Alarmingly, where it concerns Salesforce, many organizations still take that gamble — assuming endpoint security will catch every threat, no matter the entry point, user, or content. It’s an outdated belief — and a dangerous one.
No modern enterprise should trust a single layer of defense — ever
Endpoint protection is necessary, but it’s the last safety net, not the first. By the time a threat reaches an endpoint, it has already bypassed your preventive controls. The smartest organizations build layered defenses with email protections, network segmentation, browser isolation, and cloud-native security for business platforms like Salesforce.
If endpoint security fails – and it can – what’s left to stop malware or phishing links already embedded inside Salesforce records or automations? In many cases, the answer is: nothing.
Email security is table stakes. Salesforce shouldn’t be treated any differently
We’ve all normalized advanced email security as essential. But somehow, the same logic isn’t applied to Salesforce security, even though the risks are real and growing.
Salesforce today is far more than a CRM. It:
- Processes content from forms, APIs, chatbots, and email-to-case
- Stores and shares files and URLs
- Sends automated communications via workflows or even AI
- Is deeply integrated across business functions
But it doesn’t natively scan files or URLs for threats.
There’s no built-in phishing or malware filtering in Salesforce. That’s a problem — especially when Salesforce is handling sensitive customer and operational data. If you wouldn’t allow malicious content into your inbox, why allow it into your Salesforce instance?
Salesforce is increasingly being exploited as an attack vector
Threat intelligence shows Salesforce is now a preferred platform for attackers. It’s used for delivery, lateral movement, and persistent access, often through workflows, community portals, or API abuse.
Our blog, Salesforce Attacks in 2025, outlines how attackers bypass traditional controls by embedding threats inside trusted processes: impersonating users, hiding malware in file uploads, or redirecting victims to phishing portals via QR codes or shortened URLs. These Salesforce attack patterns are becoming more frequent and more sophisticated.
Read the full Salesforce Cyber Threat Report H1 2025 for detailed tactics and detection breakdowns.
Even with email security — Salesforce still needs its own protection
Email filters don’t apply to Salesforce content.
Threats can enter through:
- Web-to-case forms and public lead capture flows
- Community and partner portals
- Chatbots and live chat integrations
- API-driven file transfers and marketing automations
- Direct emails to Salesforce inboxes (e.g. email-to-case)
All of these bypass your email security stack entirely.
The right question to ask isn’t just “Is our email secure?” but “What’s protecting our Salesforce environment?”
But doesn’t Salesforce already handle security?
Salesforce offers robust platform-level security, including MFA, access controls, audit logging, and more. But like any platform, it assumes customers will handle their own content security.
Here’s what it doesn’t do:
- Scan files at upload or download
- Detect malware or phishing links in content
- Block malicious QR codes or suspicious redirects
This is a concerning gap. Malicious files and links may live in your environment undetected. Or worse, they may be shared with customers or partners.
Salesforce agrees. According to the State of IT Security Report, nearly 50% of security leaders worry their data foundation isn’t ready for agentic AI, and 55% aren’t confident they have the guardrails needed to deploy AI agents securely.
If your defenses don’t cover the content inside Salesforce, your business is exposed to Salesforce data breach risks.
Aligning with the NIST Cybersecurity Framework
The NIST Cybersecurity Framework (CSF) emphasizes five core functions:
Identify. Protect. Detect. Respond. Recover.

Salesforce’s native features help with Identify and Protect via access controls and configurations, but most organizations lack coverage across Detect and Respond when it comes to phishing links, malware in files, or malicious URLs inside Salesforce.
To reach Tier 3 (Repeatable) or Tier 4 (Adaptive) maturity in the NIST CSF Implementation Tiers, organizations need proactive, real-time detection and visibility across all platforms – including Salesforce.
That’s where CRM malware protection and cloud-native Salesforce threat detection tools come in.
While it’s tempting to categorize WithSecure Cloud Protection for Salesforce under Protect – after all, it blocks malicious files and links before users interact with them – its core functional strength lies in real-time detection and containment inside Salesforce. That’s the blind spot in most enterprise security architectures: the in-platform layer, where traditional defenses like email gateways and endpoint security tools have no visibility.
In NIST CSF terms, WithSecure Cloud Protection for Salesforce:
- Bridges a critical detection gap within SaaS application content, surfacing threats that other tools never see.
- Enables faster response through integrated visibility, audit trails, and analytics that support incident investigation.
- Prevents threat propagation across connected users and systems once a detection occurs.
So while the solution contributes to Protect outcomes, its functional alignment is with Detect and Respond. It empowers organizations to see and stop what happens inside Salesforce, not just around it.

Why this matters: Real-world risk
In 2025, attack groups like UNC6040 have abused modified Salesforce apps to exfiltrate data and extort companies. Google’s research showed how attackers leveraged Salesforce app trust and permissions to move laterally and remain undetected — often for weeks.
The hard lesson here? What happens inside Salesforce needs its own layer of defense.
What you can do today
WithSecure Cloud Protection for Salesforce provides the missing layer, without slowing down your Salesforce instance.
- Real-time scanning of files and links
- Detection of phishing via QR codes, redirects, and evasive formats
- Full audit trail for compliance and forensics
- Coverage for both internal and external users
- Native Salesforce app: no rerouting, no middleware
The solution is built for Salesforce, and it complements your endpoint, email, and network defenses, protecting what happens inside Salesforce in real time.

