Attack kill chain: how hackers layer tactics inside Salesforce

From weaponized file uploads and QR-redirected phishing to credential theft and mass exfiltration, attackers stitch a kill chain out of everyday Salesforce actions. Layered, in-platform detection severs that chain in real time.

A normal upload. A breach in the making.

It starts with something routine.
A customer uploads a PDF.
A partner adds a link in a Case comment.
A contractor logs in with credentials reused from another service.

Nothing unusual, but minutes later, data starts moving through an authorized app via API.

That’s how modern Salesforce breaches begin.
Attackers don’t break in; they use what’s already open: portals, forms, and trusted integrations.
They hide links behind QR codes, register look-alike domains, and act through legitimate accounts that no one suspects.

Salesforce is built for connection. It’s where customer data lives, deals close, and automation keeps the business running.
That same openness makes it a prime target.

Defending Salesforce starts with seeing every move inside the platform, beginning with the first upload.

How a layered attack unfolds inside Salesforce

Attackers operate in sequences, not single actions.
Each move sets up the next, leading step by step toward their goal: persistence, data theft, or leverage for extortion.

Security teams often call this the attack kill chain: the sequence of stages an adversary moves through, from first access to final impact.

They don’t always start with a malware-laden file. Many begin by looking for entry points: a web form, an Experience Cloud portal, an email-to-case inbox, or stolen credentials that let them impersonate a user and gain valid access. Once an entry works, the chain begins.

Let’s look at how those attack chains form inside Salesforce, and how real-time detection can break them before damage hits.

When entry looks legitimate

It starts with a normal upload like an RFP response to an Experience Cloud portal, an invoice attached to an email-to-case, or a document submitted via web-to-lead.
Inside the PDF is a QR code. The QR code includes a short link. Scanning it opens a mobile browser that lands on a login form hosted on a newly registered domain.

Figure 1. Evasive attack tactics hide behind multiple layers.

Salesforce will store the file by default; the platform does not inspect every embedded QR or decode its destination URL. That gap is enough. A busy support agent scans the QR on their phone for convenience, signs in, and the attacker captures the credentials on their server. The attacker can then reuse those details to log in or create a connected app.

That’s a routine activity turned into a credential-harvesting event.

Figure 2. Fake Microsoft login pages used in credential-harvesting campaigns targeting Salesforce instances. The design is near-identical to the real service, but the domain is newly registered.

When layers hide layers

A user who appears to be a partner adds a shortlink in a Case comment inside Experience Cloud.
At first glance, it looks harmless, just a link to shared documentation or a status page.
In reality, the shortlink expands to a redirector, which then points to a phishing site cloned from Salesforce’s own login page.

Because this link lives entirely inside Salesforce data, email filters never see it. No alarms.
Each redirect strips a layer of context — bit.ly to redirector to fake domain — all executed in a matter of moments when a user clicks.

By the time someone enters credentials, the attacker has the session and moves on to create persistence.

When access turns into persistence

After initial access, attackers often seek persistence. Let’s break down the common paths.

One, they log in with stolen credentials and create long-term access, for example by authorizing a connected app and obtaining refresh tokens.

Two, they use the credentials directly to perform actions under the compromised account. That looks like normal user activity: API calls, exports, scheduled jobs. This makes it hard to spot with standard tools.

Both approaches let attackers move slowly and quietly. There may be no traditional malware and no anomaly to flag. The activity runs through legitimate and trusted processes.

In a 2025 campaign, phishers impersonated Salesforce support and used a cloned MFA page to capture username, password, and an MFA code. The attacker relayed those credentials to complete the login and generate session tokens. In that incident, WithSecure Cloud Protection for Salesforce detected the phishing URL and blocked the page inside the portal before any token issuance could be abused for large-scale extraction.

Figure 3. A phishing link in a campaign impersonating Salesforce led to a cloned login and MFA page containing a small but telling typo, one of the subtle cues that give fake portals away.

When exfiltration looks like business as usual

At the final stage, the objective is simple: get the data out of Salesforce.
Attackers often do it through the same functions everyone else uses, like report exports, Data Loader jobs, or API syncs run through connected apps. Each of these looks like standard business activity, so there are no alarms ringing.
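Because each export on its own looks like ordinary work, the signal is volume over time, not any single event. The following is an added example (not WithSecure's code) of how a defender might surface that pattern from activity logs. The log lines are constructed for this example and only loosely modelled on the CSV layout of Salesforce Event Log Files; the column names are an assumption, not the platform's real schema.

```python
"""Added example (not WithSecure's code): flag bulk data movement hiding
inside ordinary Salesforce activity such as report exports and API reads.

The log below is constructed for this example and only loosely modelled on
the CSV layout of Salesforce Event Log Files; the column names are an
assumption, not the platform's real schema.
"""
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP,USER_ID,CLIENT_IP,ROWS_PROCESSED
ReportExport,2025-10-01T09:12:00Z,005AAA,203.0.113.10,420
API,2025-10-01T09:30:00Z,005AAA,203.0.113.10,1500
ReportExport,2025-10-01T10:02:00Z,005BBB,198.51.100.7,300
Login,2025-10-01T02:08:00Z,005CCC,192.0.2.55,0
API,2025-10-01T02:10:00Z,005CCC,192.0.2.55,80000
API,2025-10-01T02:14:00Z,005CCC,192.0.2.55,80000
API,2025-10-01T02:19:00Z,005CCC,192.0.2.55,80000
"""

# Event types through which records leave the org in bulk.
EXPORT_EVENTS = {"ReportExport", "API", "BulkApi"}


def parse_log(text: str) -> List[Dict]:
    """Parse the CSV and sort by time so the sliding window works on unordered input."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["TIMESTAMP"], "%Y-%m-%dT%H:%M:%SZ")
        r["rows"] = int(r["ROWS_PROCESSED"])
    rows.sort(key=lambda r: r["ts"])
    return rows


def detect_bulk_exfil(rows: List[Dict], window: timedelta = timedelta(hours=1),
                      threshold: int = 100_000, quiet_hours=(0, 6)) -> List[Dict]:
    """Alert once per user when rows read/exported within `window` exceed
    `threshold`. No single event is suspicious; the volume over time is."""
    recent = defaultdict(deque)   # user -> deque of (ts, rows) inside the window
    total = defaultdict(int)      # user -> rows currently inside the window
    alerts, alerted = [], set()
    for r in rows:
        if r["EVENT_TYPE"] not in EXPORT_EVENTS:
            continue
        user = r["USER_ID"]
        q = recent[user]
        q.append((r["ts"], r["rows"]))
        total[user] += r["rows"]
        while q and r["ts"] - q[0][0] > window:   # drop events that fell out of the window
            _, old = q.popleft()
            total[user] -= old
        if total[user] > threshold and user not in alerted:
            alerted.add(user)
            alerts.append({
                "user": user,
                "rows": total[user],
                "events": len(q),
                "client_ip": r["CLIENT_IP"],
                "first_seen": q[0][0].isoformat(),
                "last_seen": r["ts"].isoformat(),
                # Off-hours is supporting context for the analyst, not a trigger on its own.
                "off_hours": quiet_hours[0] <= r["ts"].hour < quiet_hours[1],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_exfil(parse_log(SAMPLE_LOG)):
        print(alert)
```

In the constructed sample, the two daytime users stay well under the threshold, while the third account crosses it on its second 80,000-row read at 02:14 and produces one alert with the window's totals and the client IP for triage. The threshold and window are tuning knobs; in practice they would be set from each org's observed baseline.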

In several recent extortion cases, attackers stole Salesforce records, including customer data, and used them for pressure campaigns. When victims refused to pay, their data later appeared on leak sites. Once an attacker reaches Salesforce data, they already hold leverage.

For defenders, that means two risks: operational downtime if systems are locked down, and reputational damage if customer data is exposed. Both are hard to recover from without clear visibility into what happened.

Incident response teams face a hard truth inside Salesforce: there’s limited telemetry and traditional forensics tools weren’t built for the platform.

Signals from the field – 2025

WithSecure telemetry recorded a 20-fold increase in detections per million scanned files between late 2024 and early 2025. 27% of file-based threat detections were image files containing embedded QR codes. Based on the threat telemetry, a single Salesforce org contains on average 900 malicious URLs.

Attackers are layering their tactics to hide malicious intent where traditional tools rarely look: QR codes hide links, new domains replace blocked ones, and trusted SaaS tools become the distribution channel.

The first sign of trouble is often a routine interaction inside Salesforce.

Breaking the chain from the inside

To stop a layered attack, detection has to look at the same layers.
That’s why WithSecure Cloud Protection for Salesforce, as a native Salesforce app, operates inside the Salesforce platform itself and inspects every file and link in real time.

It detects zero-day malware, obfuscated quishing campaigns, and user credential compromises before the risk escalates, directly inside the Salesforce environment. It also monitors credential risks of Salesforce community users; external users are a blind spot that traditional tools miss.

Let’s look at how the attack chain is stopped from progressing inside Salesforce.

Catching files at entry

Every file upload and download is scanned and analyzed in real time.
All established file types are unpacked and inspected for hidden malicious content, such as malware and ransomware scripts, and for embedded URLs. Encrypted or password-protected archives and files are blocked.
If a link points to a new or risky domain, it’s blocked before anyone clicks.

Behavioral analysis then looks deeper, not at what a file looks like or what its declared file type says, but at what it tries to do.
Does it behave unlike an image file should?
Attempt encryption or script execution?

Suspicious behaviors trigger an instant block and alert.

Catching hidden phishing links

The solution also inspects links stored inside Salesforce: in free-text fields of records and comments, and inside uploaded files.

Links and QR codes are thoroughly decoded and inspected for reputation and domain age.
URL Protection scans twice: once when content is posted, and again when it’s clicked or otherwise interacted with. Agentforce actions also trigger the analysis.

The same mechanism rescans files when users download them, so new detections apply even to files that were stored earlier.

This double check catches delayed and time-bombed threats, a common trick in targeted phishing.

Figure 4. WithSecure Cloud Protection for Salesforce detects and blocks malicious URLs like phishing links at the time of post and click to neutralize evasive threats.
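The redirect chain described under "When layers hide layers" and the post-time link inspection described in this section can be illustrated with a small offline scanner. This is an added example, not WithSecure's code or a description of how the product works: it pulls URLs out of a Case comment, follows each through a redirect chain, and blocks the link when the final destination lands off the visible domain or on a freshly registered one. The resolver, the redirect map and the domain registration dates are constructed stand-ins for the HEAD requests and WHOIS/RDAP lookups a real scanner would make.

```python
"""Added example (not WithSecure's code): walk a link found in a Salesforce
Case comment through its redirect chain and decide whether to block it.

Everything below runs offline: the resolver, redirect map and domain
registration dates are constructed stand-ins (assumptions) for the HEAD
requests and WHOIS/RDAP lookups a real scanner would make.
"""
import re
from dataclasses import dataclass, field
from datetime import date
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Matches http(s) URLs in free text; stops at whitespace and common delimiters.
URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)

# Constructed chain: shortlink -> redirector -> look-alike login page.
FAKE_REDIRECTS: Dict[str, str] = {
    "https://short.example/x9k2": "https://redir.example/go?id=7731",
    "https://redir.example/go?id=7731": "https://login-salesforce-support.example/auth",
}

# Constructed registration dates, standing in for a WHOIS/RDAP lookup.
FAKE_REGISTRATION: Dict[str, date] = {
    "docs.example": date(2015, 3, 1),
    "login-salesforce-support.example": date(2025, 9, 20),
}


def fake_resolve(url: str) -> Optional[str]:
    """Return the Location a HEAD request would yield, or None for a final page."""
    return FAKE_REDIRECTS.get(url)


@dataclass
class LinkVerdict:
    visible_url: str                       # what the user sees in the comment
    chain: List[str] = field(default_factory=list)
    final_url: str = ""
    reasons: List[str] = field(default_factory=list)

    @property
    def blocked(self) -> bool:
        return bool(self.reasons)


def extract_urls(text: str) -> List[str]:
    return URL_RE.findall(text)


def expand_chain(url: str, resolve: Callable[[str], Optional[str]],
                 max_hops: int = 10) -> Tuple[List[str], bool]:
    """Follow redirects hop by hop. Returns (chain, truncated); truncated is
    True on a redirect loop or when max_hops is exceeded."""
    chain, seen = [url], {url}
    while len(chain) <= max_hops:
        nxt = resolve(chain[-1])
        if nxt is None:
            return chain, False
        if nxt in seen:
            return chain, True
        chain.append(nxt)
        seen.add(nxt)
    return chain, True


def registrable_domain(url: str) -> str:
    """Last two host labels; adequate for the constructed data here (a real
    scanner would consult the Public Suffix List)."""
    host = urlparse(url).hostname or ""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def assess_link(url: str, resolve: Callable[[str], Optional[str]],
                registered: Dict[str, date], today: date,
                min_age_days: int = 30) -> LinkVerdict:
    chain, truncated = expand_chain(url, resolve)
    verdict = LinkVerdict(visible_url=url, chain=chain, final_url=chain[-1])
    if truncated:
        verdict.reasons.append("redirect loop or too many hops")
    src, dst = registrable_domain(url), registrable_domain(chain[-1])
    if len(chain) > 1 and src != dst:
        verdict.reasons.append(f"redirects off-domain: {src} -> {dst}")
    registered_on = registered.get(urlparse(chain[-1]).hostname or "")
    if registered_on is None:
        verdict.reasons.append("final domain has no registration record")
    elif (today - registered_on).days < min_age_days:
        verdict.reasons.append(f"final domain registered {(today - registered_on).days} days ago")
    return verdict


def scan_case_comment(text: str, resolve=fake_resolve,
                      registered: Dict[str, date] = FAKE_REGISTRATION,
                      today: date = date(2025, 10, 1)) -> List[LinkVerdict]:
    """Assess every URL in a comment body. A QR decoder feeding its payload
    into the same function would cover links hidden in images."""
    return [assess_link(u, resolve, registered, today) for u in extract_urls(text)]


if __name__ == "__main__":
    comment = ("Updated docs: https://docs.example/runbook and status: "
               "https://short.example/x9k2")
    for v in scan_case_comment(comment):
        print(v.visible_url, "->", v.final_url, "BLOCK" if v.blocked else "allow", v.reasons)
```

Run on the constructed comment, the documentation link resolves to itself on a long-registered domain and is allowed, while the shortlink expands through the redirector to a look-alike login page registered eleven days before the scan and is blocked on two grounds. Rescanning the same stored comment on click, with a fresh `today` and a fresh resolver, is what catches a destination that was benign at post time and changed later.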

Containing compromised user identities

Identity Protection capability in WithSecure Cloud Protection for Salesforce continuously monitors internal and community user accounts for exposure in third-party credential breaches.

It matches encrypted email addresses against verified breach feeds and flags compromised users directly inside Salesforce. Admins can then revoke sessions and force password resets before an attacker reuses those credentials.

This stops credential compromise from turning into long-term persistence and gives security teams a verifiable response trail when regulators request proof of action.

The capability leverages both public and dark web breach intel, detecting compromised credentials up to 6 months earlier than open-source tools.
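The page does not describe how the matching of "encrypted" addresses against breach feeds is done. The following is an added example, not WithSecure's implementation, of one privacy-preserving way to do it: hash each internal and community user's address, send only a short hash prefix to the feed, and compare the returned suffixes locally, in the style of k-anonymity range queries. The users and the breach feed are constructed sample data.

```python
"""Added example (not WithSecure's code): check internal and community user
e-mail addresses against a breach feed without sending the addresses
themselves, then list the containment steps for each hit.

The matching scheme (hashed range query in the style of k-anonymity APIs)
is an assumption; the users and breach feed are constructed sample data.
"""
import hashlib
import hmac
from collections import defaultdict
from typing import Callable, Dict, List, Set

PREFIX_LEN = 5  # hex chars sent to the feed; the remainder never leaves the org


def normalize_email(email: str) -> str:
    """Trim and lower-case so that case or whitespace variants hash identically."""
    return email.strip().lower()


def email_digest(email: str) -> str:
    return hashlib.sha256(normalize_email(email).encode("utf-8")).hexdigest()


def build_fake_feed(breached_emails: List[str]) -> Dict[str, Set[str]]:
    """Constructed breach feed: digest prefix -> set of digest suffixes."""
    feed: Dict[str, Set[str]] = defaultdict(set)
    for e in breached_emails:
        d = email_digest(e)
        feed[d[:PREFIX_LEN]].add(d[PREFIX_LEN:])
    return feed


def find_compromised(users: List[Dict], range_query: Callable[[str], Set[str]]) -> List[Dict]:
    """Return the users whose address appears in the feed. Only the digest
    prefix is sent out; the suffix comparison happens locally in constant time."""
    hits = []
    for u in users:
        d = email_digest(u["email"])
        candidates = range_query(d[:PREFIX_LEN])
        if any(hmac.compare_digest(d[PREFIX_LEN:], s) for s in candidates):
            hits.append(u)
    return hits


def response_actions(hit: Dict) -> List[str]:
    """Containment steps per flagged account. Community (external) users get
    the same treatment as internal ones, since both hold valid sessions."""
    actions = [
        "revoke active sessions",
        "force password reset",
        "review connected apps and refresh tokens authorized by the account",
    ]
    if hit["user_type"] == "community":
        actions.append("notify the partner or customer admin who owns the account")
    return actions


# Constructed sample data (not real accounts or breach records).
USERS = [
    {"id": "005AAA", "email": "agent.one@corp.example", "user_type": "internal"},
    {"id": "005BBB", "email": "Partner.One@Partner.example", "user_type": "community"},
    {"id": "005CCC", "email": "agent.two@corp.example", "user_type": "internal"},
]
FAKE_FEED = build_fake_feed(["partner.one@partner.example", "someone.else@other.example"])


def fake_range_query(prefix: str) -> Set[str]:
    """Stand-in for the feed's range endpoint; returns suffixes for one prefix."""
    return FAKE_FEED.get(prefix, set())


if __name__ == "__main__":
    for hit in find_compromised(USERS, fake_range_query):
        print(hit["id"], hit["user_type"], response_actions(hit))
```

On the constructed data only the community user is flagged, and only because the address was normalized before hashing; a byte-for-byte comparison of the mixed-case original would have missed it. The feed learns nothing beyond a five-character prefix shared by many addresses, which is the point of the range-query design.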

Visibility for investigation and response

Every detection, every response, every interaction is logged.
Admins can review them in Salesforce reports and dashboards or export to SIEM for centralized analysis.
The audit trail stays complete for 24 months, giving both security and compliance teams full visibility.

Visibility helps incident response teams trace how a threat entered, what it touched, and how far it spread. This evidence is often missing in Salesforce environments; when it is available, it speeds containment, supports collaboration with law enforcement, and gives forensic teams real context instead of speculation.

For most organizations, that level of evidence becomes the difference between days or weeks of uncertainty and hours to containment. Having a full audit trail inside Salesforce can turn a potential compliance mess into a documented response story.

Visibility builds prevention and also makes response possible.

Why layered detection matters

Attackers layer their methods to stay hidden.
Each link in the chain conceals the one before it: a phishing site hides behind a shortlink, the shortlink behind a QR code, the QR code inside a document, and the document itself may be spoofed to look like another file type. Every layer removes a piece of context that defenders and superficial detection capabilities rely on.

Signature scans match known patterns. Evasive chains change patterns.

Layered detection connects the dots:
file analysis finds weaponized content;
URL and QR inspection expose malicious redirects and phishing domains;
identity protection reveals when valid credentials have been exposed in a breach.

Traditional and superficial security tools just flag the first anomaly, then lose sight of what happens next. Layered detection inside the platform keeps following the trail.

Why this matters now

Salesforce has become one of the most targeted business platforms in the enterprise stack.
Attackers know its data is rich, permissions are complex, and human error is inevitable.

Content-borne threat detections grew 20× in the past year. These threats, from file-based malware to QR code phishing campaigns, exploit what the typical security stack doesn’t see: the activity inside SaaS environments.

In complex platforms like Salesforce, breaches don’t take a genius hack. They start with the small oversights attackers are waiting for: a reused password, too much access, human error, and a missed or missing alert.

Protecting Salesforce against today’s threats doesn’t mean removing all the complexity, but illuminating it.

Even the best defenses can’t promise perfection. We’ve seen this in the recent attacks, where a $1M security stack couldn’t stop a phone call and a fake app. When a breach does occur, what matters most is how fast you can understand it, contain it, mitigate the damage and prove what happened.
