Tag: data-breach

  • From Vishing to Breach: Deconstructing the Salesforce Social Engineering Campaign

    The phone rings. The caller ID might be blocked, or it might be cleverly spoofed to look internal. On the other end is a polite, knowledgeable, and helpful person claiming to be from your IT department. They need your help to install a critical “Data Loader” utility or a system update in Salesforce. They sound legitimate. They sound urgent.

    This is the opening move of a sophisticated attack by a threat group tracked as UNC6040. In this threat briefing, we’ll dissect how this group turns a simple phone call into a full-scale CRM data breach, not by hacking Salesforce, but by hacking the trust of your employees.

    This isn’t a vulnerability in the Salesforce platform itself; it’s a clever abuse of the legitimate, trusted pathways that make the modern cloud ecosystem work.
