiltrating data at scale. High-profile cybersecurity and tech companies, including Cloudflare, Zscaler, Palo Alto Networks, and SpyCloud, have all publicly confirmed being impacted by this widespread campaign.
As Google’s Threat Intelligence Group first reported, this was not a breach of Salesforce itself. Instead, it was a masterful exploitation of the web of trust that underpins the entire SaaS ecosystem. One of the victims, Cloudflare, publicly detailed their response, confirming the actor accessed their Salesforce “Case” objects between August 12-17, 2025, providing a rare public glimpse into the impact of such a compromise.
The Attacker’s Playbook: From One Breach to Many
UNC6395’s methodology was a departure from common social engineering tactics, focusing instead on a technical, high-leverage supply chain compromise. The attack was swift and disciplined, operating between August 8 and August 18 before being cut off when Salesloft revoked the tokens.
- The Upstream Breach: The attack began at a single chokepoint: the Drift integration. UNC6395 compromised the vendor and stole the OAuth access and refresh tokens that authorized the app to act on behalf of its many customers.
- The Silent Entry: Armed with these valid tokens, the actor could directly call Salesforce APIs for any victim organization using the Drift app. This access was fully authenticated and authorized, bypassing all traditional login prompts, password requirements, and MFA challenges. To the victim’s systems, the activity appeared to be coming from the legitimate application.
- The Scaled Heist: The actor operated with speed and precision, using what Google assessed to be a Python-based tool to automate the data theft. They systematically enumerated and dumped high-value data, focusing on User, Case, Account, and Opportunity objects across hundreds of victim tenants simultaneously.
- The Heist-Within-a-Heist: UNC6395 wasn’t just stealing CRM data; they were hunting for treasure within it. The actor meticulously searched the text, notes, and attachments within Salesforce Cases for valuable credentials like AWS keys, passwords, and Snowflake tokens that would allow them to pivot into other parts of their victims’ infrastructure. Cloudflare’s investigation, for example, found 104 of its API tokens had been exposed in the compromised data.
- Covering Their Tracks: After exfiltrating the data, the actor took steps to hide their activity by deleting the Bulk API job records, a sophisticated defense evasion tactic designed to frustrate forensic investigations.
Why This Attack is a Game-Changer for SaaS Security
The UNC6395 campaign is more than just another breach; it represents a fundamental evolution in how adversaries target cloud environments, drawing parallels to other major supply chain incidents like the 2023 Okta support unit breach.
- The SaaS Supply Chain is the New Perimeter. Your organization’s security is no longer defined just by your own walls. It is the sum of the security postures of every single vendor you integrate with. A compromise at one of your vendors is a compromise of your data, affecting hundreds of organizations through a single integration point.
- Bypassing the Front Door. This attack vector renders many primary security controls irrelevant. When an attacker possesses a valid OAuth token, they don’t need to phish a user or guess a password. They are already “inside,” using a legitimate, authorized channel.
- The CRM as a Credential Cache. The actor’s focus on harvesting secrets from support cases highlights a dangerous but common blind spot. Employees and customers often share sensitive credentials and technical details in support tickets, inadvertently turning the CRM into an unintended, high-value password manager for attackers to plunder.
Defending Against the SaaS Supply Chain Threat
Protecting your organization requires a strategic shift—from focusing solely on your own security to actively managing the risk across your entire application ecosystem.
1. Govern Your Integrations with an Iron Fist
Treat every third-party application as a privileged entry point to your environment.
- Vet Your Vendors: Expand third-party risk management to rigorously scrutinize the API and OAuth security practices of your integration partners.
- Enforce Least Privilege: Regularly audit the permission scopes of all connected apps. Ensure each integration only has the absolute minimum access required to perform its function. A marketing tool should not have API access to your support cases.
- Establish an Inventory: You cannot defend what you don’t know you have. Maintain a complete, up-to-date inventory of all integrated applications and the data they can access.
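One way to turn the inventory and least-privilege points above into a repeatable check is to keep a machine-readable list of connected apps and compare each one against the access its business purpose actually justifies. The script below is an added example (not Xenicore's code and not a Salesforce feature); the app entries, the purpose-to-access policy, and the scope and object names are all constructed for illustration and loosely modelled on Salesforce OAuth scope labels and sObject names.

```python
"""Connected-app inventory and least-privilege audit (added example; constructed data).

In a real deployment the ConnectedApp entries would be populated from the
Salesforce Setup pages for connected apps / OAuth usage or via the API; here
they are hard-coded sample values.
"""
from dataclasses import dataclass


@dataclass
class ConnectedApp:
    name: str
    purpose: str   # business function the app was approved for
    scopes: set    # granted OAuth scopes (names are assumptions)
    objects: set   # sObjects the app's integration user can read


# Constructed policy: the minimum scopes and objects each purpose needs.
# A marketing tool has no business reading support cases or attachments.
POLICY = {
    "marketing": {"scopes": {"api", "refresh_token"},
                  "objects": {"Lead", "Contact", "Campaign"}},
    "support":   {"scopes": {"api", "refresh_token"},
                  "objects": {"Case", "Contact", "Account"}},
}


def audit_app(app, policy=POLICY):
    """Return a list of findings for one app; an empty list means compliant."""
    findings = []
    allowed = policy.get(app.purpose)
    if allowed is None:
        # Anything not in the policy is an unknown integration: inventory gap.
        return [f"{app.name}: purpose '{app.purpose}' not in policy (unknown integration)"]
    if "full" in app.scopes:
        findings.append(f"{app.name}: 'full' scope grants everything; replace with explicit scopes")
    else:
        extra_scopes = app.scopes - allowed["scopes"]
        if extra_scopes:
            findings.append(f"{app.name}: excess scopes {sorted(extra_scopes)}")
    extra_objects = app.objects - allowed["objects"]
    if extra_objects:
        findings.append(f"{app.name}: reads objects outside its purpose {sorted(extra_objects)}")
    return findings


def audit_inventory(apps, policy=POLICY):
    """Audit every app and return {app name: [findings]}."""
    return {app.name: audit_app(app, policy) for app in apps}


# Constructed sample inventory: one compliant app, one over-privileged app,
# and one that nobody registered a purpose for.
SAMPLE_INVENTORY = [
    ConnectedApp("chat-widget", "marketing", {"api", "refresh_token"}, {"Lead", "Contact"}),
    ConnectedApp("legacy-sync", "marketing", {"api", "refresh_token", "full"},
                 {"Lead", "Case", "Attachment"}),
    ConnectedApp("unknown-tool", "unlisted", {"api"}, {"Account"}),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(name, "OK" if not findings else findings)
```

Run on a schedule, the audit turns "review your scopes regularly" into a diff that a ticket can be raised against: any app whose findings list is non-empty either gets its grant trimmed or its policy entry justified and updated.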
2. Hunt for Supply Chain Anomalies
Develop detection logic that assumes one of your vendors could be compromised.
- Profile App Behavior: Baseline the normal API activity for each major integration. An application that suddenly starts accessing new data objects or pulls data at 100x its normal volume is a major red flag.
- Monitor for Geographic Impossibility: Correlate API access from connected apps with their known infrastructure. If your US-based marketing app suddenly accesses your data from an unfamiliar ASN or country, it demands immediate investigation.
- Leverage Your Event Logs: Use Salesforce’s EventLogFile to create alerts for unusual UniqueQuery or API/Bulk events, especially when they focus on sensitive objects like Cases and Attachments. Salesloft and Google have released specific Indicators of Compromise (IOCs), such as IP addresses and user-agent strings, to aid these hunts.
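The three hunting ideas above (behavioural baseline, source-infrastructure check, and IOC matching against the event logs) combine naturally into one pass over API activity. The following is an added example written for this post; it is not Xenicore's, Google's or Salesforce's code. The log rows, the per-app baseline, the "known infrastructure" IP range and the IOC values are all constructed (TEST-NET addresses and a placeholder user agent), and the row fields only loosely follow EventLogFile column names; a real hunt would parse the actual EventLogFile CSVs and load the IOC list from the vendor advisories.

```python
"""Hunting for supply-chain anomalies in connected-app API activity (added example).

All data below is constructed for illustration. Substitute real EventLogFile
rows, your integrations' published egress ranges, and the IOCs from the
Salesloft / Google advisories.
"""
import ipaddress
from collections import defaultdict

# Constructed: the infrastructure each integration is expected to call from.
KNOWN_APP_RANGES = {
    "chat-widget": [ipaddress.ip_network("198.51.100.0/24")],
}
# Constructed placeholder IOCs; replace with the advisories' IPs and user agents.
IOC_IPS = {"203.0.113.77"}
IOC_USER_AGENTS = {"example-ioc-agent/0.0 (placeholder)"}
VOLUME_MULTIPLIER = 10   # alert when a day's rows exceed 10x the baseline
SENSITIVE_OBJECTS = {"Case", "Attachment", "ContentVersion", "User"}


def build_baseline(rows):
    """Average rows per (app, entity) per day over a trusted historical window."""
    totals, days = defaultdict(int), defaultdict(set)
    for r in rows:
        key = (r["app"], r["entity"])
        totals[key] += r["rows"]
        days[key].add(r["day"])
    return {k: totals[k] / len(days[k]) for k in totals}


def hunt(rows, baseline):
    """Return {app: [findings]} for the rows under review (deduplicated)."""
    findings = defaultdict(list)

    def add(app, msg):
        if msg not in findings[app]:
            findings[app].append(msg)

    per_day = defaultdict(int)
    for r in rows:
        app, entity = r["app"], r["entity"]
        per_day[(app, entity, r["day"])] += r["rows"]
        ip = ipaddress.ip_address(r["client_ip"])
        # 1. Direct IOC match on source address or user agent.
        if r["client_ip"] in IOC_IPS or r["user_agent"] in IOC_USER_AGENTS:
            add(app, f"IOC match: {r['client_ip']} / {r['user_agent']}")
        # 2. "Geographic impossibility": the app calling from outside its known ranges.
        ranges = KNOWN_APP_RANGES.get(app, [])
        if ranges and not any(ip in net for net in ranges):
            add(app, f"access from unexpected source {r['client_ip']}")
        # 3. An object the app never touched during the baseline window.
        if (app, entity) not in baseline:
            tag = " (sensitive)" if entity in SENSITIVE_OBJECTS else ""
            add(app, f"new object {entity}{tag} via {r['event_type']}")
    # 4. Volume spike against the per-object baseline.
    for (app, entity, day), n in per_day.items():
        base = baseline.get((app, entity))
        if base and n > VOLUME_MULTIPLIER * base:
            add(app, f"{day}: {entity} volume {n} rows vs baseline {base:.0f}/day")
    return dict(findings)


# Constructed: three quiet days of the chat widget syncing leads.
BASELINE_ROWS = [
    {"day": f"2025-08-0{d}", "app": "chat-widget", "event_type": "API", "entity": "Lead",
     "rows": 400, "client_ip": "198.51.100.10", "user_agent": "chat-widget/1.0"}
    for d in (1, 2, 3)
]
# Constructed: the day under review, with a normal-looking spike and a bulk Case dump.
REVIEW_ROWS = [
    {"day": "2025-08-13", "app": "chat-widget", "event_type": "API", "entity": "Lead",
     "rows": 6000, "client_ip": "198.51.100.10", "user_agent": "chat-widget/1.0"},
    {"day": "2025-08-13", "app": "chat-widget", "event_type": "BulkApi", "entity": "Case",
     "rows": 50000, "client_ip": "203.0.113.77",
     "user_agent": "example-ioc-agent/0.0 (placeholder)"},
]

if __name__ == "__main__":
    for app, msgs in hunt(REVIEW_ROWS, build_baseline(BASELINE_ROWS)).items():
        for msg in msgs:
            print(f"[{app}] {msg}")
```

The baseline check deliberately keys on (app, object) rather than on the app alone: an integration pulling ten times its usual Lead volume is worth a look, but an integration that has never read a Case object suddenly bulk-exporting them is the pattern this campaign actually produced, and it should page someone even at low volume.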
3. Harden Your Data and Processes
Minimize the impact of a potential breach by reducing the value of what can be stolen.
- Sanitize Your Data: Implement strict data handling policies and technology to prevent users from storing credentials, secrets, or other highly sensitive information in CRM fields, cases, or attachments.
- Prepare for Vendor Incidents: Develop a specific incident response playbook for a third-party application compromise. This plan must include immediate token revocation, a rapid impact assessment, and clear communication channels with the vendor.
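The "sanitize your data" control is easiest to enforce at the point where a case comment or attachment is written, rather than by searching the CRM afterwards. The scanner below is an added example (not Xenicore's code and not a Salesforce feature) of the kind of gate a case-creation hook or DLP rule could apply: it flags likely credentials and returns a redacted copy. The patterns are assumptions: the AWS access-key-ID prefix follows the publicly documented format, the sample secret is the placeholder value from AWS's own documentation, and the remaining rules (JWT shape, private-key header, password assignments, high-entropy tokens) are generic heuristics rather than any vendor's token format.

```python
"""Keeping credentials out of CRM cases (added example; heuristic patterns).

scan_text() reports likely secrets, redact() replaces them with a placeholder,
and should_block() gives a yes/no answer a submission hook can act on.
"""
import math
import re

PATTERNS = {
    # AWS access key IDs are documented as AKIA/ASIA + 16 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    # Three dot-separated base64url segments starting with the "{" JSON header.
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    # "password: hunter2" style assignments; only the value is reported.
    "password_assignment": re.compile(r"(?i)\b(password|passwd|pwd)\s*[:=]\s*(?P<secret>\S+)"),
}
# Long random-looking strings with no recognised prefix (API keys, tokens).
GENERIC_TOKEN = re.compile(r"\b[A-Za-z0-9_\-+/=]{32,}\b")
ENTROPY_THRESHOLD = 4.0   # bits per character; heuristic cut-off


def shannon_entropy(s):
    """Bits per character of s; English prose is well under 4, random tokens above."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_text(text):
    """Return [(kind, secret_value)] for every likely secret in text."""
    findings = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            value = m.group("secret") if "secret" in m.groupdict() else m.group(0)
            findings.append((kind, value))
    for m in GENERIC_TOKEN.finditer(text):
        tok = m.group(0)
        # Skip anything already caught by a specific pattern.
        if any(tok in v or v in tok for _, v in findings):
            continue
        if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
            findings.append(("high_entropy_token", tok))
    return findings


def redact(text):
    """Replace each finding with a placeholder so the case can be stored safely."""
    for _, value in scan_text(text):
        text = text.replace(value, "[REDACTED]")
    return text


def should_block(text, max_findings=0):
    """True when the submission carries more secrets than policy allows."""
    return len(scan_text(text)) > max_findings


# Constructed sample case body. The key ID is made up; the 40-character
# secret is the placeholder value from AWS's documentation, not a real key.
SAMPLE_CASE = (
    "Hi support, the sync job fails after rotation.\n"
    "Creds we used: AKIAQ7EXAMPLE000TEST with secret "
    "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    "Admin password: Tr0ub4dor&3 and the ticket id is CASE-00012345."
)

if __name__ == "__main__":
    for kind, value in scan_text(SAMPLE_CASE):
        print(f"{kind}: {value[:4]}...")
    print(redact(SAMPLE_CASE))
```

Blocking on any finding is a reasonable default for inbound support cases, because the false-positive cost (a customer re-phrases a ticket) is tiny next to the cost this campaign demonstrated: secrets sitting in Case text became the pivot into downstream infrastructure.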
This incident is a wake-up call. In the interconnected cloud, trust is a vulnerability. The security of our most critical data now depends not just on the locks we control, but on the integrity of every partner to whom we hand a key.
Disclaimer: The information provided in this blog post is for educational and informational purposes only. While Xenicore strives to present accurate and up-to-date information, the cybersecurity landscape is constantly changing. We make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, or suitability of the information contained herein. Any reliance you place on such information is therefore strictly at your own risk. This article may contain links to external websites that are not provided or maintained by or in any way affiliated with Xenicore.