News

Hackers Are Stealing Salesforce Data, Google Warns

  • securityboulevard.com
  • published date: 2025-06-05 00:00:00 UTC

<p><strong>By Christy Lynch</strong></p>
<p>This post summarizes the <a href="https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion"><em>June 4, 2025 threat intelligence update from Google</em></a><em> and offers additional recommendations from Reveal Security based on similar and recently observed attack patterns targeting SaaS applications and cloud infrastructure.</em></p>
<p>Reveal Security monitors the overall cyber landscape for unique threats that can evade legacy detection methodologies. This UNC6040 campaign continues post-authentication, where many tools lose visibility. Our unique post-authentication approach adds a critical line of defense against this threat and other credential-based attack vectors.</p>
<h2 class="wp-block-heading">Summary of the Threat</h2>
<p>Google’s Threat Intelligence Team has identified an ongoing campaign by threat actor group UNC6040, in which attackers are stealing data from Salesforce and other SaaS applications. The attackers begin by socially engineering employees to steal credentials, then log into enterprise SaaS applications using residential proxy services to mask their location and blend in with legitimate traffic.</p>
<p>Once authenticated, the attackers conduct manual reconnaissance to identify valuable data, such as customer records or support tickets, and then exfiltrate the data using legitimate application features.</p>
<p>And the attackers don’t stop there.
According to the report:</p>
<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow"> <p><strong>“Following this initial data theft, UNC6040 was observed leveraging end-user credentials obtained through credential harvesting or vishing to move laterally through victim networks, accessing and exfiltrating data from other cloud platforms such as Okta and Microsoft 365.”</strong></p> </blockquote>
<p>In some cases, this stolen data is used in extortion attempts against the affected companies.</p>
<h2 class="wp-block-heading">Attack Flow</h2>
<p>According to Google’s report, the attack typically unfolds in the following stages:</p>
<ol class="wp-block-list">
 <li><a href="https://cloud.google.com/blog/topics/threat-intelligence/technical-analysis-vishing-threats"><strong>Social Engineering (Vishing)</strong></a><strong>:</strong> Attackers impersonate IT or helpdesk personnel over voice calls to trick employees into revealing their login credentials or accepting MFA prompts.</li>
 <li><strong>Geographic Evasion via Residential Proxies: </strong>The attackers use residential proxy services to make their login attempts appear to originate from expected locations, helping them evade detection or geo-based access policies.</li>
 <li><strong>SaaS Access and Data Theft: </strong>With valid credentials, attackers log into apps like Salesforce, search for sensitive customer or business data, and extract it using built-in tools such as data export features or report generation.</li>
 <li><strong>Extortion: </strong>In several cases, attackers followed up by contacting victim organizations and demanding payment under the threat of data exposure or sale.</li>
</ol>
<p>The attackers appear highly familiar with Salesforce’s user interface and data structures, enabling them to navigate and extract data efficiently while staying within the broader bounds of normal user behavior.</p>
<h2 class="wp-block-heading">Attribution and Targeting</h2>
<p>UNC6040 is a financially
motivated group that Google has been tracking since 2023. This campaign does not rely on malware or exploits but instead uses legitimate credentials and authorized application behavior, making detection particularly difficult.</p>
<p>The attacks appear opportunistic rather than industry-specific. Organizations using Salesforce and other major SaaS platforms for customer service or case management are at heightened risk.</p>
<h2 class="wp-block-heading">Detection and Mitigation Challenges</h2>
<p>Several factors make these attacks difficult to detect:</p>
<ul class="wp-block-list">
 <li><strong>Post-authentication activity is low-signal: </strong>Because the attacker logs in with valid credentials and behaves in ways consistent with normal user patterns, traditional security tools may not flag the activity.</li>
 <li><strong>Proxy evasion techniques:</strong> Residential proxies obscure attacker location and help bypass geolocation-based risk scoring or conditional access policies.</li>
 <li><strong>No malware, no exploits: </strong>The absence of malicious payloads or endpoint-based indicators further limits detection opportunities for EDR and traditional SIEM tools.</li>
</ul>
<p>Google emphasizes that session monitoring, anomaly detection, and granular audit logs are critical to identifying these kinds of intrusions.
<a href="https://security.salesforce.com/">Salesforce customers can review their security documentation here.</a></p>
<h2 class="wp-block-heading">How Reveal Security Helps</h2>
<p>Reveal Security provides visibility into <a href="https://www.reveal.security/protect-saas-applications/">post-authentication user activity across SaaS applications like Salesforce</a>, enabling organizations to detect the exact kind of behavior seen in this campaign.</p>
<p>By analyzing human and non-human identity behavior to learn what is typical, Reveal detects behavioral anomalies that suggest misuse and impersonation even when the attacker uses valid credentials and operates from approved locations.</p>
<p>Reveal Security’s detection capabilities include:</p>
<ul class="wp-block-list">
 <li>Unusual report generation or data export behavior</li>
 <li>Access to atypical records or dashboards</li>
 <li>Session hijacking indicators or off-hours activity inconsistent with user history</li>
 <li>And more.</li>
</ul>
<p>Post-authentication behavioral monitoring in SaaS and cloud is often the only way to distinguish attacker actions from those of legitimate users.</p>
<p>To learn more about how Reveal Security can protect against threats targeting data in Salesforce and other SaaS platforms, visit <a href="https://www.reveal.security/">https://www.reveal.security/</a>.</p>
<p>The post <a href="https://www.reveal.security/blog/hackers-are-stealing-salesforce-data-google-warns/">Hackers Are Stealing Salesforce Data, Google Warns</a> appeared first on <a href="https://www.reveal.security/">RevealSecurity</a>.</p>
<p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://www.reveal.security/">RevealSecurity</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Pazs">Pazs</a>. Read the original post at: <a href="https://www.reveal.security/blog/hackers-are-stealing-salesforce-data-google-warns/">https://www.reveal.security/blog/hackers-are-stealing-salesforce-data-google-warns/</a></p>
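<p>The signals this post lists (unusual report export volume, off-hours activity, and sessions from addresses a user has never used) can be checked against each user's own history in audit logs. The following is an added example, not Reveal Security's code or Salesforce's API: it assumes constructed, simplified rows shaped like Salesforce EventLogFile columns, with invented user IDs, IP addresses and timestamps.</p>

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed rows shaped like Salesforce EventLogFile columns
# (USER_ID, TIMESTAMP_DERIVED, CLIENT_IP, EVENT_TYPE); values are invented and
# the timestamp is a simplified ISO form without the trailing ".000Z".
BASELINE = [("u01", f"2025-05-0{d}T{h:02d}:00:00", "203.0.113.10", "ReportExport")
            for d, h in ((5, 9), (6, 10), (7, 14), (8, 11), (9, 16))]
OBSERVED = [("u01", f"2025-06-02T02:{m:02d}:00", "198.51.100.7", "ReportExport")
            for m in (10, 14, 19, 25, 31, 40)]

def build_profiles(rows):
    """Per-user history: exports per active day, hours of activity, client IPs seen."""
    daily, hours, ips = defaultdict(Counter), defaultdict(set), defaultdict(set)
    for user, ts, ip, etype in rows:
        when = datetime.fromisoformat(ts)
        hours[user].add(when.hour)
        ips[user].add(ip)
        if etype == "ReportExport":
            daily[user][when.date()] += 1
    return {u: {"mean": mean(list(daily[u].values()) or [0]),
                "sd": pstdev(list(daily[u].values()) or [0]),
                "hours": hours[u], "ips": ips[u]} for u in hours}

def score_day(profiles, rows, k=3.0, min_slack=2):
    """Flag users whose day deviates from their own history; returns {user: [reasons]}."""
    reasons, exports = defaultdict(set), Counter()
    for user, ts, ip, etype in rows:
        prof = profiles.get(user)
        if prof is None:
            reasons[user].add("no baseline for user")
            continue
        hour = datetime.fromisoformat(ts).hour
        lo, hi = min(prof["hours"]) - 1, max(prof["hours"]) + 1   # one hour of slack
        if not lo <= hour <= hi:
            reasons[user].add(f"off-hours activity at {hour:02d}h (usual {lo + 1:02d}-{hi - 1:02d}h)")
        if ip not in prof["ips"]:
            reasons[user].add(f"never-seen client IP {ip}")
        if etype == "ReportExport":
            exports[user] += 1
    for user, n in exports.items():   # users without a profile never reach here
        prof = profiles[user]
        limit = prof["mean"] + max(k * prof["sd"], min_slack)   # k sigma, but at least min_slack
        if n > limit:
            reasons[user].add(f"{n} report exports vs. usual {prof['mean']:.1f}/day")
    return {u: sorted(r) for u, r in reasons.items()}

if __name__ == "__main__":
    for user, why in score_day(build_profiles(BASELINE), OBSERVED).items():
        print(user, "->", "; ".join(why))
```

A single flag is low-signal on its own; the value is in the combination for one user on one day, which is why the function accumulates reasons rather than alerting on the first one.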