Do you use Salesforce at your business? If so, then you’ll want to watch out for a new phishing attack in which hackers aim to steal your Salesforce data.
In a blog post published Wednesday, Google’s Threat Intelligence Group explained how the attackers are using vishing, or voice phishing, to trick employees into granting access to Salesforce records. The goal is to steal large amounts of confidential data in an attempt to extort the victims. Here’s how it works.
Impersonating IT support staff, the criminals behind the campaign phone an unsuspecting employee at a targeted business. During the call, the employee is directed to what they are told is a Salesforce setup page and instructed to download and install an application called Salesforce Data Loader.
The Data Loader app itself is legitimate: it is Salesforce's own tool for importing, exporting, and updating records in bulk through the Salesforce APIs. The version offered on the attackers' page, however, is a modified build that the attackers control.
Once the app is installed and connected to the victim's Salesforce environment, the attackers can query and export sensitive records at will. According to Google, exfiltration typically begins immediately after access is obtained.
In some cases, the callers also ask the employee for their username, password, and multi-factor authentication codes, and then use those to export the Salesforce data themselves. Google observed the attackers reaching the Salesforce environments from Mullvad VPN IP addresses.
The attackers also sign in with usernames and passwords captured through credential harvesting or vishing. Armed with those credentials, they move laterally across the victim's other cloud services, including Microsoft 365 and Okta, and harvest data from those platforms as well.
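The sequence described above (an API client such as Data Loader authenticating from an IP the organization does not normally use, followed within minutes by large bulk exports) can be hunted for in login and bulk-job records. The check below is an added example and is not code from Google's report, ZDNET, or Salesforce. The records are constructed sample data; the field names follow Salesforce's LoginHistory object, but the "Data Loader" application string, the sample IP addresses, the trusted office range, and the export thresholds are all assumptions to be replaced with your org's own values.

```python
import csv
import io
import ipaddress
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). Field names follow Salesforce's
# LoginHistory object (UserId, LoginTime, SourceIp, Application, Status); the bulk
# job rows are a simplified stand-in for Bulk API job records. The "Data Loader"
# Application string is an assumption about how the client identifies itself.
LOGINS_CSV = """UserId,LoginTime,SourceIp,Application,Status
005A1,2025-05-12T14:02:11Z,10.20.30.41,Browser,Success
005B2,2025-05-12T14:10:05Z,203.0.113.17,Data Loader,Success
005C3,2025-05-12T15:00:00Z,10.20.30.99,Data Loader,Success
005D4,2025-05-12T15:30:00Z,203.0.113.80,Data Loader,Failed
"""

BULK_JOBS_CSV = """UserId,CreatedDate,Object,Operation,NumberRecordsProcessed
005B2,2025-05-12T14:14:40Z,Account,query,184000
005B2,2025-05-12T14:21:03Z,Contact,query,512000
005C3,2025-05-12T15:05:12Z,Lead,insert,120
"""

# Assumed corporate egress range; in practice take this from the org's Login IP Ranges.
TRUSTED_RANGES = [ipaddress.ip_network("10.20.30.0/24")]
EXPORT_WINDOW = timedelta(minutes=30)  # how soon after login an export counts as "immediate"
ROW_THRESHOLD = 10_000                  # total rows in bulk queries that warrants a look


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_trusted(ip, trusted_ranges):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted_ranges)


def load(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def suspicious_sessions(logins, jobs, trusted_ranges=TRUSTED_RANGES):
    """Flag successful non-browser (API client) logins from outside the trusted ranges
    that are followed within EXPORT_WINDOW by bulk query jobs exporting at least
    ROW_THRESHOLD rows in total. Returns (user, source_ip, application, rows_exported)."""
    findings = []
    for login in logins:
        if login["Status"] != "Success" or login["Application"] == "Browser":
            continue
        if is_trusted(login["SourceIp"], trusted_ranges):
            continue
        t0 = parse_ts(login["LoginTime"])
        exported = sum(
            int(job["NumberRecordsProcessed"])
            for job in jobs
            if job["UserId"] == login["UserId"]
            and job["Operation"] == "query"
            and t0 <= parse_ts(job["CreatedDate"]) <= t0 + EXPORT_WINDOW
        )
        if exported >= ROW_THRESHOLD:
            findings.append((login["UserId"], login["SourceIp"], login["Application"], exported))
    return findings


def hunt():
    """Run the check over the embedded sample data."""
    return suspicious_sessions(load(LOGINS_CSV), load(BULK_JOBS_CSV))


if __name__ == "__main__":
    for user, ip, app, rows in hunt():
        print(f"user {user}: {app} login from {ip} followed by bulk export of {rows} rows")
```

On the sample data only user 005B2 is flagged: a Data Loader login from an untrusted address followed by two bulk queries totalling 696,000 rows inside the window. The Data Loader login from the trusted range (005C3) and the failed login (005D4) are ignored. With real Event Monitoring data the same logic can be extended with a list of known VPN egress ranges, since the page notes the attackers came in over Mullvad.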
In its post, Google identified the group behind the attack as UNC6040, which specializes in voice phishing as a form of social engineering. But UNC6040 may not be working alone.
The actual extortion often doesn’t occur until several months after the initial attack. That could point to a second cybercrime group whose role is to monetize access to the data, according to Google. UNC6040 itself has even claimed to be working with hacking group ShinyHunters to pressure their victims into paying up.
Further, Google's Threat Intelligence researchers have seen other intrusions that resemble UNC6040's. They share certain tactics, techniques, and procedures (TTPs): impersonating IT support in a vishing call, targeting Okta credentials, and focusing on English-speaking users at multinational companies. Those overlaps place the activity alongside the loosely organized collective known as "The Com," though Google acknowledged that the similarities could simply mean the attackers operate in the same community rather than directly working together.
Also important to note is that the attacks don't stem from any vulnerability in Salesforce or in the other cloud-based services. Rather, the criminals rely on a familiar and reliably effective social engineering tactic: in these cases, employees comply with the requests of an unknown caller impersonating a trusted or official entity. Despite all the warnings and training employees receive about phishing and vishing, scammers know they can still find someone who will take the bait.
“Salesforce has enterprise-grade security built into every part of our platform, and there’s no indication the issue described stems from any vulnerability inherent to our services,” a Salesforce spokesperson said in a statement to ZDNET. “Attacks like voice phishing are targeted social engineering scams designed to exploit gaps in individual users’ cybersecurity awareness and best practices.”
Both Google and Salesforce offer tips on protecting your data from these types of scams. These include granting users only the permissions essential for their roles, managing access to connected applications, enforcing multi-factor authentication, setting up a limited range of trusted IP addresses for logins, looking at the security tools available through Salesforce Shield, and adding a specific security contact to your organization.