More and more incidents linked to UNC6040 and ShinyHunters are being uncovered. As outlined in previous blogs, these attacks often begin with vishing, where a threat actor impersonates IT support and tricks an employee into action.
But how exactly do attackers gain access to the organization’s Salesforce environment?
Let’s walk through the process step by step.
The role of OAuth 2.0 device flow
Attackers are leveraging the OAuth 2.0 Device Flow. According to Salesforce documentation, this flow is designed for applications running on devices with limited input or display capabilities, such as Smart TVs. It is also commonly used by command-line apps like Salesforce Data Loader.
For a connected app to use Device Flow, it must be explicitly configured in the app’s OAuth settings.
Step 1. Initiating the authorization flow
To initiate the authorization flow, the connected app (for example, Salesforce Data Loader) sends a POST request to the Salesforce token endpoint:
The user is asked to enter the user_code previously generated by the token request.
Once the user enters the code, they are redirected to the Salesforce login page.
After successfully logging in, the user is presented with a screen asking them to approve the connected app’s requested permission scopes (as defined earlier in the flow).
Step 4. Attacker polls for access token
Once the user authorizes the connected app by entering the user_code and clicking Allow, the attacker begins polling the Salesforce token endpoint to check whether the authorization has been granted by sending this payload:
data = {
"grant_type": "device",
"client_id": "<consumer key>",
"code": "<device_code>"
}
grant_type: must be set to device
client_id: unique identifier of the connected app
code: previously returned device_code
Step 5. Access and refresh tokens issued
Following successful user authorization, the app begins polling the token endpoint. When the request is validated, Salesforce responds by issuing an access token and a refresh token.
access_token: OAuth token that grants API access on behalf of the user
refresh_token: used to obtain new access tokens without re-authenticating
scope: permission scope that was granted earlier (e.g., api, refresh_token)
instance_url: base URL of the user’s Salesforce org to be used for subsequent API calls
id: the Identity URL, typically in the format: https://login.salesforce.com/id/<org_id>/<user_id>
Using this Identity URL, the attacker can programmatically obtain user details such as:
Username
Email
First/last name
Timezone
User type
API endpoints
With access to this token and identity information, the attacker now has authenticated access to the user’s Salesforce org. This enables them further data access, reconnaissance, or privilege escalation depending on the user’s role and granted permissions.
The real risk of connected apps
Connected apps have become a hidden entry point in many Salesforce environments. As seen in recent UNC6040 campaigns, attackers abuse the OAuth Device Flow to trick users into granting API access with nothing more than a code and a click. These attacks don’t exploit a Salesforce vulnerability – they exploit trust, familiarity and a well-disguised prompt.
Salesforce-targeted cyber attacks are escalating
Even the biggest, best-defended companies have been hit by CRM breaches. Salesforce isn’t off-limits to attackers. Using real-world detection data, we show why putting Salesforce security on the back burner is a risk not worth taking.
To protect against OAuth Device Flow abuse in Salesforce, organizations should strengthen their connected app security and reduce unnecessary permissions. A focused approach to Salesforce security means auditing connected apps, limiting scopes, and monitoring API events for unusual activity. Combined with user training and disabling Device Flow where it’s not required, these steps help close one of the most common entry points attackers now exploit.
Audit connected apps and investigate unfamiliar ones
Revoke unused or unknown approvals
Restrict scopes to the minimum necessary
Monitor suspicious API events with Event Monitoring
Starting August 28, 2025 for new orgs and early September 2025 for existing orgs, users will need the new “Approve Uninstalled Connected Apps” permission to use any connected app that aren’t installed in the org.
Staying ahead of OAuth-based threats and malicious connected apps
The abuse of Salesforce’s OAuth Device Flow shows how attackers are shifting from technical exploits to identity and authorization scams. Organizations that treat connected apps as an afterthought are leaving doors wide open for compromise.
Alarmingly, where it concerns Salesforce, many organizations still take that gamble — assuming endpoint security will catch every threat, no matter the entry point, user, or content. It’s an outdated belief — and a dangerous one.
No modern enterprise should trust a single layer of defense — ever
Endpoint protection is necessary, but it’s the last safety net, not the first. By the time a threat reaches an endpoint, it has already bypassed your preventive controls. The smartest organizations build layered defenses with email protections, network segmentation, browser isolation, and cloud-native security for business platforms like Salesforce.
If endpoint security fails – and it can – what’s left to stop malware or phishing links already embedded inside Salesforce records or automations? In many cases, the answer is: nothing.
Email security is table stakes. Salesforce shouldn’t be treated any differently
We’ve all normalized advanced email security as essential. But somehow, the same logic isn’t applied to Salesforce security, even though the risks are real and growing.
Salesforce today is far more than a CRM. It:
Processes content from forms, APIs, chatbots, and email-to-case
Stores and shares files and URLs
Sends automated communications via workflows or even AI
Is deeply integrated across business functions
But it doesn’t natively scan files or URLs for threats.
There’s no built-in phishing or malware filtering in Salesforce. That’s a problem — especially when Salesforce is handling sensitive customer and operational data. If you wouldn’t allow malicious content into your inbox, why allow it into your Salesforce instance?
Salesforce is increasingly being exploited as an attack vector
Threat intelligence shows Salesforce is now a preferred platform for attackers. It’s used for delivery, lateral movement, and persistent access, often through workflows, community portals, or API abuse.
Our blog, Salesforce Attacks in 2025, outlines how attackers bypass traditional controls by embedding threats inside trusted processes: impersonating users, hiding malware in file uploads, or redirecting victims to phishing portals via QR codes or shortened URLs. These Salesforce attack patterns are becoming more frequent and more sophisticated.
Even with email security — Salesforce still needs its own protection
Email filters don’t apply to Salesforce content. Threats can enter through:
Web-to-case forms and public lead capture flows
Community and partner portals
Chatbots and live chat integrations
API-driven file transfers and marketing automations
Direct emails to Salesforce inboxes (e.g. email-to-case)
All of these bypass your email security stack entirely. The right question to ask isn’t just “Is our email secure?” but “What’s protecting our Salesforce environment?”
But doesn’t Salesforce already handle security?
Salesforce offers robust platform-level security, for example, MFA, access controls, audit logging, and more. But like any platform, it assumes customers will handle their content security.
Here’s what it doesn’t do:
Scan files at upload or download
Detect malware or phishing links in content
Block malicious QR codes or suspicious redirects
This is a concerning gap. Malicious files, and links may live in your environment undetected. Or worse, they may be be shared with customers or partners.
Salesforce agrees. According to the State of IT Security Report, nearly 50% of security leaders worry their data foundation isn’t ready for agentic AI, and 55% aren’t confident they have the guardrails needed to deploy AI agents securely.
If your defenses don’t cover the content inside Salesforce, your business is exposed to Salesforce data breach risks.
Aligning with the NIST Cybersecurity Framework
The NIST Cybersecurity Framework (CSF) emphasizes five core functions:
Identify. Protect. Detect. Respond. Recover.
Salesforce’s native features help with Identify and Protect via access controls and configurations, but most organizations lack coverage across Detect and Respond when it comes to phishing links, malware in files, or malicious URLs inside Salesforce.
To reach Tier 3 (Repeatable) or Tier 4 (Adaptive) maturity in the NIST CSF Implementation Tiers, organizations need proactive, real-time detection and visibility across all platforms – including Salesforce.
That’s where CRM malware protection and cloud-native Salesforce threat detection tools come in.
While it’s tempting to categorize WithSecure Cloud Protection for Salesforce under Protect – after all, it blocks malicious files and links before users interact with them – its core functional strength lies in real-time detection and containment inside Salesforce. That’s the blind spot in most enterprise security architectures: the in-platform layer, where traditional defenses like email gateways, and endpoints security tools have no visibility.
In NIST CSF terms, WithSecure Cloud Protection for Salesforce:
Bridges a critical detection gap within SaaS application content, surfacing threats that other tools never see.
Enables faster response through integrated visibility, audit trails, and analytics that support incident investigation.
Prevents threat propagation across connected users and systems once a detection occurs.
So while the solution contributes to Protect outcomes, its functional alignment is with Detect and Respond. It empowers organizations to see and stop what happens inside Salesforce, not just around it.
Why this matters: Real-world risk
In 2025, attack groups like UNC6040 have abused modified Salesforce apps to exfiltrate data and extort companies. Google’s research showed how attackers leveraged Salesforce app trust and permissions to move laterally and remain undetected — often for weeks.
The hard lesson here? What happens inside Salesforce needs its own layer of defense.
What you can do today
WithSecure Cloud Protection for Salesforce provides the missing layer, without slowing down your Salesforce instance.
Real-time scanning of files and links
Detection of phishing via QR codes, redirects, and evasive formats
Full audit trail for compliance and forensics
Coverage for both internal and external users
Native Salesforce app: no rerouting, no middleware
The solution is built for Salesforce, and it complements your endpoint, email, and network defenses, protecting what happens inside Salesforce in real-time.
Ready to secure Salesforce against malware, ransomware, phishing, and AI-driven threats?
WithSecure Cloud Protection for Salesforce: the #1 Salesforce-native security solution trusted by enterprises and public sector worldwide.
This time our threat landscape focus is on ransomware and its implications for cloud services, specifically Salesforce. With attackers increasingly targeting cloud services and public-facing apps, and a 366% increase in malicious file detections on Salesforce in Q2 2024 compared to Q2 2023, ransomware is not a threat to be taken lightly in any Salesforce security strategy.
Cyber threat landscape shifts toward cloud and SaaS exploitation
Cyber threat landscape is seeing an increased focus on the cloud. Attackers have recently leveraged legitimate file transfer and cloud services to facilitate their operations more and more. These services offer a low-key and cost-effective infrastructure which tends not to trigger security alerts as some more traditional methods might.
Symantec’s Threat Hunter Team has recently identified three new espionage operations utilizing cloud services and has uncovered additional malicious tools in development:
GoGra (Trojan.Gogra): Targets a South Asian media organization using Microsoft’s Graph API for C&C communications via email, encrypting messages with AES-256. Developed in Go, active since November 2023.
Firefly Tool: Used by the Firefly group to exfiltrate data from a Southeast Asian military organization. It searches for and uploads .jpg files (actually encrypted RARs) from System32, using Google Drive.
Trojan.Grager: Targets entities in Taiwan, Hong Kong, and Vietnam, using Microsoft’s Graph API via OneDrive for C&C. Distributed through a Trojanized 7-Zip installer, linked to the UNC5330 group.
MoonTag: A developing backdoor associated with a Chinese-speaking actor, noted for its use of the Graph API and discussed in a Google Group.
Salesforce and SaaS applications are targets of UNC3944 threat group
Salesforce and SaaS are becoming more prevalent in the threat landscape. Google Threat Intelligence has observed the activities of UNC3944, a financially motivated threat group that has been active since at least May 2022, and has recently targeted SaaS applications. Initially focused on credential harvesting and SIM swapping, UNC3944 has since shifted to primarily conducting data theft extortion, expanding their target industries and utilizing fearmongering tactics for access. They’ve adapted their methods to include theft from SaaS applications to attacker-owned cloud storage and have employed various advanced techniques to facilitate their attacks.
UNC3944 accessed Salesforce among other SaaS applications using stolen credentials facilitated by single sign-on systems. They conducted reconnaissance within these platforms, likely targeting data for exfiltration, and using third-party cloud synchronization tools like Airbyte and Fivetran to transfer data to external cloud storage.
Key Tactics, Techniques, and Procedures (TTPs) of UNC3944:
Social engineering: They have successfully manipulated corporate help desks using victims’ personal information to gain access to privileged accounts and bypass multi-factor authentication (MFA).
Abuse of SaaS permissions: UNC3944 exploited permissions in applications like Okta to broaden their access within targets’ systems, encompassing both on-premises infrastructure and cloud-based applications.
Virtual machine compromise: The group has created new virtual machines using administrative privileges obtained through SSO applications, using them for subsequent malicious activities and to bypass traditional security controls.
The use of cloud services by attackers is becoming a preferred method for maintaining stealth and managing cost-effective operations. The attackers are learning from each other, adopting successful techniques across various espionage and cybercriminal groups. Extensive coverage of cloud and SaaS environments in security strategies has never been more critical.
Disney moves away from Slack after a data breach of 1 TB – likely caused by a human error
In a major data breach, Disney experienced a significant compromise of corporate data, possibly due to vulnerabilities on an employee’s personal gaming computer. This breach led to the downloading of over 1TB of data through Slack, which resulted in the suspension of the platform for internal communications.
Our team doesn’t have the forensics data of the case, but some experts claim that the breach was not a direct result of flaws in Disney’s or Slack’s systems. Instead, it allegedly occurred because an employee inadvertently installed a malware-infected game modification. This malware, an Information Stealer, captured credentials and accessed Slack, where it exploited the employee’s compromised computer. The lack of Multi-Factor Authentication (MFA) on the password vault allowed attackers to access vast amounts of sensitive data easily.
Some experts suspect that the attackers were helped by an insider, and others that the breach was a result of a general lack of defensive mechanisms at Disney’s end.
A teenager leveraged Slack and stole details about unreleased GTA 6 from the gaming company Rockstar in 2022. The attacker was sentenced to life.
In 2023, another threat actor exploited access to Slack channels to initiate a malware attack on MGM Resorts, a major global casino and resort.
Almost half of ServiceNow KB instances leak sensitive data
A study by AppOmni revealed that over the past year nearly 45% of ServiceNow Knowledge Base (KB) instances were leaking sensitive data, including personal identifiers, internal system details, and live system credentials. The culprit of these breaches were outdated or misconfigured access controls. This is possibly due to widespread misunderstanding of KB access controls or replicating misconfigurations across instances.
Despite ServiceNow’s 2023 security updates aimed at restricting unauthenticated data access, many of these updates were ineffective for KBs, which often contain highly sensitive internal data. The company has responded by collaborating with customers so that KB access control misconfigurations are fixed.
The disruption has led to a sharp decrease in the number of victims, with reported cases falling to single digits. Despite these setbacks, there have been notable attempts to revamp their operations. For example. they have made experimental changes to their data leak sites (DLS) and updates to their DDoS protections. These maneuvers suggest a strategic recalibration aimed at evading detection and sustaining their criminal activities.
Despite significant law enforcement interventions, the Lockbit group’s ability to adapt and attempt to rebuild its infrastructure is indicative of the resilience and persistence of modern ransomware operations. These groups are quick to learn from interventions, often emerging more sophisticated and harder to combat.
Ransomware-as-a-Service is the business model of cyber crime in 2024
The disruption on major ransomware groups has led to a reshuffling of ransomware affiliates, gravitating towards established Ransomware-as-a-Service (RaaS) networks. RaaS is a subscription-based model that enables affiliates to use pre-developed ransomware tools to execute cyberattacks. Similar to software-as-a-service (SaaS) offerings, RaaS providers offer their malicious software on a rental or commission basis, providing updates and support.
All in all, the professionalization of ransomware operations through RaaS models presents new challenges for cybersecurity defenses. These models facilitate a lower barrier to entry for inexperienced cybercriminals and enable rapid scaling of operations. The attraction of RaaS platforms has flooded in new ransomware variants, correspondingly calling for layered defense strategies.
New threats on the block: new groups form as old dismantle
Our research team has also witnessed the rise of new players such as Cicada3301, SenSayQ, and WikiLeaksV2. Each group has demonstrated distinct patterns of targeting and victimology, such as targeting financial software companies and leaking sensitive health sector data. With this in mind, these emerging groups underscore the dynamic nature of the ransomware ecosystem. They continually evolve with new tactics and targets.
The group dynamics are in a constant flux. For example, from the total number of 67 operational ransomware groups our research team has tracked in 2023, 31 have not been operational in Q2 2024. Our team has seen 31 new ransomware groups in 2024. It’s unlikely that many, if any of these projects will survive.
RansomHub’s fast advancement and aggressive affiliate strategy
RansomHub, a new extortion platform operational since early 2024 and believed to be based in Russia, has quickly established itself by offering lucrative terms to affiliates, significantly impacting the ransomware affiliate market. RansomHub is disrupting the RaaS field by letting affiliates accept payment from the victims directly, before sending their share to the RansomHub. What’s more, by allowing affiliates to keep a major portion of the ransom and only taking a small commission, RansomHub has managed to attract experienced groups like ScatteredSpider and members of Lockbit.
RansomHub’s operational capacity, threat level and the number of victims have consequently increased. According to our research team, RansomHub is in fact currently the most active platform observed in the field. In the same fashion, ZeroFox accounts the platform to be responsible for 14.2 % of all cyber attacks in Q3 2024. The majority of victims are in North America (39.4%) and Europe (34.3%). Victims are across diverse sectors, for example manufacturing, retail, healthcare, technology.
At the same time, CISA, along with the FBI, MS-ISAC, and HHS, issued a joint Cybersecurity Advisory on RansomHub Ransomware. This advisory offers network defenders key details such as indicators of compromise (IOCs), tactics, techniques and procedures (TTPs) tied to RansomHub, drawing on findings from recent FBI investigations and third-party reports.
RansomHub has been using sophisticated EDR-killing executable tooling. It disables endpoint detection and response (EDR) software and gains escalated privileges on compromised devices, while designed to bypass several common anti-malware tools. The malware has been found in many formats such as EXEs and PowerShell scripts.
Real-life impacts of ransomware fallouts
Financially driven ransomware attacks can have notoriously severe impacts on victims. Overall, our research team has found that ransom payments and incidents remain higher in the first half of 2024 compared to previous years.
Dark Angels behind a record ransom payment
In early 2024, Zscaler and Chainalysis detected a monumental ransom payment of $75 million directed to a cryptocurrency wallet managed by the Dark Angels ransomware group. The identification of the victim was not disclosed as per standard reporting practices, but it is strongly suggested that the payor was Cencora, a Fortune 50 pharmaceutical company. Why so? Cencora publicly acknowledged a ransomware attack and data theft in February 2024, making them a probable candidate. The company, valued at $10 billion with annual revenues reaching $262 billion in 2023, found the payment necessary to restore operations and prevent further data leaks.
Further investigations reveal that the attack’s ramifications extended beyond Cencora. The company, along with at least two of its subsidiaries, reported stolen data to regulators, implicating a broader network of affected entities. In May, additional disclosures indicated that the data breach had impacted numerous major pharmaceutical companies including Pfizer, Bayer and Novartis, among others. These partners also experienced breaches connected to Cencora’s compromised systems, specifically through the Lash group subsidiary.
The sizable ransom from this single incident highlights Dank Angels’ impact. The strategy employed by Dark Angels suggests a focus on high-value targets – often termed “big game hunting” – which involves fewer, highly profitable attacks rather than numerous smaller-scale ones. It’s difficult to say whether Dark Angels have an intentional strategy of big game hunting, or if they just got lucky.
There were no major outages or operational disruptions reported (at least so far). However, the widespread effects of this attack, involving a network of companies with a combined revenue in the trillions, illustrate the extensive potential for damage and disruption caused by ransomware operations targeting major players in critical industries.
Japanese media giant’s market value plummets in the ransomware attack aftermath
Another example, the ransomware strike on Japanese media company Kadokawa Corporation served as a stark reminder of the broad and enduring impacts such attacks can have on businesses. The assault not only disrupted daily operations but also inflicted severe financial and reputational damage. Prior to the attack in early June, Kadokawa’s market value stood at approximately JP¥465 billion (USD$3 billion). Following the incident, its share price plummeted by 15%. Subsequently, this erased JP¥70 billion (USD$500 million) from its market capitalization. This significant drop in share price, which appears solely attributed to the ransomware attack, underscores the high stakes of cybersecurity in protecting not just operational capabilities but also financial stability and public perception.
Public health at stake
The National Health Laboratory Service (NHLS) of South Africa suffered a ransomware attack on June 22nd. The attack continued to disrupt services into July. This attack has been particularly critical as it hindered access to laboratory test results amid an outbreak of mpox disease. This incident demonstrates how significantly ransomware impacts public health and safety of citizens globally.
To pay or not to pay
Ransomware groups often aim to build trust with victims by promising data recovery upon ransom payment, giving false hopes that this will restore normal operations. Ransomware operators often brand themselves as ‘pentesters’ with the intention to appear professional and reassure victims about data deletion and decryption.
Despite this, the majority of organizations paying ransoms suffer subsequent attacks, often facing even higher demands than before. Cybereason reaserch claims that percentage of victims facing a second attack is as high as 78%.
Ransomware operators are unreliable and their assurances of not targeting victims again should not be trusted. Therefore, paying a ransom based on trust in these actors is not advisable. Acknowledging research that quantifies the deceitfulness of ransomware actors is crucial, as it together with prohibiting legislation significantly influences the ransomware landscape.
Salesforce security implications of the current threat landscape
The emergence of new ransomware groups and the evolving tactics suggest that Salesforce environments are likely to be increasingly targeted as an alternative to traditional and easier to detect vectors. In fact, we’ve detected a 366% increase in malicious files on Salesforce in Q2 2024 compared to Q2 2023.
For Salesforce, it’s important to stay vigilant against ransomware campaigns that leverage Salesforce as a channel for malware delivery or social engineering tactics to lure users to phishing sites. Besides human errors, novel campaigns can target vulnerabilities in cloud environments or through third-party integrations.
Salesforce security recommendations simply put
Constantly transforming threats require a layered and proactive approach to cybersecurity. No silver bullets. Because of that, we’ve compiled a comprehensive list of Salesforce security recommendations in light of recent cyber crime developments:
Auditing: Activate comprehensive auditing that covers cloud environments including Salesforce to identify and patch security gaps.
AntiVirus: Threat protection such as WithSecure™ Cloud Protection for Salesforce solutions at the entry-point such as Salesforce together with endpoint security will block the majority of file-based ransomware threats. Make sure that the solution has up-to-date threat intelligence source.
Employee training and awareness: Social engineering remains a significant threat vector. Training Salesforce users to recognize phishing attempts and other social engineering tactics is critical.
AntiPhishing: By implementing an antiphishing solution on Salesforce level, you can automatically stop phishing attacks. It’s important to go beyond traditional attack vectors like email.
Strengthened access controls: Enforce strict conditional access to mitigate credential compromise. Salesforce environments should adopt the principle of least privilege. Routinely audit permissions.
Third-party risk management: As Salesforce often integrates with numerous third-party applications, ensuring these connections are secure is essential to prevent ransomware spread or data leaks. You should choose security tools based on integration simplicity, preferring native solutions.
Data management policies: The revelation that Lockbit held onto data it claimed to have deleted is a crucial reminder of the risks involved in data handling and storage. You should implement robust data encryption, regular audits, and follow strict data handling and deletion protocols to minimize potential damage.
Limit BYOD: The breach of Disney’s Slack data resulted from a malware infection on an employee’s personal device – a reminder to limit allowing personal devices into corporate systems.
Extortion preparation and response: You should include Salesforce in incident response strategies. This means close collaboration between security and Salesforce teams, having secure and tested Salesforce backups and a clear communication plan for dealing with ransom demands.
