Date: 2025-09-15

The FBI on Sept. 12 released a FLASH advisory to share indicators of compromise (IoCs) associated with recent malicious activity by threat actors gaining access to Salesforce accounts.

According to the FBI, the two threat groups identified were UNC6040 and UNC6395.

Both groups are international crime organizations not tied to any one nation-state, but UNC6040 has been associated with the Shiny Hunters group, which operates mostly on the dark web, where it sells stolen data to other criminal groups.

The FBI reports that since October 2024, UNC6040 actors have leveraged voice phishing (vishing) to gain access to organizations’ Salesforce accounts. In doing so, UNC6040 threat actors typically call victims’ call centers posing as IT support employees addressing enterprise-wide connectivity issues.

Under the guise of closing an auto-generated ticket, the FBI said UNC6040 actors then trick customer support employees into taking actions that grant the attackers access or lead to the sharing of employee credentials. This gives them access to targeted companies’ Salesforce instances to exfiltrate customer data.

On the UNC6395 front, the FBI said that in August 2025, the UNC6395 actors exploited compromised OAuth tokens for the Salesloft Drift application, an AI chatbot that can be integrated with Salesforce. Using the compromised OAuth tokens and third-party app integration, the FBI said UNC6395 threat actors then compromised victims’ Salesforce instances and exfiltrated data.

Randolph Barr, chief information security officer at Cequence Security, said the FBI’s FLASH alert revealed a growing threat pattern where attackers exploit legitimate, authorized access to cloud environments like Salesforce, not through malware or brute force, but through what’s known as business logic abuse.

"In both the UNC6040 and UNC6395 campaigns, attackers are not exploiting software vulnerabilities in the traditional sense," said Barr. "Instead, they are misusing normal functionality, like OAuth integrations and API calls, to carry out malicious objectives in ways that appear legitimate to most systems."

Here's Barr's analysis: UNC6040 used social engineering to trick employees into authorizing a malicious OAuth app (e.g., “My Ticket Portal”), which then used Salesforce’s standard APIs to mass-exfiltrate data. UNC6395 operated more quietly, leveraging already-approved third-party apps like Drift or Salesloft to access sensitive data such as outreach logs and chat transcripts, all through standard, permitted API behavior.

Amir Khayat, co-founder and CEO of Vorlon, added that the FBI report showed UNC6040 registering malicious apps inside Salesforce trial accounts, a loophole that let them stage OAuth abuse without touching a corporate environment until it was too late. Once approved, Khayat said those apps operated with trusted privileges that bypassed MFA.

"The FBI report also confirms UNC6395 weaponized compromised Salesloft Drift OAuth tokens, turning a single trusted AI chatbot integration into a backdoor for Salesforce data across multiple enterprises," said Khayat. "These tokens carried the same authority as a legitimate app, making traditional identity checks useless."
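
Because both campaigns used permitted OAuth and API behavior, detection has to look at which connected app is pulling data and how much. The following is an added example, not taken from the article or the FBI advisory; the event schema, the approved-app list, the hourly baselines and the 10x threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Assumption: connected apps the organization has approved, each with a
# typical records-per-hour baseline. Names and numbers are illustrative.
APPROVED_APPS = {"Drift": 500, "Internal Reporting": 2000}

# Constructed sample events in a hypothetical normalized schema:
# (hour bucket, user, connected app, records returned by API calls)
EVENTS = [
    ("2025-01-06T09", "svc-drift", "Drift", 120),
    ("2025-01-06T10", "svc-drift", "Drift", 140),
    ("2025-01-06T11", "svc-drift", "Drift", 48000),
    ("2025-01-06T11", "jdoe", "My Ticket Portal", 15000),
    ("2025-01-06T11", "asmith", "Internal Reporting", 900),
]

def find_suspicious(events, approved=APPROVED_APPS, factor=10):
    """Return sorted (hour, app, reason, users) findings.

    unapproved_app: any API activity from an app not on the approved list,
                    the pattern of a user tricked into authorizing an app.
    volume_spike:   an approved app returning more than factor x its
                    baseline in one hour, the pattern of a stolen token
                    for a trusted integration being used to pull data.
    """
    totals = defaultdict(int)
    users = defaultdict(set)
    for hour, user, app, records in events:
        totals[(hour, app)] += records
        users[(hour, app)].add(user)

    findings = []
    for (hour, app), total in totals.items():
        if app not in approved:
            reason = "unapproved_app"
        elif total > factor * approved[app]:
            reason = "volume_spike"
        else:
            continue
        # Users are listed so responders know whose grants/tokens to revoke.
        findings.append((hour, app, reason, sorted(users[(hour, app)])))
    return sorted(findings)

if __name__ == "__main__":
    for hour, app, reason, who in find_suspicious(EVENTS):
        print(f"{hour} {app}: {reason} (users: {', '.join(who)})")
```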