According to the Google Threat Intelligence Group (GTIG), an advanced persistent threat (APT) group identified as UNC6040 has successfully compromised numerous organizations’ Salesforce environments.
The attackers exploited targeted voice phishing (vishing) tactics to trick employees into authorizing a malicious connected app, enabling them to exfiltrate large volumes of sensitive corporate data.
Malicious Apps Enable Large-Scale Data Exfiltration
Over the past several months, UNC6040 has demonstrated a high level of success by impersonating IT support personnel during social engineering phone calls.
Instead of exploiting inherent Salesforce software vulnerabilities, the group relied on manipulating end users, often in English-speaking branches of multinational companies, into granting unauthorized access to critical Salesforce environments.
At the heart of the attack strategy is the abuse of Salesforce’s “connected apps” functionality, specifically leveraging a modified version of Salesforce’s Data Loader tool.
During the vishing calls, attackers guided victims through the process of approving a fraudulent app on the Salesforce connected apps setup page.
According to the GTIG report, this app, often mimicking the appearance and function of the legitimate Data Loader but not authorized by Salesforce, was linked to attacker-controlled infrastructure.

Once approved, the malicious app enabled direct access to the victim’s Salesforce environment, allowing UNC6040 to query, export, and exfiltrate proprietary business data at scale.
Rising Threat to Cloud Environments
Technical evidence indicates that UNC6040 infrastructure, including servers hosting Okta phishing panels, was used to facilitate further credential harvesting and lateral movement.
Attackers frequently requested user credentials and multifactor authentication (MFA) codes in real time during the phone calls, allowing them to bypass security controls and add the rogue application.
The threat actors also utilized commercial VPN services such as Mullvad to mask their operational activity, complicating attribution and detection efforts.
Salesforce’s Data Loader tool is a legitimate platform utility designed for importing and exporting large data sets, available both through a user interface and command-line interface.
However, when abused via connected app authorization, threat actors can automate and scale data theft operations.
In some documented cases, attackers tweaked the Data Loader branding and chunk size settings to evade detection, and in one instance, named the application “My Ticket Portal” to match the vishing pretext provided to victims.
Incident response teams noted that once attackers obtained access, they acted quickly to exfiltrate as much data as possible before the intrusion was detected and credentials were revoked.
However, some extortion attempts only materialized several months after initial compromise, suggesting possible collaboration with secondary threat actors focused on monetizing stolen data.
In these cases, references to groups like “ShinyHunters” surfaced as part of the extortion pressure campaign.
The UNC6040 campaign underscores an alarming trend: targeting IT support personnel and abusing cloud application permissions rather than exploiting traditional software vulnerabilities.
With the proliferation of vishing and tailored social engineering, cloud environments, particularly those integrating third-party connected apps, are increasingly at risk.
Security experts highlight the need for robust cloud security configurations and user education.
Recommendations include least-privilege access for Data Loader and other tools, rigorous management of connected app permissions, enforcing IP-based access controls, and continuous monitoring through platforms such as Salesforce Shield.
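The monitoring and IP-based access control recommendations above can be turned into a simple detection over Salesforce API event logs. The script below is an added example written for this article, not GTIG or Salesforce code: it reads constructed CSV records shaped roughly like Salesforce Event Monitoring "API" EventLogFile rows (the column set is an assumption; map it to your own export) and flags connected apps outside an approved list, API calls from outside corporate egress ranges, and cumulative row counts per user and client that exceed a bulk-export threshold.

```python
"""Flag suspicious bulk exports through connected apps in Salesforce-style API event logs.

Constructed example illustrating the article's recommendations (connected-app
hygiene, IP-based access controls, continuous monitoring). Not GTIG or
Salesforce code. Column names are an assumption modelled on Salesforce Event
Monitoring "API" rows; the records, IP ranges and thresholds are constructed.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed policy: connected apps the org has approved, and corporate egress ranges.
APPROVED_CLIENTS = {"Salesforce Data Loader (corp build)", "Corp Integration Bus"}
CORPORATE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET-3, constructed
BULK_EXPORT_ROWS = 50_000  # cumulative rows per user+client before we call it a bulk export

# Constructed log: one legitimate integration on the corporate network, and an
# unapproved app named after the vishing pretext exporting from an external address.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP,USER_ID,CLIENT_NAME,CLIENT_IP,ENTITY_NAME,METHOD_NAME,ROWS_PROCESSED
API,20250601120000.000,005000000000001,Corp Integration Bus,203.0.113.10,Account,query,1200
API,20250601120500.000,005000000000001,Corp Integration Bus,203.0.113.10,Contact,query,3400
API,20250601131000.000,005000000000002,My Ticket Portal,198.51.100.77,Account,query,50000
API,20250601131200.000,005000000000002,My Ticket Portal,198.51.100.77,Contact,query,50000
API,20250601131500.000,005000000000002,My Ticket Portal,198.51.100.77,Opportunity,query,25000
"""


def parse_events(text):
    """Parse CSV event log text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def is_corporate_ip(ip):
    """True if the address falls inside one of the allowlisted egress ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETWORKS)


def analyze(events, approved=APPROVED_CLIENTS, bulk_rows=BULK_EXPORT_ROWS):
    """Return (rule, user_id, detail) findings, deduplicated per user and client."""
    findings = []
    seen = set()
    rows_by_actor = defaultdict(int)
    for e in events:
        if e["EVENT_TYPE"] != "API":
            continue
        user, client, ip = e["USER_ID"], e["CLIENT_NAME"], e["CLIENT_IP"]
        # Rule 1: a connected app that is not on the approved list is calling the API.
        key = ("unapproved_client", user, client)
        if client not in approved and key not in seen:
            seen.add(key)
            findings.append(key)
        # Rule 2: API traffic originating outside corporate egress ranges.
        key = ("off_network_api_call", user, ip)
        if not is_corporate_ip(ip) and key not in seen:
            seen.add(key)
            findings.append(key)
        # Accumulate rows so that small per-request chunks still add up.
        rows_by_actor[(user, client)] += int(e["ROWS_PROCESSED"] or 0)
    # Rule 3: cumulative rows exported per user+client crosses the bulk threshold.
    for (user, client), rows in rows_by_actor.items():
        if rows >= bulk_rows:
            findings.append(("bulk_export", user, f"{client}:{rows}"))
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_events(SAMPLE_LOG)):
        print(*finding, sep="\t")
```

Rule 3 sums rows across requests rather than alerting on any single large call, because, as the article notes, the attackers adjusted Data Loader chunk sizes; a per-request threshold is easy to stay under, while the total volume pulled by one user through one app is not.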
While multi-factor authentication remains a cornerstone of cloud defense, the tactics employed in this campaign highlight that user awareness and procedural safeguards are equally crucial.
This incident serves as a wake-up call for organizations leveraging SaaS platforms: while cloud providers deliver strong baseline security, customer-side diligence in configuration, monitoring, and user training is vital to defend against evolving social engineering techniques and malicious app abuse.
With threat actors refining these tactics, enterprises must remain vigilant and proactive in securing their cloud assets.