On September 12, 2025, the FBI released FLASH-20250912-001, warning of a surge in data theft and extortion campaigns targeting organizations' Salesforce platforms. Two cybercriminal groups—UNC6040 and UNC6395—are at the center of these attacks, each employing distinct initial access mechanisms to compromise Salesforce environments and exfiltrate sensitive data.
According to the alert, UNC6040 has relied heavily on voice phishing (vishing) since late 2024. Threat actors impersonate IT staff, calling company help desks and claiming to be resolving enterprise-wide issues. By exploiting human trust, they convince employees to:
Share credentials and MFA codes;
Install a malicious Salesforce connected app (often disguised as Salesforce's legitimate Data Loader);
Approve OAuth tokens, granting attackers persistent access to the Salesforce environment.
Once inside, UNC6040 used API queries and the Data Loader application to exfiltrate large volumes of customer data. Because the OAuth tokens were issued by Salesforce itself, the malicious activity appeared to originate from a trusted integration, which is why standard defenses such as MFA and login monitoring struggled to stop it.
Some UNC6040 victims later received extortion demands tied to ShinyHunters, with threats to leak stolen data unless cryptocurrency payments were made.
In contrast, UNC6395 targeted Salesforce by abusing compromised OAuth tokens from the Salesloft Drift AI chatbot integration. With stolen tokens, attackers could log into Salesforce instances and siphon sensitive information.
"The user-agent indicators of compromise (IOCs) indicate that UNC6395 is leveraging custom Python scripts to interact with the legitimate, listed Salesforce APIs they are connecting to. The listed URLs also point to Salesforce OAuth authorization endpoints that UNC6040 directs victims to during social engineering calls, tricking them into connecting their enterprise Salesforce portal to the threat actor's malicious app," said Crystal Morin, Cybersecurity Strategist at Sysdig. "The IPs used by both groups point to the use of Azure cloud infrastructure, virtual servers, Tor exit nodes, and proxy services to obfuscate their origin. Ultimately, the FBI's advisory highlights the threat actors' technical and human sophistication with significant details regarding their use of social engineering."
Morin continued, "To get ahead of these threat actors, security teams should hunt for these IOCs in their logs, monitor for similar unusual activity, audit connected apps, and work to reinforce user awareness—especially among call center staff, who have often been the first line of defense in recent months."
On August 20, 2025, Salesloft and Salesforce revoked all Drift-related tokens to cut off active intrusions, but the FBI notes that the group's tactics highlight broader risks in SaaS ecosystems that depend on third-party integrations.
The FBI provided extensive IOCs to aid defenders, including:
IP addresses linked to both UNC6040 and UNC6395;
Malicious Salesforce URLs such as login[.]salesforce[.]com/setup/connect;
User-agent strings like Salesforce-Multi-Org-Fetcher/1.0 and python-requests/2.32.4, used in UNC6395 operations.
Security teams are urged to ingest and monitor these IOCs but also evaluate them in the context of their full network environment.
The FLASH alert outlines concrete steps for defenders:
Harden human defenses – Train call center staff to spot vishing attempts.
Deploy phishing-resistant MFA wherever possible.
Apply least privilege to Salesforce and integrated apps.
Audit and rotate API keys and tokens for all connected applications.
Monitor network and API logs for signs of bulk queries or anomalous sessions.
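As an added example (not code from the article, the FBI, or Salesforce), the following Python hunt ties the user-agent IOCs listed above to the log-monitoring step just described: it scans API event records for those user-agent strings, bulk exports accumulated per session, off-hours activity, and unexpected source IPs. The sample records, the field names (loosely modelled on Salesforce ApiEvent), the thresholds, and the allowlist are all assumptions made for this example.

```python
"""Hunt constructed Salesforce API event records for the FLASH user-agent IOCs
and for bulk-export / off-hours / unexpected-IP behaviour.
The records, field names (loosely modelled on Salesforce ApiEvent) and
thresholds are assumptions made for this example."""
from collections import defaultdict
from datetime import datetime

# User-agent strings quoted from the FLASH alert in the article above.
IOC_USER_AGENTS = {"Salesforce-Multi-Org-Fetcher/1.0", "python-requests/2.32.4"}
BULK_ROWS_PER_SESSION = 100_000   # assumed: tune to your normal Data Loader usage
BUSINESS_HOURS = range(7, 20)     # assumed: timestamps already in org local time

# Constructed sample records; the IPs are from RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    {"SessionKey": "S1", "EventDate": "2025-08-10T02:14:03Z", "Username": "sales.ops@example.com",
     "SourceIp": "203.0.113.7", "UserAgent": "python-requests/2.32.4",
     "QueriedEntities": "Contact", "RowsProcessed": 250_000},
    {"SessionKey": "S2", "EventDate": "2025-08-11T14:30:00Z", "Username": "mkt@example.com",
     "SourceIp": "198.51.100.20", "UserAgent": "Salesforce-Multi-Org-Fetcher/1.0",
     "QueriedEntities": "Account", "RowsProcessed": 5_000},
    {"SessionKey": "S3", "EventDate": "2025-08-12T09:05:00Z", "Username": "rep@example.com",
     "SourceIp": "192.0.2.10", "UserAgent": "Mozilla/5.0 (constructed browser UA)",
     "QueriedEntities": "Lead", "RowsProcessed": 800},
    {"SessionKey": "S4", "EventDate": "2025-08-12T11:00:00Z", "Username": "backup.svc@example.com",
     "SourceIp": "192.0.2.10", "UserAgent": "NightlyBackup/2.1 (constructed)",
     "QueriedEntities": "Opportunity", "RowsProcessed": 60_000},
    {"SessionKey": "S4", "EventDate": "2025-08-12T11:20:00Z", "Username": "backup.svc@example.com",
     "SourceIp": "192.0.2.10", "UserAgent": "NightlyBackup/2.1 (constructed)",
     "QueriedEntities": "Contact", "RowsProcessed": 60_000},
]

def hunt(events, allowed_ips=frozenset()):
    """Return (session, user, reasons) for each event that trips a check.
    Rows are accumulated per session so a slow export still crosses the bulk line."""
    findings = []
    rows_by_session = defaultdict(int)
    for e in events:
        ts = datetime.strptime(e["EventDate"], "%Y-%m-%dT%H:%M:%SZ")
        reasons = []
        if e["UserAgent"] in IOC_USER_AGENTS:
            reasons.append("ioc-user-agent")
        if ts.hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
        if allowed_ips and e["SourceIp"] not in allowed_ips:
            reasons.append("unexpected-source-ip")
        rows_by_session[e["SessionKey"]] += e.get("RowsProcessed", 0)
        if rows_by_session[e["SessionKey"]] >= BULK_ROWS_PER_SESSION:
            reasons.append("bulk-export")
        if reasons:
            findings.append((e["SessionKey"], e["Username"], sorted(reasons)))
    return findings

if __name__ == "__main__":
    for session, user, reasons in hunt(SAMPLE_EVENTS, allowed_ips={"192.0.2.10"}):
        print(f"{session} {user}: {', '.join(reasons)}")
```

The IOC match alone is weak evidence (python-requests is a common user agent), which is why the per-session row count and the off-hours and source-IP checks are reported alongside it.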
This alert highlights several critical realities for CISOs and SaaS security teams:
SaaS platforms are prime targets – Salesforce, as a data-rich hub, is a natural focal point for attackers.
Third-party integrations expand the attack surface – OAuth tokens and connected apps can become stealthy backdoors.
Human factors remain exploitable – Sophisticated vishing shows that even MFA can be bypassed if employees are tricked into approving malicious apps.
Data theft and extortion are converging – Groups like UNC6040 aren't just stealing data; they're monetizing it through direct extortion threats.
Randolph Barr, CISO at Cequence Security, provided a comprehensive breakdown of the latest FBI Flash alert:
"The FBI's FLASH alert reveals a growing threat pattern where attackers exploit legitimate, authorized access to cloud environments like Salesforce, not through malware or brute force, but through what's known as business logic abuse.
"In both the UNC6040 and UNC6395 campaigns, attackers are not exploiting software vulnerabilities in the traditional sense. Instead, they are misusing normal functionality, like OAuth integrations and API calls, to carry out malicious objectives in ways that appear legitimate to most systems.
UNC6040 used social engineering to trick employees into authorizing a malicious OAuth app (e.g., "My Ticket Portal"), which then used Salesforce's standard APIs to mass-exfiltrate data.
UNC6395 operated more quietly, leveraging already-approved third-party apps (like Drift or Salesloft) to access sensitive data such as outreach logs and chat transcripts, all through standard, permitted API behavior."
"Business logic abuse happens when an attacker uses the application as intended, but in a way that violates business intent or trust. In these campaigns:
The attackers didn't break in; they were let in via authorized OAuth tokens.
The API calls weren't abnormal in format; they were normal Salesforce queries.
There were no malware signatures, just abuse of trusted integrations to achieve unauthorized outcomes (i.e., data theft and extortion).
This type of abuse often flies under the radar of traditional security controls like EDR, CASB, or firewalls because:
The protocol is valid (OAuth)
The data channel is secure (HTTPS)
The traffic volume may appear normal
The access was technically authorized.
"That's what makes these IOCs and behavior patterns so critical; they offer clues into how attackers are blending in with trusted business operations.
"These attacks don't rely on breaking in through a vulnerability. They come in through the front door using the very integrations we’ve come to trust and depend on. That’s what makes business logic abuse so dangerous: it looks like legitimate activity to most systems, but its intent is malicious. The IOCs provided by the FBI are a valuable head start for defenders to detect hidden misuse, but they’re only part of the picture. What’s needed going forward is a shift in security mindset from looking only for anomalies in network traffic or file signatures, to questioning whether a system’s behavior still aligns with its intended business function.
"Even without a purpose-built API security solution, there are practical steps organizations can take today:
Audit connected apps
Review all authorized OAuth integrations in tools like Salesforce, Google Workspace, Drift, or SalesLoft.
Pay attention to apps with elevated access or vague names.
Revoke access for apps that aren't clearly vetted or needed.
Examine API and login logs
Use native SaaS audit logs (e.g., Salesforce's Event Monitoring, Connected App Usage, Login History).
Look for:
Unusual download activity
API queries at odd hours or from unusual IPs
Sudden changes in data access patterns
Investigate behavior that violates business intent
Even if activity is technically allowed by the system, ask:
"Does this make sense for the user or app's purpose?"
"Why would this app need full access to all contacts or deals?"
This mindset shift is key to identifying business logic abuse.
Use the FBI IOCs
Search for the listed IPs, app names, timestamps, and user agent strings in your own environment.
Check for patterns that match the described behavior, even if the tool used wasn't Salesforce.
Establish approval processes
Require review and approval before new OAuth apps are granted access.
Restrict scopes to the minimum required.
Remove or sunset unused integrations regularly.
Communicate internally
Work with sales, marketing, and support teams to raise awareness of this threat type.
Emphasize the importance of verifying requests to connect new apps, especially those mimicking internal tools."
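As an added example (not code from the article, Cequence, or Salesforce), the following Python script applies the "Audit connected apps" and "Establish approval processes" items from the checklist above to an inventory of connected apps: it flags full-access scopes, unvetted apps holding elevated scopes, apps missing from an approval allowlist, names that imitate a trusted tool, and integrations unused for 90 days. The inventory shape, the allowlist, and the staleness threshold are assumptions for this example; the scope names are Salesforce OAuth scopes.

```python
"""Triage a constructed inventory of Salesforce connected apps against the
checks in the quoted list: elevated scopes, unvetted apps, look-alike or
unapproved names, and stale integrations. The inventory shape, allowlist and
90-day threshold are assumptions for this example; scope names are Salesforce
OAuth scopes."""
from datetime import date

ELEVATED_SCOPES = {"full", "api", "refresh_token", "web"}
TRUSTED_NAMES = ["Data Loader"]             # official tool the article says was imitated
APPROVED_APPS = {"Data Loader", "Drift"}    # constructed approval allowlist
STALE_DAYS = 90

# Constructed inventory; "My Ticket Portal" is the app name quoted in the article.
SAMPLE_APPS = [
    {"name": "Data Loader", "scopes": {"api", "refresh_token"},
     "last_used": date(2025, 9, 1), "vetted": True},
    {"name": "DataLoader Pro", "scopes": {"full", "refresh_token"},
     "last_used": date(2025, 8, 28), "vetted": False},
    {"name": "My Ticket Portal", "scopes": {"full", "refresh_token"},
     "last_used": date(2025, 8, 30), "vetted": False},
    {"name": "Drift", "scopes": {"api", "refresh_token"},
     "last_used": date(2025, 8, 19), "vetted": True},
    {"name": "Integration", "scopes": {"api"},
     "last_used": date(2025, 4, 1), "vetted": True},
]

def normalize(name):
    """Lower-case and drop punctuation/spaces so 'DataLoader Pro' matches 'Data Loader'."""
    return "".join(ch for ch in name.lower() if ch.isalnum())

def audit(apps, today):
    """Map app name -> sorted issue tags for every app that needs review."""
    findings = {}
    for app in apps:
        issues = []
        if "full" in app["scopes"]:
            issues.append("full-access-scope")
        if not app["vetted"] and app["scopes"] & ELEVATED_SCOPES:
            issues.append("unvetted-elevated-scope")
        if app["name"] not in APPROVED_APPS:
            issues.append("not-on-allowlist")
            if any(normalize(t) in normalize(app["name"]) for t in TRUSTED_NAMES):
                issues.append("lookalike-name")
        if (today - app["last_used"]).days > STALE_DAYS:
            issues.append("stale-unused")
        if issues:
            findings[app["name"]] = sorted(issues)
    return findings

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_APPS, date(2025, 9, 15)).items():
        print(f"{name}: {', '.join(issues)}")
```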