The Federal Bureau of Investigation (FBI), in coordination with CISA, has issued a security FLASH warning about two cybercriminal groups, UNC6040 and UNC6395, actively compromising Salesforce environments to steal sensitive corporate data.
The advisory, marked TLP: CLEAR, highlights how threat actors are using various intrusion tactics and provides a detailed set of Indicators of Compromise (IOCs) for defenders to detect and mitigate ongoing campaigns.
UNC6040: Vishing and Malicious Connected Apps
According to the FBI, since late 2024, UNC6040 has relied heavily on social engineering through voice phishing to gain initial access to Salesforce accounts.
The group’s operators typically impersonate IT support staff when calling organizations’ customer support or call center teams. By posing as employees resolving enterprise connectivity issues, they trick staff into providing account credentials or even multi-factor authentication (MFA) codes.
In many cases, victims are guided to visit the Salesforce “connected app” setup page and authorize what appears to be a legitimate application. In reality, UNC6040 deploys a trojanized version of Salesforce’s Data Loader as a malicious connected app.
Because the victim authorizes the connected app themselves, Salesforce issues that app its own OAuth tokens at the moment of consent. The attacker never performs an interactive login, so login monitoring and the MFA requirement, which the victim has already satisfied in their own session, do not block what follows. Once authorized, the malicious app can run large-scale API queries on the victim's behalf, enabling bulk exfiltration of customer data.
Some UNC6040 intrusions have also led to extortion demands, with victims receiving emails allegedly linked to the ShinyHunters group. These demands threatened exposure of stolen information in exchange for cryptocurrency, sometimes appearing days or months after the breach.
UNC6395: OAuth Token Exploitation
The FBI also identifies UNC6395 as conducting a separate wave of Salesforce-targeted attacks leveraging compromised OAuth tokens from third-party integrations.
In August 2025, UNC6395 actors used OAuth tokens belonging to the Salesloft Drift AI chatbot integration, which many organizations connect to their Salesforce orgs. Holding those tokens, the attackers accessed Salesforce instances directly and exfiltrated business-critical data.
On August 20, 2025, Salesforce and Salesloft revoked all affected Drift OAuth tokens, cutting off the attackers' active access. However, the FBI warns that unauthorized access could have persisted for weeks before the revocation, so organizations should hunt for earlier activity rather than assume the revocation ended their exposure.
Mitigations and IOCs
The FLASH lists dozens of IP addresses, URLs, and malicious user-agent strings tied to both UNC6040 and UNC6395 campaigns.
Recommendations include enforcing phishing-resistant MFA, restricting Salesforce access to approved IP ranges, closely monitoring API activity, and auditing all third-party integrations for unauthorized connected apps.
Organizations are strongly advised to train customer support staff on vishing tactics and to rotate API keys and tokens for third-party applications on a regular schedule. Any suspicious or related activity should be reported to the FBI via IC3.gov or a local field office.
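The monitoring recommendation above (watch API activity, audit connected apps, restrict source IPs) can be turned into a simple triage over Salesforce EventLogFile-style API records, which is where both the UNC6040 pattern (a user-authorized connected app pulling data in bulk) and the UNC6395 pattern (an otherwise legitimate integration's token used from unexpected infrastructure) show up. The following is an added example, not code from the FBI FLASH or from Salesforce. The column names approximate the fields Salesforce's API and Bulk API event types expose, the log rows are constructed, the approved-app and CIDR allow-lists are placeholders, the connected-app name "Drift" is an assumed label for the Salesloft integration, and the user-agent fragments are stand-ins to be replaced with the IOC strings published in the FLASH.

```python
"""
Triage Salesforce EventLogFile-like API events for the behaviours described in
the FBI FLASH on UNC6040 and UNC6395.

Added example, not the FLASH's or Salesforce's code. Field names approximate
Salesforce's API/BulkApi event types; sample rows, allow-lists and user-agent
patterns below are constructed placeholders.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Placeholder allow-lists (assumption): replace with the org's real values.
# "Drift" is deliberately approved: a UNC6395-style intrusion uses a legitimate
# integration's token, so the app name alone is not a signal.
APPROVED_CONNECTED_APPS = {"Salesforce for Outlook", "Internal ETL Loader", "Drift"}
APPROVED_CIDRS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]
# Stand-in fragments; substitute the user-agent IOCs from the FLASH.
SUSPICIOUS_UA_FRAGMENTS = ["python-requests", "Salesforce-Multi-Org-Fetcher"]
# Rows pulled by one user within the log window before we call it a bulk export.
BULK_ROWS_THRESHOLD = 50_000

# Constructed sample log in the CSV shape EventLogFile serves.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP,USER_ID,CLIENT_IP,CONNECTED_APP_NAME,USER_AGENT,ROWS_PROCESSED,ENTITY_NAME
API,20250810120000.000,005xx000001AAA,203.0.113.10,Salesforce for Outlook,SalesforceOutlook/3.0,120,Contact
BulkApi,20250810120500.000,005xx000001BBB,192.0.2.77,Ticket Portal Helper,python-requests/2.32.3,48000,Account
BulkApi,20250810120900.000,005xx000001BBB,192.0.2.77,Ticket Portal Helper,python-requests/2.32.3,31000,Contact
API,20250810121500.000,005xx000001CCC,198.51.100.5,Internal ETL Loader,Java/17 HttpClient,9000,Opportunity
BulkApi,20250810122000.000,005xx000001DDD,192.0.2.120,Drift,Salesforce-Multi-Org-Fetcher/1.0,60000,Case
"""


def parse_events(text):
    """Parse EventLogFile CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def ip_approved(ip):
    """True if the client IP falls inside one of the approved ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in APPROVED_CIDRS)


def triage(events):
    """Return {USER_ID: set(reasons)} for every user with at least one signal.

    Signals are evaluated per event; the row count is accumulated per user so
    that a series of moderately sized pulls still trips the bulk threshold.
    """
    rows_by_user = defaultdict(int)
    findings = defaultdict(set)
    for ev in events:
        user = ev["USER_ID"]
        reasons = set()
        if ev["CONNECTED_APP_NAME"] not in APPROVED_CONNECTED_APPS:
            reasons.add("unapproved_connected_app")
        if not ip_approved(ev["CLIENT_IP"]):
            reasons.add("ip_outside_approved_ranges")
        ua = ev["USER_AGENT"].lower()
        if any(frag.lower() in ua for frag in SUSPICIOUS_UA_FRAGMENTS):
            reasons.add("ioc_user_agent")
        rows_by_user[user] += int(ev["ROWS_PROCESSED"] or 0)
        if rows_by_user[user] >= BULK_ROWS_THRESHOLD:
            reasons.add("bulk_export_volume")
        if reasons:
            findings[user] |= reasons
    return dict(findings)


def main():
    for user, reasons in sorted(triage(parse_events(SAMPLE_LOG)).items()):
        print(f"{user}: {', '.join(sorted(reasons))}")


if __name__ == "__main__":
    main()
```

On the constructed sample, the user behind the unapproved "Ticket Portal Helper" app trips all four signals, while the user acting through the approved Drift integration is still flagged on IP range, user agent and volume, which is the point: for a UNC6395-style token compromise the allow-list is silent and the behavioural signals have to carry the detection. In practice the rows come from querying the EventLogFile object and downloading its LogFile body, and the allow-lists and IOC strings should be sourced from the org's configuration and the FLASH respectively.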