Incident Watch

UNC6040 Vishing Campaigns Target Salesforce for Data Theft

UNC6040, a threat group that specializes in voice phishing (vishing), has successfully gained access to over 20 organizations' Salesforce environments.

What Happened: The UNC6040 threat group recently infiltrated around 20 organizations. They posed as IT support and tricked employees into installing a malicious version of Salesforce’s Data Loader. This action gave attackers broader access to the organizations’ SaaS environments. 

How the Attack Unfolded: UNC6040 specializes in vishing (voice phishing) campaigns. This is a type of social engineering, which manipulates human users into making security mistakes. 

  • Attackers instructed employees to visit a real Salesforce page and approve the malicious version of the Data Loader app
  • By doing so, employees unintentionally exposed sensitive credentials and MFA codes
  • From there, attackers stole data from the organizations’ Salesforce environments before moving on to other platforms like Okta, M365, and Workplace

Why This Matters: Customers and users play a critical role in making sure their environments are secure. 

  • Speaking on the incident, Salesforce maintains that security is a shared responsibility between vendors and customers. While vendors like Salesforce maintain the security of the app’s underlying infrastructure, customers must control data access. 

Taking a Step Back: 

  • Humans are often the weakest link in the security chain. Despite robust technical safeguards, social engineering tactics like vishing exploit human vulnerabilities, leading to unintentional security breaches.
  • The interconnectedness of modern SaaS environments amplifies risk. A single compromised credential or access point can become a pivot point for attackers, allowing them to traverse across multiple SaaS applications and internal systems.

Prevention Methods: 

  • General Strategies: 
    • Educate staff on vishing and social engineering threats
    • Educate staff on fake SSO phishing sites
    • Ensure staff are only granted the permissions needed for their role
    • Control access to Connected Applications
    • Restrict access to named IP ranges
  • For Obsidian customers: 
    • Monitor Obsidian alerts for any related to Salesforce or Okta
    • Use Obsidian’s Browser Extension to detect and automatically block Identity Takeovers (ATO) from advanced phishing kits (such as evilginx reverse proxy websites)
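An added example, not from the original post or any Obsidian product, of how the last two general strategies can be turned into a detection check. It scans constructed login records whose field names are assumed to mirror Salesforce LoginHistory (Application, SourceIp, UserId, Status), and flags successful logins from connected apps not on an allowlist or from outside the named IP ranges; the allowlist, ranges and records are all assumptions for the demonstration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample records. Field names are assumed to mirror Salesforce
# LoginHistory; values are illustrative only (RFC 5737 test addresses).
SAMPLE_LOGINS = [
    {"UserId": "u001", "Application": "Browser", "SourceIp": "203.0.113.10", "Status": "Success"},
    {"UserId": "u002", "Application": "Data Loader", "SourceIp": "203.0.113.25", "Status": "Success"},
    {"UserId": "u003", "Application": "Data Loader", "SourceIp": "198.51.100.7", "Status": "Success"},
    {"UserId": "u004", "Application": "Unknown Ticket Tool", "SourceIp": "203.0.113.40", "Status": "Success"},
    {"UserId": "u005", "Application": "Data Loader", "SourceIp": "198.51.100.9", "Status": "Failed"},
]

# Assumed org policy: named IP ranges and the connected apps that are approved.
ALLOWED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
APPROVED_APPS = {"Browser", "Data Loader"}
# Clients capable of bulk export deserve a more specific finding.
BULK_CLIENTS = {"Data Loader"}


@dataclass(frozen=True)
class Finding:
    user_id: str
    application: str
    source_ip: str
    reason: str


def check_login(rec, allowed_ranges=ALLOWED_RANGES, approved_apps=APPROVED_APPS):
    """Return the findings for one login record (empty list if nothing stands out)."""
    findings = []
    if rec["Status"] != "Success":
        return findings  # a failed login granted no access; review those separately
    app, src = rec["Application"], rec["SourceIp"]
    ip = ipaddress.ip_address(src)
    in_named_range = any(ip in net for net in allowed_ranges)
    if app not in approved_apps:
        findings.append(Finding(rec["UserId"], app, src, "connected app not on allowlist"))
    if not in_named_range:
        reason = ("bulk data client used outside named IP ranges" if app in BULK_CLIENTS
                  else "login outside named IP ranges")
        findings.append(Finding(rec["UserId"], app, src, reason))
    return findings


def scan_logins(records, allowed_ranges=ALLOWED_RANGES, approved_apps=APPROVED_APPS):
    """Run check_login over every record and flatten the findings."""
    return [f for rec in records for f in check_login(rec, allowed_ranges, approved_apps)]


if __name__ == "__main__":
    for finding in scan_logins(SAMPLE_LOGINS):
        print(finding)
```

A login restriction in Salesforce itself would block the out-of-range session outright; this check is the audit-side view for environments where that control is not yet enforced for every profile.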
