Cloud Protection for Salesforce by WithSecure™
  • Why cloud-first security matters: Protecting Salesforce and SaaS data from modern threats

    Your business doesn’t just run in the cloud — it depends on it.

    For years, cybersecurity strategies revolved around the corporate network and the devices inside it. Firewalls, antivirus tools, and endpoint detection formed the first line of defense. But business has changed. Today, the most valuable data — and the biggest vulnerabilities — are no longer at the network’s edge. They’re in the cloud.

    Adopting a cloud-first security strategy is no longer optional. Cloud platforms aren’t just productivity tools anymore — they’ve become the operational core of most organizations. For many enterprises, that means Salesforce. As the world’s leading CRM, it doesn’t just manage customer data — it connects with ERP, marketing, analytics, and AI-driven workflows. That reach makes Salesforce both indispensable — and highly attractive to attackers.

    Customer data, contracts, and intellectual property all live there, which makes security in SaaS environments a matter of business resilience. When protection isn’t prioritized where this data resides, the risk isn’t just technical — it’s strategic.

    Why cloud-first security starts with your core platforms

    Customer records, transactions, contracts, intellectual property — for many organizations, all of it is now hosted in cloud services. That’s exactly why attackers are aiming there. Compromise a cloud environment and you’ve gained a direct route into the business.

    When that happens, the damage extends far beyond the breach itself. Trust, regulatory standing, and day-to-day operations can all take a hit.

    Always-on environments demand always-on protection

    Cloud systems never “clock off.” They’re accessible around the clock from anywhere in the world — great for productivity, but equally attractive to cybercriminals.

    • Phishing attacks targeting CRM logins can enable long-term, stealthy access.
    • Weak or unmonitored API connections can be exploited within minutes to pull or inject malicious data.
    • Integrations without proper oversight can become silent entry points for malware.

    In a world where you can’t shut the front door, detection and response must be constant.

    Persistent targets, persistent risks

    Endpoints change constantly — laptops get replaced, phones get upgraded, and bring-your-own-device policies add churn. But your cloud data environment is different: it’s fixed, highly valuable, and accessible.

    In Salesforce, that persistence is even greater: overprivileged accounts, shadow access, and unmonitored integrations create openings that attackers can exploit. Once inside, they can extract sensitive records, manipulate workflows, or spread malicious files across partners and customers.

    Upon getting access, attackers can:

    • Extract sensitive information
    • Manipulate workflows
    • Spread malicious files to employees, partners, or customers

    This persistence is exactly why security strategies must address persistent cloud threats that don’t disappear when a device is replaced.

    The cost of catching threats too late

    It’s almost always cheaper to stop a threat at the point of entry than to contain it after the fact. In cloud environments, once a malicious file is in place, it can be:

    • Downloaded and executed locally
    • Shared across supply chain partners or customers
    • Synced into ERP, marketing, or analytics systems

    By then, remediation is about more than technology — it involves compliance reporting, legal obligations, and reputational repair. Investing in cloud malware protection prevents these files from ever reaching end users or connected systems.

    A shared responsibility you can’t outsource

    Even with the most secure infrastructure, responsibility for what enters and moves through a cloud service sits with the customer – this is the essence of the shared responsibility model in cloud security. Salesforce secures the platform, but customers remain responsible for securing the data and workflows inside it. That includes files uploaded to cases, links shared in Chatter, or third-party app integrations that can deliver hidden threats. Without in-cloud scanning, these risks often go undetected until it’s too late.

    Threats can arrive via:

    • User uploads
    • Third-party apps
    • API integrations
    • Links stored inside records or collaboration threads

    Dormant malware — from PDFs with hidden code to malicious URLs — can sit unnoticed until the moment they’re triggered. In highly connected environments, one file can quickly become everyone’s problem.

    A real-world example

    In 2024, a retail brand discovered malware in its customer portal, embedded in PDF invoices uploaded through a cloud platform. Because the files were never scanned in the cloud, they were downloaded directly by finance staff, compromising multiple devices. The response required a portal shutdown, weeks of remediation, and a compliance review. It was a clear reminder that endpoint defenses alone aren’t enough. Incidents like this highlight the need for Salesforce-native protection that blocks threats before they reach users.

    The Salesforce State of IT Security Report surveyed over 4,000 IT leaders worldwide, including more than 2,000 security specialists. Key findings included:

    • Security budgets are rising, with 75% of organizations planning increases.
    • Cloud security threats now rank alongside phishing and data poisoning as top concerns.
    • AI is both a tool and a risk, with 80% viewing it as transformative but difficult to govern.
    • Governance gaps persist, with nearly half lacking the infrastructure for safe AI adoption.

    The takeaway: a cloud-first security strategy isn’t just about protecting “the cloud” in general. It’s about protecting your most business-critical SaaS environments — starting with Salesforce. By detecting and blocking threats in real time, you reduce remediation costs, preserve trust, and ensure resilience where it matters most.

    Why a cloud-first approach works

    By focusing protection where your most critical data actually resides, you:

    • Block threats before they spread
    • Reduce the cost and impact of remediation
    • Minimize downtime and operational disruption
    • Preserve the trust of customers and partners

    With in-cloud threat detection, attacks can be stopped before they spread to endpoints or other systems. A cloud-first security strategy isn’t about abandoning traditional defenses — it’s about aligning them with the way business works today.

  • Shadow access in Salesforce: How overprivileged users become your next data breach

    As Salesforce’s State of IT: Security report notes, security leaders today are walking a tightrope — balancing the drive for AI-powered innovation with the need to defend against threats like ransomware, data poisoning, and insider misuse.

    It’s a balance that’s easily upset by one of the most overlooked risks in Salesforce: shadow access and overprivileged users.

    In recent years, many Salesforce security incidents haven’t come from cutting-edge exploits or elite hackers, but from something far more mundane — too much access in the wrong hands.

    Salesforce has become the nerve center for customer data and business operations. But in too many organizations, that nerve center is left exposed — not through a zero-day exploit, but through outdated, excessive, or forgotten permissions that linger long after they’re needed. This “permission creep” isn’t just an admin headache; in today’s AI-powered CRM environment, it’s a breach waiting to happen.

    The hidden cost of convenience: how overprivilege creeps in

    Most Salesforce environments weren’t built with long-term access hygiene in mind. What starts as a “temporary” permission set for a project often sticks around indefinitely. Roles accumulate access as users shift teams. Contractors are never fully deprovisioned. And when AI agents are introduced — acting on behalf of human users — things get even messier.

    Over time, this leads to access sprawl: a tangle of profiles, permission sets, and forgotten users that grants far more power than anyone realizes.

    The problem? These accounts — often long-tenured, inactive, or hybrid roles — don’t raise red flags. But they’re exactly what attackers look for when probing Salesforce environments.

    Real-world risks: when access becomes an attack vector

    We’ve seen it play out:

    • A former employee’s integration user is still active — and it gets hijacked to exfiltrate sensitive pricing data.
    • A sales exec’s account, with admin-lite permissions, is compromised — and used to modify sharing rules across multiple regions.
    • A third-party chatbot with broad visibility is exploited to surface customer support cases it was never meant to see.

    These aren’t hypothetical scenarios. They’re signs of shadow access — permission granted, then forgotten, until someone else finds a use for it.

    Here’s one real-world sequence:

    1. A contractor’s Salesforce login with “temporary” full object access was never deactivated.
    2. Their credentials were stolen through a password reuse attack.
    3. The attacker used API queries to extract thousands of customer records — unnoticed for nearly 90 days.

    Why AI makes this problem worse

    Agentforce-style automations are game-changers — but they amplify the dangers of poor access governance. We’ve already explored how AI agents can become high-speed threat vectors. Here, the issue is compounded: AI agents act within the boundaries of the user permissions they’re assigned.

    If those permissions are overly broad, your AI can unintentionally become a supercharged threat actor:

    • Auto-generating reports with sensitive internal data
    • Making changes to records it was never meant to touch
    • Surfacing content via public-facing Experience Cloud pages

    In short: bad access equals bad AI behavior — and the damage can scale fast.

    How to audit and reduce shadow access in Salesforce

    Cleaning up overprivileged users isn’t glamorous, but it’s one of the most effective ways to reduce your blast radius. Salesforce’s own best practices recommend a least-privilege model — granting only the minimum access needed for each role — and using tools like the User Access & Permissions Assistant to review, adjust, and revoke access as needed.

    Here’s where to start:

    • Inventory active users: Identify all active accounts and compare against current HR and contractor records.
    • Map permissions to roles: Ensure every permission set aligns with actual job functions — not legacy assumptions.
    • Monitor dormant access: Flag accounts with login inactivity over 30–60 days for review or deactivation.
    • Segment AI agents: Create narrow-scoped, clearly defined roles for AI-driven integrations or bots.
    • Review sharing rules regularly: Make sure they reflect today’s business needs, not last year’s org chart.
    • Monitor Connected Apps: Regularly review OAuth scopes and remove unused or over-permissive apps.
    • Use Permission Set Groups wisely: Avoid stacking permissions in ways that create hidden privilege escalation.
    • Deactivate stale permission sets: Remove unused sets to reduce accidental assignments.
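
    The inventory, dormant-access and permission-mapping checks from this list, as an added example (not WithSecure's or Salesforce's code). It assumes CSV exports of the standard `User` and `PermissionSetAssignment` objects; the sample rows, the HR roster, the flattened `PermissionSetName` column and the function names are constructed for illustration.

```python
"""Shadow-access review over constructed Salesforce exports (added example)."""
import csv
import io
from datetime import datetime, timezone

DORMANT_DAYS = 60  # upper end of the 30-60 day inactivity window in the checklist
# Standard PermissionSet fields that grant org-wide read or write access.
HIGH_RISK_PERMS = ("PermissionsModifyAllData", "PermissionsViewAllData")

# Constructed sample, shaped like an export of:
#   SELECT Id, Username, IsActive, LastLoginDate FROM User
USERS_CSV = """Id,Username,IsActive,LastLoginDate
005A,alice@example.com,true,2025-05-28T09:12:00Z
005B,contractor.bob@example.com,true,2025-01-10T17:40:00Z
005C,integration.svc@example.com,true,
005D,carol@example.com,true,2025-05-30T08:01:00Z
005E,dave@example.com,false,2024-11-02T10:00:00Z
"""

# Constructed sample, shaped like an export of PermissionSetAssignment joined
# to PermissionSet (the PermissionSetName column is a flattened alias).
ASSIGNMENTS_CSV = """AssigneeId,PermissionSetName,PermissionsModifyAllData,PermissionsViewAllData
005A,Sales_Ops,false,false
005B,Temp_Project_Full_Access,true,true
005C,API_Integration,false,true
005D,Sys_Admin_Extras,true,true
"""

# Constructed roster of current employees and contractors (lowercase usernames).
HR_ROSTER = {"alice@example.com", "carol@example.com"}
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed so the result is repeatable


def _parse_ts(value):
    """Return an aware datetime, or None when LastLoginDate is empty."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit(users_csv, assignments_csv, roster, now, dormant_days=DORMANT_DAYS):
    """Map each active username to the list of findings that need review."""
    risky_sets = {}
    for row in csv.DictReader(io.StringIO(assignments_csv)):
        if any(row[perm].lower() == "true" for perm in HIGH_RISK_PERMS):
            risky_sets.setdefault(row["AssigneeId"], []).append(row["PermissionSetName"])

    findings = {}
    for row in csv.DictReader(io.StringIO(users_csv)):
        if row["IsActive"].lower() != "true":
            continue  # already deactivated, nothing to revoke
        flags = []
        if row["Username"].lower() not in roster:
            flags.append("not_in_roster")
        last_login = _parse_ts(row["LastLoginDate"])
        if last_login is None:
            flags.append("never_logged_in")
        elif (now - last_login).days > dormant_days:
            flags.append("dormant")
        flags += [f"high_privilege:{name}" for name in sorted(risky_sets.get(row["Id"], []))]
        if flags:
            findings[row["Username"]] = flags
    return findings


def shadow_access(findings):
    """Usernames that pair broad permissions with a staleness or ownership flag."""
    return sorted(
        user for user, flags in findings.items()
        if any(f.startswith("high_privilege:") for f in flags)
        and any(not f.startswith("high_privilege:") for f in flags)
    )


if __name__ == "__main__":
    report = audit(USERS_CSV, ASSIGNMENTS_CSV, HR_ROSTER, NOW)
    for user, flags in report.items():
        print(f"{user}: {', '.join(flags)}")
    print("Review first:", shadow_access(report))
```

    An account that is broad but current and on the roster (here the constructed admin `carol@example.com`) is reported without being ranked as shadow access; the review-first list holds only accounts where broad permissions coincide with no owner or no recent login.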

    Shadow access is the new insider threat

    In the age of AI-enhanced CRMs, overprivileged users aren’t just a governance concern — they’re an open door to misuse, misconfiguration, and malicious exploitation.

    Salesforce provides robust native tools for role, permission, and access management — but the responsibility for using them effectively rests with you. Staying vigilant, enforcing least privilege, and regularly reviewing access is one of the simplest, most cost-effective ways to shrink your attack surface.

    Because the biggest risk isn’t what attackers can break into — it’s what you’ve already given them the keys to.

  • Salesforce data protection 101 – What is the Salesforce security model?

    Why understanding Salesforce security is important

    Salesforce is a powerhouse in CRM solutions, delivering a wide range of digital experiences to its users. Its widespread adoption across industries – including critical enterprises and governmental agencies – makes it a prime repository of high-value data. That goldmine inevitably draws the attention of financially motivated cybercriminals, who are no longer limiting themselves to traditional entry points like email. If the world’s most secure organizations can be breached through Salesforce, you should not overlook Salesforce in your security strategy.

    Shared responsibility model sets the rules in Salesforce data security

    Salesforce’s security framework is based on a shared responsibility model. This model defines the security obligations between Salesforce and its users. While Salesforce provides a highly secure cloud infrastructure with plenty of security controls, users are responsible for configuring these settings and mitigating external risks to protect their data effectively. This collaborative approach ensures that every layer of potential vulnerability can be addressed by the correct roles.

    Multiple levels of Salesforce data security measures

    Understanding Salesforce’s comprehensive security setup is crucial for effective data protection. Salesforce structures its security model into four levels to streamline administration and ensure thorough protection:

    1. Organizational level security: This primary security level involves basic access controls like setting trusted IP ranges and defining login hours to prevent unauthorized access.
    2. Object level security: At this level, administrators control access to various data sets or “objects” within Salesforce, which can be likened to tables in a database. Modern best practices recommend using Permission Sets for flexible and scalable access management.
    3. Field level security: This allows admins to control access to specific fields within an object, ensuring users see only the data essential to their role.
    4. Record level security: This level controls access to individual records within an object. Salesforce offers several methods to fine-tune record visibility and sharing settings, enhancing collaboration without compromising security.

    Figure: Four key levels of security in the Salesforce security model

    Organizational level security

    At the foundational level, organizational security involves securing access to your Salesforce system. This includes setting up restrictions such as trusted IP ranges from which users can log in—accessible via the Login IP Ranges section of a user’s profile. Additionally, Login Hours can be specified to limit user access to predefined times.

    To bolster organizational security, Salesforce administrators should enforce strong password policies and consider integrating advanced security solutions like Salesforce Shield and WithSecure’s Cloud Protection for Salesforce.

    Object level security

    In Salesforce, an object is akin to a database table and houses data sets relevant to specific business functions. Historically, object access was controlled directly through user profiles. However, Salesforce now advises utilizing Permission Sets and Permission Set Groups for this purpose. This approach allows streamlined access management aligned with users’ roles.

    Field level security

    Field level security covers access controls on individual fields within an object, similar to columns in a spreadsheet. This setup ensures that access to sensitive fields can be tightly controlled and varied between different users, depending on their job requirements. Administrators can configure these settings directly in user profiles or more dynamically through Permission Sets.

    Record level security

    Record level security deals with access to individual entries within an object. Salesforce offers several mechanisms to manage this, such as:

    1. Organization-wide defaults: Set baseline access levels for all records within the organization.
    2. Role hierarchy: Enables users higher in the hierarchy to access records below them.
    3. Sharing rules and manual sharing: Facilitate lateral sharing within teams or direct sharing for specific records, ensuring collaboration without compromising security.

    Figure: Salesforce data protection has multiple levels of sharing

    External access and advanced cyber security measures on Salesforce

    While internal user permissions and sharing rules are critical, Salesforce administrators must also safeguard against external threats. These threats can arise from interactions with Salesforce solutions like Salesforce Experience Cloud, or through third-party applications connected via APIs. Salesforce allows the enforcement of permissions for APIs and apps similarly to internal user settings. It’s crucial to configure these permissions with the strictest settings possible to minimize vulnerabilities and prevent unauthorized access.

    Keep your data safe with Salesforce Shield and WithSecure Cloud Protection for Salesforce

    Even the most robust endpoint security strategies cannot guarantee complete immunity from sophisticated cyber threats. Criminals targeting your organization might mimic legitimate access – also on Salesforce. Salesforce Shield plays a pivotal role here by enhancing file encryption, adding a critical layer of security for data uploaded to the cloud, making it more resistant to unauthorized exploitation.

    WithSecure Cloud Protection for Salesforce takes security against external threats a step further by providing real-time defense against viruses, malware, ransomware, and phishing threats. It scans all content from files to URLs as it is uploaded to Salesforce, both at the time of upload and whenever a user interacts with the content. This proactive approach not only detects and blocks known threats such as commodity malware, but also uses advanced behavioral analysis to thwart zero-day attacks and emerging threats.

    Last piece of advice: secure every access point

    For enterprises utilizing Salesforce, protecting every point of access and every point of data interaction – both internal and external – is critical. WithSecure Cloud Protection for Salesforce complements Salesforce’s built-in capabilities and tools like Salesforce Shield by offering an additional layer of real-time, proactive protection, ensuring your Salesforce environment remains secure against advanced cyber threats. This dual approach fortifies your cloud data against both conventional risks and sophisticated cyber attacks, whether they are coming through a customer support email, web form or your community portal. Your end-users are secured whether they use a laptop or a mobile device.

    Salesforce security has never been more critical

    We’re seeing a surge in Salesforce-targeted threats in our detection telemetry, and recent high-profile breaches tell the same story. If world-leading enterprises with top-tier defenses can be breached, treating Salesforce security as an afterthought is a gamble not worth taking.

  • How field uploads exposed a hidden threat in Salesforce – Reverse engineering back to a pain point

    When mobile reps became an unexpected attack vector, a leading manufacturing firm needed help to close the gap.

    When most people think about Salesforce security, they focus on access controls, user permissions, or app integrations. But in industries like manufacturing, the real risks often hide inside the workflows themselves.

    One of our largest customers operates across multiple industrial and construction sites. Their Salesforce environment is a critical system, used daily by hundreds of mobile field reps visiting construction zones, factories, and customer facilities. These reps use Salesforce on tablets or phones (often personal or temporary work-issued devices) to:

    • Upload site photos and equipment images
    • Send and receive customer agreements
    • Share inspection documents
    • Communicate with internal teams

    This is exactly what Salesforce Field Service is built for: fast, flexible, on-the-ground engagement. And with Salesforce Agentforce introducing generative AI features, productivity is only accelerating. But so is the attack surface.

    The hidden threat: Files from the field

    This customer’s security team didn’t come to us looking for a Salesforce plugin. Their concern began with one simple, urgent question:

    “How do we make sure files coming in from the field aren’t putting us at risk?”

    Under the Shared Responsibility Model, Salesforce secures its infrastructure, but ensuring uploaded files are safe is up to the customer. And that’s where things got risky. The reps were uploading more than just notes. We’re talking about:

    • PDFs and Excel files
    • CAD drawings
    • Scanned contracts
    • High-resolution images and videos

    Many of these uploads came from unmanaged, personally owned, or third-party devices with unknown security standards. Once in Salesforce, those files were shared across legal, procurement, and other departments—making it easy for malware to propagate silently through the organization.

    From pain point to protection

    Rather than jumping to a product pitch, we started by mapping the real-world risks:

    • Mobile reps using unmanaged or temporary devices
    • A daily flow of rich, unverified content into Salesforce
    • No visibility into file safety at the point of entry
    • Agentforce likely increasing this content stream
    • Internal risk from lateral movement of threats

    The solution? A native security layer inside Salesforce itself.

    By scanning every file upload and download in real time—within the Salesforce environment—they were able to:

    • Close the file security gap without slowing reps down
    • Extend protection to devices outside IT’s control
    • Support audit and compliance even with third-party contributors

    Best of all, the fix didn’t disrupt the workflow. Reps kept using Salesforce as usual. No new apps. No retraining. Just fast, invisible protection—average scan time under a second.

    Why this matters for manufacturing

    This isn’t just one company’s story. We’re seeing the same challenge across manufacturing, logistics, and construction—anywhere mobile or contract-based workforces rely on Salesforce. These environments often involve:

    • Temporary labor and outsourced contractors
    • Mobile uploads from remote job sites
    • Complex document workflows spanning departments

    Unchecked, these uploads can bypass traditional perimeter defenses. That’s why embedding security inside Salesforce—where the files actually land—is essential.

    Bigger than one customer

    Sometimes, the vulnerability isn’t in the code. It’s in how legitimate users interact with powerful tools. A mobile workforce, doing their job, can unintentionally open doors to attack. That’s why security has to follow the workflow—not the other way around.

    In this case, that mindset led to one of our most impactful deployments—and a safer, smarter way to support sales teams in the field.

  • Credential theft, malware, and the hidden risk to Salesforce environments

    ABC News Australia, a national broadcaster, recently revealed a large-scale malware operation that stole credentials from employees and customers of several top-tier Australian banks.

    While this breach did not involve Salesforce directly, the methods used should raise red flags for any organization relying on cloud-based platforms like it. Credential theft and session hijacking—whether targeting banking portals, CRM systems, or collaboration tools—are part of a broader trend in cybercrime that exploits the weakest link: end users.

    If Salesforce is your organization’s central hub for customer interactions, service, or internal operations, this kind of attack offers a clear warning. It’s not about whether your platform was the entry point—it’s about how easily attackers can pivot into cloud environments using valid credentials.

    What the credential theft malware attack revealed

    The malware campaign, believed to be operated out of Eastern Europe, compromised over 60,000 devices in Australia, including thousands of employee and customer endpoints linked to major financial institutions.

    Key facts:

    • Malware captured login credentials, cookies, and session tokens.
    • At least 250 employee devices from major banks were affected.
    • Customer banking credentials and multi-factor authentication bypass data were harvested.
    • The stolen information was sold on dark web marketplaces, ready to be used for account takeovers, phishing campaigns, and lateral movement into connected platforms.

    Why Salesforce security is at risk from credential theft

    Even though this wasn’t explicitly a Salesforce-linked attack, and even if your organization wasn’t directly impacted, there are some key lessons here for those responsible for securing Salesforce environments:

    Your users are the new attack surface.

    This campaign didn’t exploit system vulnerabilities—it targeted individual users. When attackers obtain valid login details, especially those that can bypass security checks, they can gain access to cloud platforms like Salesforce with little resistance. A separate breach involving stolen Jira credentials shows just how easily attackers can pivot into connected platforms like Salesforce using legitimate access.

    Credential dumps enable targeted phishing and impersonation.

    Once user data is exposed, attackers often move quickly—crafting convincing messages, impersonating employees, and targeting systems that trust those identities.

    Think it couldn’t happen in Salesforce? Think again

    Salesforce is one of the most trusted enterprise platforms in the world; however, like any cloud service, it operates on a shared responsibility model. Salesforce secures the infrastructure, while you are responsible for your data, users, and access controls.

    • Malware on an endpoint device, such as on a user’s laptop, can still compromise Salesforce session tokens or browser credentials.
    • API integrations and third-party apps can be exploited if access controls are too permissive.
    • Threats such as phishing links and harmful file uploads can still bypass native protections, particularly in tools like Salesforce Experience, Service Cloud, Email-to-Case, Web-to-Case, real-time Agentforce conversations, and messaging solutions connected to Salesforce.

    How to strengthen Salesforce security against credential-based attacks

    This incident is a wake-up call for organizations relying on Salesforce. Fortunately, you can take practical steps now to reduce your exposure.

    Harden access and session controls

    • Watch for unusual login patterns—even those from recognised users.
    • Apply the principle of least privilege to user roles and access.

    Inspect what your users upload or click

    • Malicious attachments and phishing links can be injected into Salesforce records.
    • Native platform defenses don’t always catch modern threats – use advanced scanning tools that analyze content in real time.

    Protect beyond the login screen

    • Threat actors don’t need to “break in” when they can walk in with valid credentials.
    • Invest in behavior-based threat detection to spot suspicious activity inside the platform.
    • Identity Protection tools will help you quickly identify users with stolen credentials and take action.

    Why endpoint security isn’t enough for Salesforce protection

    As this breach shows, once an attacker has valid credentials or hijacks a session, traditional defences often fall short, especially when malicious content is introduced after login, via uploads, links, or third-party integrations.

    To reduce risk within Salesforce, security controls must extend beyond the perimeter. They need to work inside the platform—scanning for threats, detecting unusual activity, and protecting the areas where attackers are most likely to strike.

    Importantly, these protections must function within the Salesforce environment, not merely at the perimeter or endpoint. Many security strategies overlook this gap, where risk quietly accumulates.

    Malware doesn’t stop at endpoints – and neither should your security. When attackers access credentials and session data, any cloud service in your stack, including Salesforce, becomes a target. The recent breach should be a stark reminder: you can’t afford to treat Salesforce security as an afterthought.

    This latest breach is a reminder: the threat is already in motion. The question is—how prepared are you?

  • Salesforce security: What you REALLY need to know

    Let’s talk about something that matters to everyone using Salesforce – security. Not the dry, technical stuff (though we’ll touch on that), but the real-world implications of how we protect data in Salesforce today.

    Remember when Salesforce first showed up 25+ years ago? They weren’t just selling software—they were asking businesses to do something radical: “Hey, trust us with your customer data on this internet thing.” Pretty bold ask back then!

    That fundamental need for trust hasn’t changed. If anything, it’s become more critical as more of our business lives move to the cloud. Ensure you are deploying only enterprise-grade and certified solutions.

    Navigating the regulatory maze

    The regulatory landscape has gotten… complicated, to put it mildly. While there aren’t many cloud-specific regulations, we’re all feeling the impact of GDPR, CCPA, Australia’s Privacy Act, and similar laws worldwide.

    What’s interesting is how these regulations are actually driving innovation. Cloud providers are constantly evolving their offerings to meet higher standards, from data residency options to local data centers to better cross-border transfer solutions.

    Also, make sure your cybersecurity vendor holds the certifications that matter, like ISO 27001 and ISAE 3000 Type 2 (SOC 2 Type 2).

    Being resilient when (not if) things go wrong

    Let’s be real—cyber incidents will happen. The question isn’t if, but when. That’s why cyber resilience matters so much.

    Being resilient means you can keep your business running even when facing cyber problems. It’s about preparing beforehand, detecting issues quickly, responding effectively, recovering smoothly, and adapting for next time.

    And make sure your cyber security solutions provide full visibility of the content activity within your cloud solutions – without that you are flying blind when the proverbial hits the fan.

    Who’s responsible for what? The cloud security dance

    One of the biggest misunderstandings in cloud security is who handles what. It’s a partnership, not a handoff:

    • Salesforce handles the security OF the cloud (infrastructure, data centers, platform security)
    • You handle security IN the cloud (user access, configurations, data, malware, and phishing protection)

    The problem? Many organizations think moving to the cloud means transferring all security responsibilities to the provider. Not true! And this misunderstanding creates dangerous security gaps.

    Even more frustrating, many organizations aren’t using the security features they’re already paying for. Tools like event monitoring, encryption options, malware and phishing scanning options, and log analysis often sit unused.

    AI: Double-edged sword

    AI is changing everything in the security world. On one hand, it’s giving security teams superpowers—helping them detect threats faster, respond more accurately, and cover more ground with fewer people. And cyber security companies like us have only expanded the usage of AI since we started automated analysis in 2006.

    But there’s a flip side:

    • AI can amplify biases from training data
    • Data privacy becomes trickier when large datasets are involved
    • Attackers can fool AI systems with adversarial techniques
    • Deepfakes make verification harder than ever
    • Ethical questions emerge when AI makes important decisions

    The key is finding the balance—leveraging AI’s benefits while carefully managing these risks.

    Different industries, different challenges

    If you’re in financial services, healthcare, or the public sector, you know the compliance burden is especially heavy. Each region has its own requirements, too—Australia has IRAP, the US has FedRAMP, Germany has C5, and Japan has ISMAP.

    Interestingly, these highly regulated industries also see more “shadow AI” use, where employees bypass official channels to use productivity-enhancing AI tools. This highlights why clear policies and education are so important.

    Getting CRM and security teams on the same page

    Here’s something that happens all too often: CRM teams plan and implement Salesforce without bringing security experts in early enough. By the time security gets involved, major decisions are already locked in.

    The better approach? Involve security from day one of planning. Help them understand what data you’re storing, what business processes you’re supporting, how your community is interacting, and how everything connects.

    This partnership approach builds security in from the start rather than bolting it on later. Typically, when you open your Salesforce to external communities, the threat level jumps through the roof.

    What this all means for you

    The bottom line is that securing Salesforce today requires understanding that it’s a shared responsibility. It means being prepared for incidents rather than just trying to prevent them. And it requires thoughtful governance around new technologies like AI.

    The organizations that get this right aren’t necessarily the ones spending the most money. They’re the ones fostering collaboration between business, security teams, and cybersecurity vendors, making full use of existing security features, and staying adaptable as the landscape continues to evolve.

    What security challenges are you facing with your Salesforce implementation? The conversation is just beginning.

    Take a look at the fireside chat I had with Chetan Sansare, Senior Director Security and Regulatory Compliance APAC and Gayan Benedict, CTO (ANZ), Salesforce for an even deeper dive.

  • Securing the future of Agentforce: Why Salesforce data governance can’t be an afterthought

    Let’s be clear – when Salesforce becomes your digital front door, your responsibility doesn’t end at deployment. That’s where it begins.

    The security responsibility is yours (and Salesforce’s)

    There’s a persistent myth: “Salesforce handles all the security stuff.” This isn’t the case.

    Yes, Salesforce provides world-class infrastructure – the data centers, the failover systems, the platform fundamentals. But everything inside your org? The users, custom apps, and most importantly, your data? That’s entirely your responsibility.

    If someone uploads malicious content or a team member accidentally nukes a critical dataset, Salesforce isn’t swooping in to save the day. You need your own safety nets.

    That’s exactly why we created WithSecure Cloud Protection for Salesforce back in 2015. We couldn’t find a native solution to scan incoming files and URLs from Experience Cloud users, so we built one ourselves. Today, hundreds of organizations rely on it for real-time protection.

    The hidden danger: unstructured data

    One of the biggest blind spots is unstructured data – all those files, images, and links coming in through portals, forms, chat interfaces, and partner connections. These are malware superhighways.

    Agentforce only amplifies this risk. It’s designed to respond quickly by drawing from multiple data sources. If that data isn’t properly scanned and secured, you’re essentially building a high-speed highway to your most sensitive information.

    Our solution scans files and links in under a second, and that timing matters. Agentforce needs to respond in about 1.5 seconds to meet user expectations. If your security can’t keep pace, it becomes either a bottleneck or something teams will work around (which is even worse).

    Backup isn’t enough (but it’s a start)

    Let’s talk about what actually happens when things go wrong. In my experience, data loss rarely comes from dramatic hacks. It’s usually something mundane: a cleanup job gone sideways, a picklist error, or a field mismatch that cascades across thousands of records.

    When that happens, you need more than just a backup – you need precision recovery. You need to know exactly what changed, what needs fixing, and which data is valid.

    And as your org grows? Performance starts to suffer. Reports crawl, dashboards lag, and users can’t find what they need. That’s where strategic archiving becomes crucial – keeping your Salesforce instance lean and responsive while preserving historical context that your AI tools need to function effectively.

    AI doesn’t have a conscience

    Here’s something that keeps me up at night: AI models will happily process whatever data they’re given, including highly regulated or sensitive information. They don’t know any better.

    It’s up to us to control what these models see and don’t see. That means implementing data masking, tokenization, and encryption before data even enters the AI pipeline. At WithSecure, we partner with companies like Odaseva to ensure sensitive information stays encrypted end-to-end, never exposed, not even during processing.

    This way, you get the intelligence without the regulatory nightmares.

    The missing link: collaboration

    Want to know a common vulnerability I encounter? It’s not technical – it’s organizational. Salesforce admins and cybersecurity teams simply aren’t talking to each other.

    When they do collaborate, magic happens. Risk decreases. Deployment speed increases. Compliance becomes manageable rather than painful.

    The best results come when these teams work as one unit – building policies together, selecting tools together, and responding to incidents with a unified approach. Security isn’t a solo act – it’s the ultimate team sport.

    What you should do today

    If you’re expanding your Salesforce footprint or implementing Agentforce, here’s my practical advice:

    Know what’s lurking in your org – If you’ve used Salesforce for years, there’s likely already malware sitting quietly in old files or attachments. A comprehensive scan can identify and remove these threats.

    Reassess risk whenever anything changes – New user groups? New data types? New features? Each one brings potential vulnerabilities. Don’t wait for something to break.

    Watch those chat interfaces – Agentforce increasingly operates across WhatsApp, Messenger, websites, and more. These are high-risk entry points where unstructured data flows fast and often unfiltered.

    Test your recovery plan – Don’t just have backups; run simulations. Test restoration. Create response playbooks. When something goes wrong, you want muscle memory, not panic.

    The bottom line

    Agentforce is genuinely transformative. It enables faster, smarter, always-on service that customers increasingly expect. But it also significantly increases both the complexity and exposure of your Salesforce environment.

    Here’s the good news: you don’t have to choose between innovation and security. With the right tools and partnerships, you can build a Salesforce experience that’s fast, intelligent, and secure by design.

    And that’s how you unlock the real value of Agentforce – without risking everything else in the process.

    I recently took part in a conversation about this very topic. Take a look below!

  • What you need to consider in your file security solution for Salesforce

    Files are essential to your Salesforce workflows, but they’re also an easy attack vector. Whether it’s contracts uploaded through a customer portal, invoices submitted via Service Cloud, or internal attachments exchanged in agent chats, every file entering your Salesforce environment carries risk.

    That’s why choosing the right file security solution for Salesforce isn’t about ticking boxes. You need to ensure you have deep, real-time protection against the full spectrum of file-based cyber threats. This means everything from well-known malware to emerging, never-before-seen zero-day attacks.

    Two kinds of file-based threats — and why you need protection against both

    Attackers aren’t just reusing the same old tricks. They’re hiding never-before-seen malicious content inside seemingly harmless files like PDFs, Word docs, and image files. These zero-day threats are hard to detect and they fly under the radar of superficial detection mechanisms.

    1. Commodity malware
    These are widespread threats that security vendors have seen before. This includes viruses, trojans, and ransomware families that have recognizable digital “fingerprints.” Many legacy antivirus products rely on signature-based detection alone, which can be effective here… if you’re lucky and the signature database is up to date.

    2. Zero-day and polymorphic malware
    These pesky threats are the real problem today. Zero-day malware is completely new, often crafted specifically to bypass traditional detection. Polymorphic malware, meanwhile, mutates its code every time it spreads, evading both basic signature detection and one-time-only scanning. These threats are harder to spot, and can cause real damage before anyone notices.

    That’s why a file security solution for Salesforce must go beyond static scanning to get results. And accuracy counts.

    Proven protection: AV-TEST award-winning threat detection

    When selecting a file security solution for Salesforce, you need assurance that your protection is tested and proven – not theoretical marketing pitches.

    That’s exactly what WithSecure delivers. Our advanced malware detection engine, used in WithSecure™ Cloud Protection for Salesforce, is the same core engine behind WithSecure Elements, which earned AV-TEST’s Best Protection Award 2024 after achieving flawless detection results across an entire year of enterprise-grade testing.

    Throughout 2024, AV-TEST rigorously evaluated WithSecure Elements across more than 90,000 malware samples as part of its Enterprise Protection Test. The result? A perfect malware detection rate. Not a single threat slipped through. WithSecure effectively blocked every attack and prevented any damage to the test systems.

    “This result demonstrates the relentless dedication of WithSecure Intelligence, as well as our R&D and cyber security teams, whose expertise ensures our customers stay protected against both known and emerging threats,” says Paolo Palumbo, VP, W/Intelligence at WithSecure.

    This recognition from AV-TEST (which is one of the most trusted independent testing organizations in the cybersecurity industry) offers assurance that WithSecure’s detection capabilities are not only fast and intelligent, but validated in real-world conditions.

    For Salesforce customers, this means that WithSecure Cloud Protection for Salesforce brings the same industry-leading protection into your cloud environment — scanning every file that touches your business, from support tickets and partner portals to automated chat workflows.

    Whether it’s a known virus or a zero-day threat disguised in a PDF, you can trust WithSecure to stop it before it spreads.

    Real-time, multi-layered defense that fits Salesforce

    WithSecure Cloud Protection for Salesforce goes far beyond a basic upload-time file scan. It delivers continuous, multi-layer protection at every stage of your Salesforce workflows — from file uploads and downloads to dynamic interactions via forms, support cases, partner portals, Slack, and more.

    Here’s how it works:

    Multi-layered file analysis engine

    Every file is evaluated using a robust stack of detection technologies, including:

    • Signature-based scanning for known malware variants
    • AI-powered behavioral analysis to detect suspicious patterns and polymorphic malware
    • Cloud sandboxing for deep inspection of complex or unknown file types
    • Real-time threat intelligence feeds, always up-to-date

    This ensures your Salesforce environment is secured against both commodity malware and zero-day threats — no matter where the file comes from or how it’s shared.

    Real-time protection at every entry point

    WithSecure doesn’t wait to act — it scans files immediately when they’re:

    • Uploaded to Salesforce (e.g. via cases, forms, portals, chats)
    • Downloaded by users or agents
    • Accessed or shared within Agentforce workflows or messaging integrations (e.g. WhatsApp, Slack, Web Chat)

    This real-time scanning capability is key in detecting threats like polymorphic malware, which may change form depending on who interacts with it — a major blind spot for conventional AV tools.

    Advanced detection of malicious URLs & QR Codes

    Files today are more than just files — they’re often delivery vehicles for phishing links or embedded QR codes pointing to malicious sites. WithSecure scans inside documents and images, detecting:

    • Malicious links, shortened URLs, redirects
    • QR codes embedded within files
    • Obfuscated or hidden content

    These capabilities are critical in stopping phishing attacks and preventing social engineering threats from reaching your team through Salesforce channels.

    Native to Salesforce — not bolted on

    Unlike external integrations or API-based workarounds, WithSecure Cloud Protection for Salesforce is a truly Salesforce-native application, meaning:

    • No middleware, no added infrastructure
    • Deployed directly from AppExchange
    • Integrates seamlessly into Salesforce UI, objects, and workflows
    • Works with standard and custom objects, Experience Cloud, Sales Cloud, Service Cloud, Government Cloud, omni-channel Agentforce workflows, and more

    It’s fast to deploy, easy to configure, and fully aligned with Salesforce’s architecture. Truly native does not just mean that an app’s management interface lives on Salesforce; it refers to the way the app itself is built and integrated.

    WithSecure Cloud Protection is already trusted by Fortune 500 companies and public sector organizations worldwide. It meets the highest requirements for security, compliance, and reliability.

    File security is the foundational element of Salesforce security

    Malicious files are still one of the easiest ways into cloud platforms like Salesforce. They are also among the hardest threats to detect without advanced protection. Without a purpose-built solution, there is no visibility into file-based threats on Salesforce, making incident response and forensics expensive and time-consuming.

    WithSecure Cloud Protection for Salesforce uses multi-layered, real-time analysis to detect both commodity malware and elusive zero-day threats. Powered by industry-leading engines and embedded natively in Salesforce, it stops what others miss before it ever reaches your data, workflows, or users.

  • Jira credentials breached: Why the HELLCAT attacks should alarm every Salesforce customer 

    In a growing spree of targeted cyberattacks, the HELLCAT threat group has breached at least six organizations in just five months by exploiting exposed Jira credentials. Victims include high-profile enterprises like Telefonica, Orange Group, and Jaguar Land Rover (JLR). In the JLR case alone, attackers exfiltrated and leaked over 700 internal documents, including source code, development logs, tracking data, and sensitive employee information. 

    These weren’t isolated incidents. HELLCAT followed a consistent playbook: targeting Jira for its central role in enterprise operations and its integration into broader ecosystems. The platform often holds architectural plans, API keys, internal communications, and workflow data. Sounds like a goldmine for attackers. 

    Stolen credentials are the culprit in the cloud

    So, what made these attacks possible? It was stolen credentials harvested by infostealer malware, often from external third parties. In one case, Jira credentials belonging to an LG Electronics employee still granted access to JLR’s Jira instance—years after the initial compromise. Those credentials had been exposed for years yet remained valid. 

    This isn’t a corner case. Credentials compromised – for example in old infostealer campaigns – are still readily available on the dark web. And as long as they work, attackers will continue using them. Many organizations don’t consider these risks in their security plans. This is the case especially when the credentials belong to external users like partners, contractors, or vendors. 

    The lesson is clear: in cloud environments, access doesn’t end at the walls of your organization. 

    Breached Jira credentials: The Salesforce parallel 

    From the attacker’s point of view, Jira is not unique. Salesforce mirrors Jira closely:

    • Vast amounts of sensitive data – customer records, contracts, invoices, case files, product roadmaps 
    • Extensive third-party access – via customer portals, partner users, and even agent automation. 
    • Central to workflows – tightly integrated with other platforms through APIs and automation, even more than Jira 
    • Credential risk blind spots – these are ticking time bombs especially for community users and partners outside core IT controls 

    Salesforce is targeted more and more by sophisticated cyber attacks

    Just like Jira, Salesforce is increasingly targeted. Many companies still don’t enforce MFA across all user types. Infostealer dumps are often loaded with credentials tied to cloud accounts, including Salesforce user accounts, which may go unmonitored or unchanged for years. Identity compromise is practically invisible to traditional security layers – until it’s too late.

    The HELLCAT breaches aren’t just a Jira credential risk. They’re a SaaS ecosystem wake-up call. 

    WithSecure helps mitigate identity risks on Salesforce

    Salesforce isn’t just a business app or CRM anymore – it’s an infrastructure and a backbone to critical commercial operations. Without proper visibility into identity risk and real-time file and URL-based threats, the door is wide open.

    WithSecure Cloud Protection for Salesforce provides: 

    • Real-time threat scanning of all files and URLs inside Salesforce 
    • Blocking of phishing links that direct to credential harvesting sites – even when hidden inside files or behind QR codes 
    • Stopping files that hide malware and ransomware, including infostealers and never-before-seen zero-day threats  
    • [COMING SOON!] Credential compromise detection to identify at-risk users  

    Switch roles from an administrator to Salesforce defender

    Salesforce customers need to think like defenders, not just administrators. You should treat Salesforce like the critical platform it is. Understand who’s accessing it.

    And don’t assume that credentials leaked five years ago aren’t still being exploited today. 

    Soon, we can help you monitor for credential compromises – especially among external users with our upcoming Identity Protection capabilities.  

    Trusted by highly regulated Fortune 500 enterprises globally, WithSecure Cloud Protection for Salesforce delivers scalable, quick-to-deploy Salesforce native protection. No added complexity, hindrance to your operations, or impact on your custom workflows. Just award-winning detection capabilities delivered in real-time.

    Curious about the upcoming Identity Protection feature? Contact us from the form below.

  • Future of Agentforce: cyber threat landscape

    The future of Agentforce is marked by swift business operations and a constant stream of AI-driven value. More and more AI agents process vast amounts of data, automate customer touch points, and interact across multiple platforms. At the same time, the cyber threat landscape will also be in flux. Here are our key predictions about cyber threats, and security strategies for adapting to them.

    Prediction 1: Agent efficiency drives exponential growth in data volumes

    AI agents, like those powered by Agentforce, excel at streamlining workflows, automating routine tasks, and enabling organizations to scale operations. By eliminating artificial restrictions, such as hiding customer service contact forms, businesses can handle significantly more inbound cases.

    As a result, the sheer volume of data being processed – both structured and unstructured – will rise dramatically.

    With an influx of data, the need for a robust, real-time file and URL scanning solution for Agentforce workflows will grow exponentially in the future. Organizations must deploy scalable, efficient threat detection systems like WithSecure™ Cloud Protection for Salesforce to mitigate risks without compromising operational agility.

    Prediction 2: New ways of processing and distributing content

    In the future, Agentforce agents will manage and distribute files and URLs at an unprecedented scale, both within organizations and externally to customers and partners. Agents may inadvertently share malicious content, amplifying the spread of threats.

    The risk of malware and phishing attacks increases as malicious files and URLs spread more freely through automated systems.

    Organizations need advanced real-time scanning solutions that proactively detect and neutralize threats. WithSecure’s cloud-native protection layer ensures that files and URLs are scanned immediately as they enter the platform, and again when a user interacts with them. They are effectively neutralized before they can disrupt operations or damage customer trust.

    Prediction 3: Integration with collaboration tools expands the attack surface

    Agentforce integrates with tools like Slack, WhatsApp, and Salesforce Messaging for In-App and Web (MIAW), facilitating seamless communication. For instance, a recruitment AI agent might share links to candidate portfolios or PDF resumes in Slack channels. However, these conveniences come with risks.

    Collaboration tools will become a more prominent vector for malicious content, with harmful files or phishing links reaching large audiences quickly.

    To address this, businesses must prioritize centralized security solutions that sit where data is processed and stored – within Salesforce itself. By centralizing protection at the source, organizations can ensure that all files and links handled by Agentforce agents are safe before they reach external platforms.

    What does the future of Agentforce look like from the threat landscape’s point of view?

    In the grand scheme of things, how does an AI- and Agentforce-dominated future change the threat landscape? We are already seeing a significant surge in SaaS breaches – +300% year-on-year to be precise. The same growth rate can unfortunately also be seen in malicious content on Salesforce, as detected in the customer environments we protect. SaaS applications, including platforms such as Salesforce, are increasingly targeted by cyber criminals.

    If the detection ratio of malicious files and phishing links remains the same or grows, and the volume of unstructured data grows, the risk of a data breach through these agentic workflows becomes a more pressing concern.

    GenAI has been seen as a disruptor in the cyber threat landscape for a while now, with services like FraudGPT rising in popularity. However, GenAI has also become the disrupted. Vulnerabilities in services like DeepSeek and Meta’s Llama make it clear that the same weaknesses apply to AI services as to any other software.

    Although the future of GenAI and agentic AI has many uncertainties, cyber defenders can prepare and take action.

    The good AI vs. bad AI race will keep on going.
    Defenders should adopt advanced security measures that leverage AI and machine learning to detect threats as fast as the agents operate. At the end of the day AI is fast. Agents are fast. Attacks that leverage AI are fast. Similarly, speed in preventative measures is crucial.

    What you can do to secure your Salesforce data in the age of agents

    To adopt agentic AI securely, you should embrace a secure-by-design mindset. Here are some practical measures to consider from day one:

    • Adopt real-time scanning: Implement AI-powered solutions like WithSecure™ Cloud Protection for Salesforce to ensure continuous protection for growing data volumes. Secure files and URLs shared via Slack, WhatsApp, and other platforms to reduce exposure.
    • Focus on centralized protection: Since agents operate within Salesforce, protecting the Salesforce environment directly is more effective than securing individual endpoints or third-party tools.
    • Regularly audit and update data: Maintain clean, accurate, and secure datasets to minimize the risk of inaccuracies in AI-driven workflows.
    • Apply the principle of least privilege: Only give agents the access and permissions they require to do their job. Manage access and authentication vigilantly.
    • Educate and train teams: Equip users with the knowledge to manage and secure AI-powered operations effectively.

    100% Salesforce native threat protection for Agentforce workflows

    Agentforce boosts efficiency by automating customer touchpoints, but it also increases exposure to malware and phishing risks through the handling of files and links.

    WithSecure™ Cloud Protection for Agentforce addresses these gaps with real-time scanning that integrates natively into Salesforce workflows. By stopping threats at the source, it ensures both AI agents and human users operate safely, preventing disruptions and securing sensitive data and interactions.

    Trusted by highly regulated Fortune 500 enterprises globally, WithSecure Cloud Protection delivers scalable, quick-to-deploy Salesforce native protection. No added complexity, hindrance to your operations, or impact on your custom workflows. You are fully empowered to leverage Agentforce’s potential without compromising the safety of your data or operations.
