Salesforce threat protection in action

Salesforce is mission-critical — and increasingly targeted. See how WithSecure Cloud Protection for Salesforce safeguards files, links, identities, and Agentforce actions inside Salesforce with real-time detection, granular control, and audit-readiness.

Salesforce threat protection is no longer optional as attackers pivot to business workflows. In 2025, Salesforce has become one of the most targeted enterprise platforms. Nearly forty major companies, from Google to global insurers, have been listed on leak sites tied to breaches in their Salesforce environments. The business value and sensitive data it holds make Salesforce an exceptionally attractive target.

How WithSecure Cloud Protection secures your Salesforce environment in real-time

Traditional security tools stop where Salesforce begins.
Email filters scan inboxes.
Endpoint agents guard devices.
But Salesforce, where customer data, workflows, AI agents and automation meet, often sits outside that protection.

Salesforce is your operational headquarters, like a high-value command center where teams, partners, and AI agents move data in and out. Most security tools guard the perimeter far away from this center, not the place where operations happen.

Attackers know this. They move through trusted users, shared files, and automated processes that traditional security never sees.

WithSecure Cloud Protection for Salesforce brings enterprise-grade threat detection inside the platform. It scans files, URLs, QR codes, and identities in real time, stopping threats before they spread and making risks visible through unified analytics.

The native app secures Salesforce from the inside out instead of just guarding the surroundings.

The shared responsibility gap

Salesforce provides the energy grid: think of a stable power source that keeps the mission running. But it’s every organization’s job to protect what’s powered by it: the systems, people, and processes that rely on that energy. This is the essence of the shared responsibility model.

Protecting what your users upload, click, or automate inside that environment is your responsibility. Salesforce secures the cloud platform infrastructure; organizations must secure the activity and data within it. That’s where traditional “outside-in” tools have little to no reach.

Here’s what Salesforce security risks look like in practice

Attackers don’t necessarily smash windows, doors, and walls. They blend into routine traffic, tailgate through side doors, abuse trusted connections, or use borrowed keycards. Here’s how those break-ins happen inside Salesforce:

  • A malicious attachment arrives through email-to-case and is uploaded into Salesforce without being scanned. When processed, an infostealer quietly harvests stored credentials and session cookies. The attacker uses those tokens to pivot, access reports and integrations, and quietly exfiltrate customer data over weeks before detection.
  • A contractor account falls outside corporate IAM. Its password, reused on another service, appears in a third-party data breach. Attackers log in through Salesforce’s legitimate interface and start extracting customer data via reports and connected apps.
  • A malicious URL or QR code is posted through a chat and stored inside a case. It leads to a convincing fake login page; a user or agent follows the link and submits credentials. Those credentials are then used to access business processes and export customer data and trade secrets, which leads to extortion and loss of customer trust.

When risks unfold inside Salesforce, they are difficult to detect with external tools

These risk scenario examples show how mundane workflows — like email-to-case — become attack vectors when attachments are weaponized and processed inside Salesforce without inspection inside the platform. WithSecure Cloud Protection for Salesforce closes that gap with real-time, native protection where those actions happen.

When a breach occurs inside Salesforce, visibility dictates recovery time. Without in-platform detection and telemetry, organizations can spend weeks tracing infected records, workflows, and automations. WithSecure Cloud Protection reduces that window to hours, preventing prolonged downtime and preserving compliance readiness. In regulated sectors, this level of audit-ready visibility can be the difference between a contained incident and a weeks-long investigation.

Flowchart: Email-to-case (incoming attachment) → Weaponized PDF → Processed in Salesforce → Credentials and tokens harvested → Customer data exfiltrated.

Figure 1: Email-to-case is a common entry point: weaponized attachments arrive as routine tickets, get processed in Salesforce, and can lead to operational disruption or data exfiltration without in-platform inspection.

File protection — next-generation analysis inside Salesforce

Files are one of the most common delivery routes for threats. According to Verizon, ransomware is present in 44% of all breaches and it’s been on the rise recently. In Salesforce, file-based threats enter through forms, email-to-case, chats, user uploads or APIs, and often bypass traditional controls.

File Protection in WithSecure Cloud Protection for Salesforce scans every file in Salesforce at upload, download, on-demand, and in scheduled mass sweeps. It blocks malware, ransomware, and hidden cyber threats before they reach your users.

Every file is checked before it can do harm

If malware is a routine-looking harmful parcel that the threat actors aim to slip into the building, File Protection is the building’s baggage scanner that ensures every parcel that comes through the lobby is x-rayed before anyone can open it.

File Protection brings layered analysis directly into Salesforce:

  1. Multi-engine malware detection checks every upload and download using AV-TEST–certified engines.
  2. AI and heuristic analysis identifies suspicious or ransomware-like behavior missed by signatures.
  3. Cloud sandboxing safely executes doubtful files to reveal zero-day and evasive threats.
  4. Global threat intelligence enhances detection using telemetry from millions of daily analyses in the WithSecure™ Security Cloud.

Each file is fingerprinted, compared against known verdicts, and analyzed in the sandbox when needed. Only anonymized samples are processed by the threat analysis service.

Salesforce threat protection showing malicious file blocked notification screen for end-users

Figure 2: End-user messages can be customized; here’s an example “harmful content blocked” notification.

Harmful file content blocked in Salesforce screen

Figure 3: The app replaces the removed malicious file with a text file so users can’t access it.

Extra layers for evasive content

For a complete breakdown of detection layers, platform coverage, and policy configuration options, visit the full feature list.

Proven real-time protection

Malicious files are intercepted at upload or download, before they reach users or automations.
All detections are stored for 24 months, including hash, verdict, and timestamp. This creates an auditable record trail of every event.

WithSecure’s detection engine, also powering the company’s enterprise endpoint products, earned AV-TEST’s Best Protection Award 2024 after a full year of flawless detection results across more than 90,000 malware samples.
That same engine protects files in Salesforce environments, providing independently verified detection accuracy against both known and emerging threats.

File Protection administration view in WithSecure Cloud Protection for Salesforce for easy set-up

Figure 4: File Protection admin view showing scanning and policy controls.

Granular control where it counts – practical examples

Every organization handles files differently. WithSecure Cloud Protection for Salesforce lets admins tailor policies down to object level — defining what gets scanned, when, and how.

From the File Protection settings, you can:

  • Decide whether to scan uploads, downloads, or both.
  • Set different rules for Salesforce Files, Attachments, and Content Libraries.
  • Customize actions for detections (block, remove, or quarantine).
  • Manage exclusions for trusted workflows, test environments, or file types.

These granular controls make WithSecure Cloud Protection for Salesforce adaptable to diverse security and performance requirements from highly regulated environments to fast-moving teams.

Best practice: Enable scanning for both Salesforce Files and Attachments, activate Advanced Threat Analysis, and apply stricter policies for archives and Office files.

This is thorough protection applied where files actually live — inside Salesforce.

File Protection administration view in WithSecure Cloud Protection for Salesforce offers granular customization options

Figure 5: File Protection settings view showing customizable scanning and policy options.

URL and QR protection — stopping phishing in its new form

Phishing doesn’t end in the inbox. Links and QR codes now move through Salesforce records, case comments, and shared documents — unseen by external tools.

Phishing links are like forged orders that seem legitimate, but trick users into acting for the benefit of the threat actors.

URL Protection in WithSecure Cloud Protection for Salesforce scans embedded links for threats in real time.

Stop phishing attacks that hide in Salesforce

URL Protection inspects links at post and at click, across standard and custom fields and objects.
It decodes shortlinks, analyzes redirect chains, classifies domains, and scans QR codes embedded in files.

Advanced threat analysis and global threat intelligence detect newly registered or obfuscated domains before they become active threats. Even multi-layered tactics like malicious short links behind QR codes are detected. 

Time-delayed or redirected phishing links are stopped inside Salesforce, before users or agents can act on them.

Users see a clear “phishing blocked” message; admins see who posted or clicked and where.

URL scanning events in Salesforce threat protection solution by WithSecure

Figure 6: URL events overview for the list of fresh URL detections

Detailed URL scanning result showing a phishing link threat detection in Salesforce

Figure 7: Detailed view showing blocked phishing link.

Content filtering — keeping Salesforce professional

Not every link is malicious; some simply don’t belong in your Salesforce space.

Content filtering is the office policy board, protecting the integrity of the environment. It keeps the hallways clear of scams and inappropriate material, maintaining a professional and comfortable environment for everyone who walks in.

Keep Salesforce clean, compliant, and on-brand

Content Filtering prevents inappropriate or policy-violating material, like gambling, scams, or illegal content, from entering Salesforce environments and communities.

Powered by domain intelligence, it blocks disallowed categories as users post or upload.
Admins select which categories or top-level domains to restrict, applying consistent rules across the instance.

It maintains a trusted workspace and reduces compliance exposure, especially in environments with external contributors.

Content filtering in Salesforce blocks access to unwanted website categories like gambling or spam

Figure 8: Content Filtering configuration screen for disallowed domains and categories like spam or hacking.

Identity protection — catching compromise before access

If content threats are about what gets in, access control is about who is allowed in. The majority of breaches are attributed to identity compromises. These breaches start with a seemingly valid login. In Salesforce, attackers can use valid credentials stolen elsewhere.

Continuing the operations center metaphor, a contractor’s stolen badge opens a side gate and the threat actor walks straight into restricted systems, extracting sensitive data as part of seemingly normal activity.

Catch stolen credentials before attackers use them

Identity Protection in WithSecure Cloud Protection for Salesforce detects compromised Salesforce user credentials before attackers use them.

Identity Protection continuously checks Salesforce accounts against verified breach intelligence. It covers internal and external users, scanning weekly and tracking 12 months of history. Each match shows where and when the breach occurred and how credentials were exposed.

It’s like your badge control system that verifies who walks in and flags stolen passes before they’re used to access restricted areas.

Admins can reset passwords, revoke sessions, or enforce MFA the moment an exposure is found.
All activity is logged for audits and compliance.

This early warning turns credential reuse from a hidden risk to a visible, fixable one.

Breach details admin view in WithSecure Cloud Protection for Salesforce

Figure 9: Breach detail view showing exposed partner account and breach metadata.

Secure AI adoption — keeping Salesforce fast and safe

Agentic AI and automation drive efficiency, but with efficiency comes risk.
Agentforce agents act faster than humans, spreading both value and potential compromise.

As Agentforce brings autonomous workflows into Salesforce, you can think of it as a coordinated fleet of smart systems operating across a secure facility. The same rules apply as to humans. WithSecure Cloud Protection for Agentforce supports this.

Extend the same real-time protection to your autonomous AI agents

The WithSecure Cloud Protection for Agentforce add-on extends real-time scanning to every non-human action.

URLs shared to an AI agent, links shared by an AI agent, and records updated by AI agents are all inspected.

Events are logged with context and retention similar to user action logs.

Automation runs at full speed under the same protection boundaries as human users.
Security scales with business, not against it.

Analytics and visibility — connecting every signal

Detection without visibility is guesswork.

Analytics acts as the building’s control room. Every door entry, camera feed, and alarm signal is logged, giving you a complete picture of what happened, when, and who was involved.

Trace what happened, where, and who was involved

In WithSecure Cloud Protection for Salesforce every file, link, or identity scan feeds into unified analytics inside Salesforce.

The Salesforce-native app supports multi-org environments, giving security teams visibility and consistent policy enforcement across all Salesforce instances.

Protection Status dashboards show detection trends and overall health at a glance.
Reports pivot by user, object, or threat type. Logs keep two years of event data and can export to a SIEM for broader analysis.

Security teams can trace incidents end to end, identify recurring attack sources, and refine policies with evidence.

Visibility closes the loop between detection, prevention and improvement. It is the critical factor that can turn a compliance nightmare around.

Protection Status view in Salesforce from an admin dashboard

Figure 10: Protection Status dashboard summarizing detections across layers.

Enterprise-grade and audit-ready protection for Salesforce

WithSecure Cloud Protection for Salesforce brings enterprise-grade defense inside the platform itself.
It applies the same layered logic proven in modern endpoint protection – multi-engine detection, sandboxing, machine learning, and behavioral analysis – but runs inside Salesforce.

Unlike API-based or CASB security solutions, Cloud Protection operates within Salesforce’s own trust boundaries.

There are no external dashboards or delayed scans, and every inspection happens in real time, with minimized data traffic outside the platform.

WithSecure Cloud Protection for Salesforce is designed for organizations that live under scrutiny. Every detection, verdict, and policy action is logged and stored for 24 months, creating a verifiable audit trail of what happened, when, and how it was resolved.

That visibility gives compliance and risk teams the documentation they need for internal reviews, regulatory audits, and incident investigations – saving time, money and trouble.

It’s also built on independently verified controls.

Certified under ISAE 3000 Type 2 (European equivalent to SOC 2 Type 2) and ISO 27001, and aligned with frameworks like NIS2, DORA, and GDPR, Cloud Protection meets the same standards expected of enterprise and government-grade environments.

Options for controlled data residency – across the EU, US, Japan, Singapore, and Australia – keep analysis and logs within your chosen jurisdiction, satisfying both privacy and compliance requirements by design.

Already trusted by leading Fortune 500 enterprises and public-sector organizations, WithSecure Cloud Protection for Salesforce secures Salesforce environments of every scale – from regional deployments to multi-org global operations.

Data processing settings in Cloud protection for Salesforce

Figure 11: Admin view showing regional data-processing selection for Salesforce security.

Built for the threats of today — and what’s coming next

Salesforce now connects people, processes, and autonomous AI agents – and attackers are adapting just as quickly. WithSecure Cloud Protection for Salesforce evolves in step.

Identity Protection turns credential exposure – a prevalent attack vector – into an early warning.
The Agentforce extension adds real-time scanning for agent-driven use cases, keeping AI automation as secure as human action.

Our roadmap follows both the Salesforce platform and the threat landscape, with one goal: to protect every interaction in Salesforce.

When the protection layers work together

If Salesforce security “checkpoints” are overlooked, the effects tend to ripple.
One overlooked upload can spread malware across internal and external environments.
One stolen credential can open connected systems.
One missed alert can turn a contained incident into an operational outage.

When layered safeguards hold, nothing dramatic happens, and that’s the point.
Operations stay steady.
Customers never notice a thing since their experience stays smooth, secure, and uninterrupted.
Data stays untouched.
Users log in, work, and leave without friction.

It’s the digital equivalent of a secure operational base running on schedule, where lights are on, comms stable, mission intact. The people it serves never even notice the threats that were stopped.

That’s what layered protection inside Salesforce delivers: quiet continuity. As a Salesforce-native app, WithSecure Cloud Protection for Salesforce is available on AppExchange and is deployed within a short 30-minute session, where our technical experts walk you through the set-up.

Got questions? Want to see the solution in action? Book a quick demo from the form below.

For example, European ABN AMRO Insurances saw immediate impact and identified and quarantined their first threat quickly after deploying WithSecure Cloud Protection for Salesforce.

“Within an hour we were up and running — and the protection just works in the background.”
Ralf van Hoorn, Salesforce Developer, ABN AMRO Insurances
