Cloud Protection for Salesforce by WithSecure™
  • Is your Salesforce DORA compliant?

    What is DORA?

    The Digital Operational Resilience Act (DORA) is a European Union regulation crafted to boost the operational resilience of financial institutions. It ensures they can withstand, respond to, and recover from ICT-related disruptions, including cyberattacks. It mandates rules for ICT risk management, incident reporting, resilience testing and third-party risk management (TPRM). The regulation came into force in January 2025.

    DORA aims to ensure EU financial institutions can effectively manage and mitigate ICT risks, diminish the impact of cyber threats, and sustain business continuity during disruptions.

    Who does DORA apply to?

    DORA applies to the majority of financial institutions operating in the EU. It covers a broad spectrum of financial entities, such as banks, investment firms, payment service providers, insurance companies, and ICT third-party providers like cloud services that support financial institutions.

    DORA’s ICT risk management framework mandates that a firm’s management body bears ultimate responsibility for managing ICT risks, setting and approving the digital operational resilience strategy, and approving policies related to the use of ICT Third Party Providers (TPPs), among other duties.

    How has DORA changed regulatory compliance?

    There have been previous guidelines similar to DORA, such as the 2019 EBA Guidelines on ICT Security and Risk Management and the 2020 EIOPA Guidelines on ICT Security and Governance. However, because DORA is primary legislation, the level of supervisory scrutiny that firms are subject to is now increasing significantly.

    Key requirements for financial entities:

    • ICT risk management: Financial entities must develop robust governance and control frameworks to manage ICT risks. This includes risk identification, protection measures, system monitoring, and incident recovery.
    • Incident reporting: Entities are required to report significant ICT-related incidents to authorities to enhance oversight and facilitate a coordinated sector response.
    • Testing and audits: Regular testing, including penetration tests and security audits, is mandatory to identify and address vulnerabilities.
    • Third-party risk management: Financial institutions must ensure that third-party ICT providers adhere to equivalent standards, including conducting thorough due diligence for outsourcing critical functions.

    DORA compliance and Salesforce security

    DORA mandates comprehensive oversight across critical business areas, focusing on firm management’s accountability for ICT risks. It includes crafting a digital operational resilience strategy and managing ICT Third Party Providers (TPPs). Breaches could lead to penalties enforced by competent authorities.

    Salesforce is a cloud-based platform that is critical to many financial organizations and their operations. The financial entity will need to ensure that their use of Salesforce complies with DORA’s requirements regarding ICT risk management, third-party oversight, incident reporting, and testing.

    As a leading CRM provider, Salesforce has already taken steps to ensure that the platform’s data governance aligns with DORA – along with other data protection regulations.

    Collaboration with partners like WithSecure™ is part of Salesforce’s commitment to trust and security, according to Natalie Pope, Lead Solutions Engineer at Salesforce: “DORA is an important step in elevating our offerings to financial services customers, ensuring data and operational resilience are at the forefront of their business goals and company ethos. Our collaboration with partners like WithSecure™ demonstrates Salesforce’s commitment to our number one value of trust, allowing us to offer robust and compliant solutions as part of a trusted digital infrastructure.”

    Key actions to secure your Salesforce and navigate DORA

    DORA places obligations on financial institutions to manage risks from ICT providers, including SaaS platforms like Salesforce. When it comes to Salesforce security and risk management, the key areas where financial institutions can take action are:

    • Set up ongoing auditing practices to continually assess security risk related to Salesforce and other services connected to it. Implement proper security measures to remediate any gaps.
    • Develop and refine incident management strategies to ensure prompt detection, reporting and resolution of issues. Implement security measures directly for Salesforce that support your strategy.
    • Review and update contracts with ICT providers to meet DORA standards.

    How can WithSecure™ Cloud Protection for Salesforce help?

    WithSecure™ Cloud Protection for Salesforce stops malware and phishing threats on Salesforce in real-time. Our solution supports DORA requirements in areas such as:

    The DORA mandate for incident reporting: “Financial entities shall report major ICT-related incidents to the relevant competent authority”, “Financial entities shall produce, after collecting and analysing all relevant information, the initial notification and reports referred to in paragraph 4 of this Article using the templates referred to in Article 20 and submit them to the competent authority. In the event that a technical impossibility prevents the submission of the initial notification using the template, financial entities shall notify the competent authority about it via alternative means.” (Chapter 19, Article 1)

    The DORA mandate for detection capabilities: “Financial entities shall devote sufficient resources and capabilities to monitor user activity, the occurrence of ICT anomalies and ICT-related incidents, in particular cyber-attacks.” (Chapter 2, Article 10)

    The DORA mandate for incident management: “Financial entities shall define, establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents.” (Chapter 17, Article 1)

    How we help financial organizations meet DORA obligations

    WithSecure™ Cloud Protection for Salesforce helps financial institutions detect anomalies such as malware and phishing threats on Salesforce. It provides real-time monitoring of cyber threats and incidents across the Salesforce environment, and gives financial institutions automated threat remediation along with prompt alerts.

    WithSecure™ Cloud Protection for Salesforce’s native reporting features support incident reporting to authorities, as mandated by DORA. Reports give detailed information about the threat, who has interacted with it, and when. This not only enables sufficient reporting to authorities, but also speeds up the incident management process significantly. Without reporting tools that provide full event logs and forensic trails, investigating a malware outbreak is costly and time consuming.

    While remediating the immediate threat of malware, solutions like Cloud Access Security Brokers (CASBs) can introduce more risk by adding vulnerable integrations and data flows to the mix. For this reason, we built WithSecure™ Cloud Protection for Salesforce as a natively integrated, minimally vulnerable and simplified AntiVirus and AntiPhishing solution. With this simplified and seamless approach, financial institutions can mitigate risk without inadvertently adding more in the process. You can deploy the native security layer in minutes and strengthen your compliance instantly.

    WithSecure™ Cloud Protection for Salesforce is built with 30+ years of cyber security experience in close collaboration with Salesforce. The solution has achieved ISAE 3000 Type 2 certification (international equivalent to SOC 2 Type 2), and WithSecure™ is ISO 27001 certified, proving the resilience of operations in accordance with DORA’s third-party risk management agenda.

    Ensure Salesforce DORA compliance

    Protect your Salesforce environment against advanced ransomware and phishing attacks in real-time. Natively integrated WithSecure™ Cloud Protection for Salesforce is up and running in minutes. Comprehensive reporting capabilities help you meet DORA incident reporting requirements.

  • WithSecure Partners with 38North Security to Begin FedRAMP Preparation for Cloud Protection for Salesforce

    Helsinki, Finland – January 2026 — WithSecure™, widely respected as a global leader in Salesforce security, today announced the launch of its Federal Risk and Authorization Management Program (FedRAMP®) preparation initiative for WithSecure Cloud Protection for Salesforce. This effort is supported by federal compliance advisory firm 38North.

    This move signals WithSecure’s strategic commitment to bringing its Salesforce-native, real-time threat protection to U.S. federal agencies and preparing to meet the government’s rigorous cloud security standards.

    “Beginning our FedRAMP preparation underscores our long-term commitment to serving U.S. federal entities and strengthening the security of their Salesforce environments,” said Juhana Autio, General Manager of WithSecure Cloud Protection for Salesforce. “Our goal is to make an enterprise-grade, in-platform solution easily available to federal agencies so they can safeguard the workloads and mission-critical services they run in Salesforce.”

    FedRAMP provides a standardized, government-wide security framework for cloud products used by federal agencies, based on NIST SP 800-53 security controls. Completing the preparation phase positions WithSecure to pursue the formal FedRAMP authorization process, which would enable government-wide reuse under the program’s “do once, use many times” model.

    “As a leader in guiding global technology companies through the most demanding compliance landscapes—particularly within the U.S. public sector—we’re thrilled to support WithSecure on their FedRAMP journey,” said Matthew Earley, President and Founder of 38North Security. “38North has consistently delivered secure, resilient cloud environments for organizations across the United States, Europe, and the Asia-Pacific region. As we continue expanding our presence in the European Union, this partnership represents a natural alignment of strengths and opens new opportunities for both companies on both sides of the Atlantic. WithSecure’s platform is exceptionally well-positioned to meet the needs of federal agencies relying on Salesforce for mission-critical operations.”

    WithSecure Cloud Protection for Salesforce delivers enterprise-grade, real-time threat detection through deep inspection and advanced threat intelligence, protecting against malware, zero-day file threats, phishing links, malicious URLs, QR-based attacks, and identity risks such as compromised Salesforce user credentials. These capabilities are already trusted by highly regulated industries and public sector organizations globally to defend against complex attack chains that target users, content, and automations inside Salesforce.

    About WithSecure™

    WithSecure™ is Europe’s cyber security partner of choice. Trusted by IT service providers, MSSPs, and businesses worldwide, we deliver outcome-based cyber security solutions that protect mid-market companies. Committed to the European Way of data protection, WithSecure prioritizes privacy, data sovereignty, and regulatory compliance.  

    Boasting more than 35 years of industry experience, WithSecure™ has designed its portfolio to navigate the paradigm shift from reactive to proactive cyber security. In alignment with its commitment to collaborative growth, WithSecure™ offers partners flexible commercial models, ensuring mutual success across the dynamic cyber security landscape.   

    Central to WithSecure’s™ cutting-edge offering is Elements Cloud, which seamlessly integrates AI-powered technologies, human expertise, and co-security services. Further, it empowers mid-market customers with modular capabilities spanning endpoint and cloud protection, threat detection and response, and exposure management.  

    WithSecure Cloud Protection for Salesforce provides Salesforce-native protection against malware, phishing, and identity-based threats, securing Salesforce users and agentic AI workflows in real time.

    Learn more at cloudprotection.com.

    About 38North

    38North Security is one of the industry’s premier cloud security and compliance consultancies, trusted by leading SaaS providers and global enterprises looking to break into—or expand within—the U.S. public sector. From FedRAMP and DoD IL4/IL5 to CMMC, IRAP, DORA, and ISMAP, 38North helps organizations accelerate market entry, reduce authorization friction, and build resilient, scalable cloud environments that stand up to the world’s toughest regulatory standards.

    Backed by a world-class team and our flagship LaunchPad ATO-acceleration platform, 38North delivers the strategy, engineering expertise, and hands-on support needed to turn complex compliance challenges into competitive advantage. Our clients span Fortune 500 companies, high-growth SaaS innovators, and mission-critical technology providers across North America, Europe, APAC, and beyond.

    At 38North, we believe compliance should be a catalyst for growth—not a barrier. We empower customers to enter new markets with confidence, speed, and a secure-by-design foundation that scales.

  • Salesforce: Where Does Your Security Responsibility End (and Your Risk Begin)?

    “Salesforce protects us from all malicious content.” It doesn’t. And that’s where your risk starts.

    Salesforce is a powerful business application platform, not a dedicated security solution. Files and links flowing into your org—through email-to-case, Experience Cloud portals, Agentforce workflows, Slack integrations, web forms, or record attachments—can carry malware, phishing links, or even ransomware.

    The result is a false sense of security that leads to risky behavior and blind spots in one of your most business-critical systems.

    Without proper safeguards, your organization is exposed to data breaches and compromise through infected files uploaded directly into Salesforce.

    Where Your Responsibility (and Risk) Really Starts

    To understand your exposure, it helps to define three critical areas that sit squarely in your own security responsibility, not Salesforce’s.

    1. Malware and File-Based Threats Inside Salesforce

    Salesforce provides the container. You are responsible for what gets stored in it.

    Salesforce does not natively scan your content for malware, viruses, ransomware, or phishing links.

    The Risk:
    When customers or partners upload documents, images, or links via:

    • Service Cloud forms
    • Experience Cloud portals
    • Case attachments (including email-to-case and web forms)

    …those files and links are immediately stored in your Salesforce environment.

    If you don’t have a dedicated scanning solution in place, a malicious file can sit unnoticed, be shared internally, and eventually land on an endpoint where it can compromise your wider corporate network.

    By the time an endpoint solution reacts, the threat has already been introduced into your core CRM.

    2. Endpoint Protection Is Not Enough: Salesforce Is a Blind Spot

    Many organizations lean heavily on Endpoint Protection (EPP) or Extended Detection and Response (XDR) and assume that’s “good enough” to cover Salesforce.

    These tools are essential—but they are your last line of defense, not the first, and certainly not the right primary control for a cloud platform like Salesforce.

    Relying on endpoints to catch Salesforce-borne threats means:

    • The malicious file has already entered your CRM
    • It may have been viewed, downloaded, or shared
    • It remains stored in a business-critical system that holds customer and deal data

    Ask yourself:

    Would you deploy an email solution today without modern built-in cloud security and malware scanning?

    Almost certainly not.

    So why treat Salesforce—the engine of your customer data and service operations—any differently?

    Attacks are cheaper, easier, and faster to stop where they originate: inside the platform itself, before they ever reach an endpoint.

    3. Enterprise Security vs. the Checkbox Trap

    Security for a system like Salesforce cannot be a “tick the box and move on” exercise.

    For critical environments and highly regulated sectors, relying on basic, one-dimensional scanning is a risky bet that confuses minimal compliance with actual protection.

    Attackers know this. They are already using advanced techniques designed to slip past:

    • Perimeter security
    • Simple attachment scanners
    • Signature-only antivirus engines

    Our threat intelligence shows that the vast majority of modern threats—well over 95%—are URL-based attacks engineered to be highly evasive, not just simple malware files.

    These attacks exploit exactly the gaps left by basic tools:

    • Malicious URLs embedded inside files (PDFs, Office docs, etc.)
    • QR codes or shortened links that hide their true destination
    • Nested content, such as archives containing multiple, layered payloads

    In these scenarios, file-only or signature-based protection is simply not enough.

    A basic scanner creates the illusion of security while leaving the most sophisticated threats untouched. The burden of investigation, decision-making, and compliance still lands on your internal teams—who now need enterprise-grade tools and intelligence to keep up.

    Why 2025 Was a Wake-Up Call (and What 2026 Will Bring)

    The Salesforce-related security incidents we saw in 2025 weren’t a failure of the Salesforce platform itself.

    They were the result of customers not closing the security gaps that fall under their own responsibility. This failure is now more exposed than ever:

    Industry data indicates that Salesforce was by far the most targeted and breached SaaS platform in 2025, highlighting the severity of the security responsibilities that are yours to manage.

    Looking ahead to 2026, you can expect:

    • More complex files and content types entering your CRM
    • Increasingly sophisticated URL-based and identity-driven attacks
    • Continued targeting of high-value, high-trust systems like Salesforce

    Manual checks, spot audits, or relying on perimeter defenses that don’t see inside Salesforce are no longer viable—especially if you operate in:

    • Finance
    • Manufacturing
    • Public sector
    • Or any highly regulated industry where data loss is simply unacceptable

    Close the Gap: Cloud Protection for Salesforce by WithSecure™

    If scanning files and URLs for malware is your responsibility, you need a dedicated, integrated, and low-friction solution—not a patchwork of manual controls.

    That’s where Cloud Protection for Salesforce by WithSecure™ comes in. It’s built specifically to plug the security gaps in your highest-risk environments: Service Cloud and Experience Cloud.

    Designed for Salesforce, Not Bolted On

    1. Award-Winning AI-Powered Malware Detection
    Built on the WithSecure™ Security Cloud, our cloud-based analysis platform that evolves in real time to stop new threats.

    2. Native Salesforce architecture, no external portals
    Available on AppExchange – deployed in minutes without external portals. Integrates automatically with all Salesforce functionality.

    3. Real-Time Threat Mitigation
    All files, URLs, and identity-based threats are analyzed using WithSecure’s cloud security platform and automatically handled inside Salesforce—before they reach your endpoints or users.

    4. Trusted by Fortune 500s and governments
    Enterprise-grade solution built for the most demanding environments across all industries.

    What You Should Do Next

    Don’t wait for an incident to tell you where your responsibilities really start.

    If you receive files or URLs from external sources into Salesforce, you need malware and content protection now, not after an investigation.

    Pick the next step that fits you best:

    Free Instant Risk Assessment

    Get an immediate, personalized report detailing your organization’s specific Salesforce security risks.


    Don’t Wait. Start Protecting Salesforce Now.

    Request a free 15-minute audit and we’ll walk through your current risk together.

    Cloud Protection for Salesforce can be deployed in minutes—and start scanning every file and URL that enters your CRM right away.


  • Inside Salesforce security assessments: The hidden misconfigurations putting businesses at risk

    Salesforce is widely regarded as one of the most secure cloud platforms in the world — and that reputation is deserved. Yet many organizations unknowingly carry significant risk inside their Salesforce orgs, not because the platform itself has weaknesses, but because configuration decisions made over time have created blind spots.

    This disconnect between the platform’s inherent security and how it is implemented is exactly what Salesforce security assessments are designed to surface. They show how the org is actually behaving, not how stakeholders believe it is behaving.

    Where risk really comes from

    Many organizations rely on Salesforce’s built-in tools like Health Check and assume they cover every angle. In practice, those controls don’t replace structured assessments that examine metadata, permissions, Digital Experiences, user behavior, and integrations. As Doug Merrett, Founder of Platinum 7, explained during a recent conversation, organizations are often looking in the wrong direction:

    “Salesforce is a very secure platform — until a customer misconfigures it.”

    The issue isn’t that Salesforce is unsafe — it’s that complexity increases over time, and one overlooked decision from years ago can create exposure today.

    The most frequent misconfigurations found

    Security assessments across enterprises and fast-growing Salesforce deployments consistently reveal the same high-impact patterns:

    • Digital Experiences / Communities misconfigured, allowing users to view data that should be restricted
    • External integrations connecting with System Administrator privileges, giving full control of the org to third-party systems
    • An excessive number of System Administrators, often accumulated organically over the years without governance

    A breach is not required for these issues to cause damage. A single misconfigured integration or an over-privileged user performing the wrong action can trigger a major incident.

    Merrett puts this dynamic into clear terms:

    “Most of the risks found in assessments aren’t Salesforce issues — they’re configuration issues.”

    And that’s exactly why assessments matter: they reveal the difference between perceived security and actual security.

    Where accountability breaks down

    The root cause isn’t purely technical — it’s organizational. Salesforce is often introduced by the business to solve operational challenges long before IT or security teams become involved. Once momentum builds and department workflows depend on Salesforce, ownership of security becomes complicated.

    High-performing Salesforce organizations treat security as shared responsibility. Platform teams understand configuration and business logic; security leaders understand risk and data protection requirements. When those two groups operate in isolation, risk tends to accumulate quietly.

    AI and Agentforce change the stakes — in both directions

    AI is beginning to reshape Salesforce security in meaningful ways. New AI-driven capabilities can detect abnormal behavior, highlight misconfiguration, and suggest remediation actions — a major advantage for Salesforce administrators who aren’t security specialists.

    But AI isn’t a safety net. If visibility rules, access controls, and sharing models are already weak, AI will not correct the issue. It will scale and accelerate whatever foundation it is built on — good or bad. The shift toward Agentforce increases the importance of good configuration rather than reducing it.

    Improving security doesn’t need to be difficult

    Not every security enhancement requires a large project or the purchase of additional tooling. Some of the fastest and most impactful improvements include:

    • Reviewing and managing all connected apps
    • Removing System Administrator access from integrations
    • Using the Salesforce Integration User license for connectors
    • Running Health Check and prioritizing the highest-risk findings

    These steps alone dramatically reduce exposure.
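    The script below is an added example, not assessment tooling from Platinum 7 or WithSecure. It audits a Salesforce User export for the two patterns named in the misconfiguration list above (integrations running as System Administrator, an oversized or dormant admin pool) and maps each finding to the quick fixes just listed. The SOQL field names are real; the user records, the list of integration accounts and the name of the profile that comes with the Salesforce Integration license are assumptions.

```python
"""Audit a Salesforce User export for integrations that run with the System
Administrator profile and for an oversized or dormant admin pool.

Added example, not the assessment tooling of Platinum 7 or WithSecure. The
records below are CONSTRUCTED and shaped like rows returned by the real SOQL:
  SELECT Username, IsActive, Profile.Name, UserType, LastLoginDate FROM User
"""
from datetime import datetime, timedelta, timezone

ADMIN_PROFILE = "System Administrator"
# Profile paired with the Salesforce Integration user license. The exact
# profile name is an assumption; verify it in your own org.
INTEGRATION_PROFILE = "Minimum Access - API Only Integrations"

# Fixed "now" so the example is reproducible (constructed).
AS_OF = datetime(2026, 1, 12, tzinfo=timezone.utc)

# Constructed export: a human admin, an integration wrongly running as admin,
# a dormant admin, a correctly licensed integration and a partner-portal user.
CONSTRUCTED_USERS = [
    {"Username": "jane.admin@example.com", "IsActive": True,
     "Profile": {"Name": ADMIN_PROFILE}, "UserType": "Standard",
     "LastLoginDate": "2026-01-10T08:00:00.000+0000"},
    {"Username": "erp-sync@example.com", "IsActive": True,
     "Profile": {"Name": ADMIN_PROFILE}, "UserType": "Standard",
     "LastLoginDate": "2026-01-11T02:00:00.000+0000"},
    {"Username": "old.consultant@example.com", "IsActive": True,
     "Profile": {"Name": ADMIN_PROFILE}, "UserType": "Standard",
     "LastLoginDate": "2024-03-01T08:00:00.000+0000"},
    {"Username": "marketing-connector@example.com", "IsActive": True,
     "Profile": {"Name": INTEGRATION_PROFILE}, "UserType": "Standard",
     "LastLoginDate": "2026-01-11T03:00:00.000+0000"},
    {"Username": "dealer.portal@partner.example", "IsActive": True,
     "Profile": {"Name": "Partner Community User"}, "UserType": "PowerPartner",
     "LastLoginDate": None},
]

# Usernames identified as integration (service) accounts while reviewing the
# org's connected apps; constructed for this example.
CONSTRUCTED_INTEGRATION_ACCOUNTS = {
    "erp-sync@example.com",
    "marketing-connector@example.com",
}


def parse_login(value):
    """Parse the timestamp format Salesforce returns; None means never logged in."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def audit_users(users, integration_accounts, now=AS_OF,
                max_admins=5, dormant_days=90):
    """Return findings (severity, user, issue, fix), highest severity first."""
    findings = []
    active_admins = [u for u in users
                     if u["IsActive"] and u["Profile"]["Name"] == ADMIN_PROFILE]

    for user in active_admins:
        name = user["Username"]
        if name in integration_accounts:
            # The page's top finding: a connector holding full control of the org.
            findings.append({
                "severity": "high", "user": name,
                "issue": "integration account runs with the System Administrator profile",
                "fix": f"move it to the Salesforce Integration license "
                       f"('{INTEGRATION_PROFILE}' profile) plus a least-privilege permission set",
            })
        last = parse_login(user["LastLoginDate"])
        if last is None or now - last > timedelta(days=dormant_days):
            # Admins accumulated "organically" usually show up as dormant logins.
            findings.append({
                "severity": "medium", "user": name,
                "issue": f"System Administrator with no login in the last {dormant_days} days",
                "fix": "deactivate the user or downgrade the profile",
            })

    if len(active_admins) > max_admins:
        findings.append({
            "severity": "medium", "user": None,
            "issue": f"{len(active_admins)} active System Administrators exceed the ceiling of {max_admins}",
            "fix": "review each admin with its business owner and remove those without a current need",
        })

    # An integration on a human profile is not admin, but still worth a look.
    for user in users:
        name, profile = user["Username"], user["Profile"]["Name"]
        if (name in integration_accounts and user["IsActive"]
                and profile not in (ADMIN_PROFILE, INTEGRATION_PROFILE)):
            findings.append({
                "severity": "low", "user": name,
                "issue": f"integration account uses the human profile '{profile}'",
                "fix": f"consider the '{INTEGRATION_PROFILE}' profile",
            })
    order = ("high", "medium", "low")
    return sorted(findings, key=lambda f: order.index(f["severity"]))


if __name__ == "__main__":
    for f in audit_users(CONSTRUCTED_USERS, CONSTRUCTED_INTEGRATION_ACCOUNTS, max_admins=2):
        print(f"[{f['severity']}] {f['user'] or 'org'}: {f['issue']} -> {f['fix']}")
```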

    The shared responsibility model still applies

    Recent Salesforce-related security incidents that made the headlines were not caused by platform vulnerabilities — they were caused by customer configuration gaps. The shared responsibility model remains unchanged: Salesforce protects the cloud; customers must protect their configuration.

    Security assessments aren’t about fault — they’re about clarity. And clarity is what enables resilient, scalable, and accountable use of Salesforce.

    🎧 Listen to the Full Podcast Episode

    To explore this topic in more detail — including real-world examples, configuration pitfalls, and how to prepare for the AI-accelerated future of Salesforce — listen to the full conversation with Doug Merrett on Guardians of Salesforce: Salesforce Security Assessments — What They Reveal and How Organizations Should Respond.

  • Dreamforce ’25 Review: Identity, speed, and shared responsibility

    If one theme defined Dreamforce this year, it was security — not as a side topic, but as a shared priority across the entire Salesforce ecosystem. From keynotes to breakout sessions, everyone was talking about how to protect data, identities, and trust as part of everyday innovation on the platform.

    Identity takes center stage

    One of the standout announcements came during a session featuring Okta’s CEO Todd McKinnon and Brad Arkin, Salesforce’s Chief Trust Officer. Together, they introduced Salesforce Security Mesh, a new framework that gives customers greater visibility into their entire security landscape — almost like a built-in SOC or SIEM for Salesforce.

    Identity dominated the discussion. As Arkin pointed out, attackers are increasingly targeting user identities because they offer the easiest path to move within an organization’s environment. That trend matches what we’re seeing across the industry, where compromised credentials often serve as the first step in a breach.

    View the full keynote below (credit: Salesforce)

    This growing focus on identity security aligns perfectly with our latest launch at WithSecure. We’ve just introduced Identity Protection within Cloud Protection for Salesforce — a new capability that detects compromised partner, supplier, and customer accounts before attackers can exploit them. It gives organizations the same level of confidence in external identities that they already apply to their internal users.

    Security is a team effort

    Another strong theme emerged from WithSecure head of threat intelligence Karmina Aquino’s presentation to an audience of our customers, prospects and partners during Dreamforce. Her message was simple and clear: security in the Salesforce ecosystem requires teamwork.

    Protecting the platform depends on collaboration between Salesforce, partners, and customers. It takes the right mix of people, process, and technology to mitigate risk effectively. The shared responsibility model is evolving from a framework into a mindset that every organization needs as cloud environments become more interconnected.

    Adapting at the speed of attackers

    Karmina also drew an insightful comparison between Salesforce today and the evolution of other major cloud platforms. Attackers have had years to refine their tactics against environments like Microsoft 365 — but they’re now applying the same advanced methods to Salesforce almost overnight.

    The takeaway for customers is clear: attackers are moving fast, and defenders need to move faster.

    Preparing for what’s next 

    Conversations at Dreamforce also turned toward the future. Data Cloud and Agentforce are transforming how organizations use Salesforce — and expanding the surface that needs protection.

    Most incidents so far have affected traditional clouds like Sales Cloud, Service Cloud, or Experience Cloud. But as companies deploy AI agents that can act on data and automate workflows, the need for trust, governance, and proactive defense is rising fast.

    That’s why our message to customers is simple:
    Protect your current environments today — and get ready for the next wave of innovation tomorrow.

    Progress through collaboration

    Dreamforce ’25 made one thing crystal clear: no one is standing still. Salesforce continues to strengthen its platform with initiatives like Security Mesh and improved visibility tools. WithSecure Cloud Protection is advancing in-platform innovation with new capabilities such as Identity Protection and enhanced Agentforce protection. Customers, too, are becoming more proactive about governance, compliance, and risk management.

    Security has become part of the conversation at every level — exactly where it belongs.

    Dreamforce ’25 showed how far the Salesforce ecosystem has come — and how much opportunity remains to build trust through stronger, smarter security. Identity, collaboration, and speed will shape the next phase of cloud security. Together, we’re already moving in that direction.

  • WithSecure unveils Identity Protection to close one of Salesforce’s biggest security blind spots

    Helsinki, Finland – October 2025 — Attacks targeting Salesforce are on the rise as criminals exploit trusted access to slip past defenses. WithSecure™ Cloud Protection for Salesforce has launched Identity Protection, a new capability in its Salesforce threat protection solution and the first of its kind to detect compromised partner and customer Salesforce accounts before they can be weaponized.

    While enterprises invest heavily in identity security for employees, external users accessing Salesforce through partner, supplier, and customer portals often fall outside these protections. Security researchers consistently identify compromised credentials as a leading entry vector for data breaches.

    In high-trust environments like Salesforce partner portals, external users can become the weakest link — a single compromised credential from a supplier or dealer can open the door to fraud worth tens of thousands of euros. That’s why identity threat detection and credential compromise visibility are now essential to keeping Salesforce secure.

    Identity compromise: costly and hard to detect

    These accounts can number in the tens of thousands per Salesforce customer — and when even one credential is stolen or reused across systems, attackers can gain access and remain undetected for months.

    “The front door isn’t forced open anymore – it’s unlocked with stolen keys,” said Juhana Autio, General Manager, WithSecure Cloud Protection for Salesforce. “Even companies with million-dollar security stacks can’t defend against a trusted account that’s already been compromised. External users have long been a blind spot in Salesforce, and we’re closing it.”

    Identity-based intrusions are among the most expensive to remediate — and often the slowest to detect and contain.

    Security that fits Salesforce — not the other way around

    WithSecure’s Identity Protection capability continuously monitors Salesforce user credentials against a live feed of exclusive breach intelligence — sourced from both public and dark web data — to detect when accounts have been exposed in third-party breaches.

    The new capability is included with all user-based licenses of WithSecure Cloud Protection for Salesforce at the time of launch and is available now.

    For more information, visit: Identity Protection | Salesforce User Credential Breach Monitoring

    Press contact: Elisa Mustonen: elisa.mustonen@withsecure.com

    About WithSecure™ Cloud Protection for Salesforce
    WithSecure Cloud Protection for Salesforce safeguards your cloud environment against advanced cyber threats. You can run your digital business without disruption – free from ransomware, zero-day malware, phishing and compromised account risk. The bespoke solution is built and designed in close collaboration with Salesforce for Salesforce and Agentforce workflows and managed directly from your Salesforce portal.

  • Salesforce attacks in 2025: Why cyber criminals are targeting Salesforce

    Salesforce attacks are increasing, as the platform has become a prime target for cybercriminals. Around 40 Salesforce customers – mostly global brands – have been breached by cyber criminal groups. Salesforce is an attractive target due to its high level of connectivity and the volume of sensitive personal and commercial information it contains.

    As companies’ Salesforce environments have become direct targets for cyberattacks, even the largest, best-resourced companies aren’t ready.

    Download the free 2025 threat landscape report

    “The targeting of organizations’ SaaS services that hold and process sensitive data has become an extremely popular TTP of ransomware actors, after all. It has become apparent that actors no longer need to spend a lot of time and money seeking to fully compromise a network, when extortion demands based on sensitive data theft can be just as successful. It enables an effective and scalable way of targeting organisations at scale,” explains Tim West, Director of Threat Intelligence at WithSecure. “The business value of Salesforce and the level of sensitive data held within Salesforce makes it an exceptionally attractive target for financially motivated threat actors.”

    Salesforce attacks have resulted in data breaches

    On September 12th 2025, after a series of successful cyber attacks targeting Salesforce customers, the FBI issued a FLASH alert. The alert shares indicators of compromise tied to groups recently observed targeting Salesforce instances in a growing wave of data-theft and extortion campaigns. A FLASH is the Bureau’s way of quickly pushing urgent threat intelligence and indicators of compromise to industry, helping security teams spot suspicious activity and strengthen defenses.

    In October, the situation escalated further. A collective calling itself Scattered Lapsus$ Hunters began leaking stolen Salesforce customer data and publicly extorting dozens of global brands. Salesforce itself has been extorted by the group. As the victims refused to negotiate and pay the ransoms, the extortion group started to leak the data.

    The biggest challenge: threat actors adapt fast. They aren’t focusing on technical exploits. They’re exploiting access, trust, and human behavior. Salesforce is a perfect environment for this. For example, Salesforce doesn’t have a built-in antivirus. It doesn’t scan incoming data for cyber threats. Securing the data and users of the platform is the customer’s responsibility. Attackers are aware of this gap.

    Customer information has high value on the dark web and can be used in further targeted attacks and identity theft.

    Confirmed Salesforce breaches and attributed incidents in 2025:

    • Google: breach disclosed in August but traced to activity in June. Targeted Salesforce CRM instance used for prospective Google Ads customer data. Impacted records included basic business contact details and related sales notes for SMB customers.
    • Salesloft-Drift hack: Attackers stole OAuth tokens through the Drift integration, leading Salesforce to shut down all Salesloft connections. The stolen tokens were then used to pull data directly from Salesforce accounts. Confirmed victims include security companies like Zscaler, Palo Alto Networks, Proofpoint, Tenable, Qualys and Cloudflare.
    • Workday: July disclosure of a third-party CRM breach exposing business contact data (names, emails, phone numbers). While Salesforce was not named, the case reflects how attackers target high-value SaaS and identity data to enable further exploits.
    • Allianz Life: Similarly, a July breach via a third-party cloud CRM impacted 1.4 million customers. Tied to social engineering tactics seen in the Salesforce campaign.
    • LVMH brands (Louis Vuitton, Dior, Tiffany & Co.), Adidas: late July disclosures tied to the same Salesforce-focused campaign.
    • GAP: alleged victim listed by the extortion group behind the campaigns targeting Salesforce instances.
    • Chanel: activity detected July 25, disclosed Aug 4; personal contact data exposed; tied to the same wave of Salesforce data-theft extortion.
    • Farmers Insurance: May breach via a third-party database exposed data of 1.1 million customers (names, addresses, driver’s license details, partial SSNs). Linked to the broader vishing campaign.
    • Coca-Cola (Middle East): disclosed May; data leak affecting ~1,000 employees in UAE, Oman, and Bahrain. Salesforce file access was reported to be part of the chain.
    • Coca-Cola Europacific Partners (CCEP): breach exposed over 23M Salesforce records (accounts, cases, contacts, products) via dashboards.
    • UK retailers (M&S, Co-op, Harrods): May ransomware/data theft incidents; similar social-engineering and access-abuse tactics were observed.
    • IKEA: allegedly breached by the hackers; no official disclosure.
    • Stellantis: disclosed a data breach in September, which came via third-party provider; contact data warned to be at risk; aligns with Salesforce-targeting wave but not confirmed.
    • Aviation sector (Hawaiian Airlines, WestJet, KLM, Air France, Vietnam Airlines, Qantas): targeted June–July. While not confirmed as Salesforce compromises, the entry methods (help-desk manipulation, MFA bypass) mirror those used in CRM breaches.

    Attribution note:

    Attribution is difficult and varies by case. The ShinyHunters-branded group carried out most confirmed Salesforce-focused campaigns in 2025, while Scattered Spider and other ransomware groups showed overlapping tactics.

    In recent months, multiple sources have described Scattered Lapsus$ Hunters as a loose collaboration of ShinyHunters, Scattered Spider, and Lapsus$. It shows how fluid these groups are in shifting names, tactics, and alliances as defenders catch up. This keeps attribution confusing even for industry experts.

    Salesforce-targeted cyber attacks are escalating

    Even the biggest, best-defended companies have been hit by CRM breaches. Salesforce isn’t off-limits to attackers. Using real-world detection data, we show why putting Salesforce security on the back burner is a risk not worth taking.

    UNC6040 / ShinyHunters: targeting Salesforce users with social engineering and OAuth abuse

    In 2025, Google’s Threat Intelligence Group (GTIG) reported on a campaign by UNC6040 – a financially motivated threat actor blending social engineering with OAuth abuse to target Salesforce environments.
    GTIG tracks the follow-on extortion phase as a separate cluster, UNC6240, more widely recognized under the ShinyHunters brand.

    The group’s playbook begins with credential harvesting. Reused or phished single sign-on (SSO) credentials gave them initial access. Once authenticated, they moved laterally using the victim’s privileges (unnoticed) before escalating access through malicious Connected Apps. By generating long-lived OAuth tokens, they could bypass multi-factor authentication (MFA) entirely and avoid triggering standard security alerts.

    The playbook in high-profile breaches

    The Google breach became the highest-profile example of this method. In June 2025, attackers compromised a corporate Salesforce instance used to manage prospective Google Ads customer information. Attackers exposed approximately 2.55 million records, including business names, phone numbers, and sales follow-up notes. This is data with high value for phishing and fraud campaigns. Google stated that the data was largely public-facing and unrelated to Ads product systems, but the incident showed how attackers can weaponize even ‘non-sensitive’ CRM data once they exfiltrate it. GTIG confirmed the breach was part of the UNC6040/ShinyHunters activity, with custom tools used to accelerate Salesforce data extraction.

    UNC6040’s access method didn’t rely on technical exploits. Instead, attackers impersonated IT support and used voice phishing (vishing) to walk employees through Salesforce’s Connected App setup page. They would instruct the target to enter an 8-digit connection code, which authorizes a rebranded version of Salesforce Data Loader (often called “My Ticket Portal”). This malicious app then granted persistent, privileged access without MFA. From there, data exports could occur quietly over time, and in some cases attackers pivoted into connected platforms like Microsoft 365 or Okta.

    Confirmed victims include Google, Allianz Life (impacting the majority of its 1.4 million customers), LVMH brands Louis Vuitton, Dior, and Tiffany & Co., Adidas, Qantas, and Chanel’s U.S. client-care database. In each case, attackers used variations of the same method to gain long-lived access and extract CRM records.

    UNC3944 / Scattered Spider: identity and workflow exploitation across industries

    UNC3944, also known as Scattered Spider, is a long-running threat group that focuses on identity-driven intrusions across cloud and enterprise environments.

    Like UNC6040, their defining move is manipulating IT support and identity provider (IdP) workflows to escalate access. Once inside, they authorise third-party data integration tools to extract cloud data without detection.

    Specifically, observed techniques include:

    • Persuading help desks to escalate permissions under false pretences
    • Exploiting IdP integrations to maintain persistence across multiple systems
    • Deploying virtual machines for staging and long-term access

    Tim West, Head of Threat Intelligence at WithSecure, notes: “Scattered Spider deploy social engineering to gain access to SaaS environments. Their attacks may look technically simple, but that doesn’t make them any less dangerous. They’ve been linked to the MGM and M&S breaches.”

    Google: Salesforce CRM breach targeting prospective Ads customers

    In June 2025, Google confirmed that ShinyHunters breached one of its Salesforce CRM instances used to manage prospective Google Ads customer data. The company said that the incident was part of the same campaign its Threat Intelligence Group had tracked, which had already targeted other organizations through voice-phishing (vishing) and OAuth abuse.

    As a result, attackers accessed records containing business names, contact information, and sales follow-up notes. Google stressed that the data was largely public and did not affect Ads-related systems such as Google Ads, Merchant Center, or Analytics, but the case showed how attackers can weaponize even ‘non-sensitive’ CRM data when they take it in bulk.

    The incident underscores a broader trend: attackers can weaponize CRM-level business workflow information for phishing, fraud, and follow-on compromise at scale, even when the stolen data appears “non-sensitive”.

    From help desk to breach: The same tactics behind the UK’s retail cyberattacks

    Just months before Google’s disclosure, major UK retailers, including M&S and Co-op, were forced offline by a wave of ransomware and data theft attacks attributed to Scattered Spider (UNC3944). The breaches began with help desk impersonation and social engineering, enabling lateral movement and large-scale data exfiltration from inside trusted systems – all without exploiting technical vulnerabilities.

    Airline sector attacks: Scattered Spider shifts focus

    In June and July 2025, multiple aviation companies – including Air France, KLM, Hawaiian Airlines, Qantas and WestJet – were targeted in a coordinated wave of cyberattacks attributed to Scattered Spider (UNC3944) and ShinyHunters (UNC6040). Vietnam Airlines is one of the later victims.

    The attacks prompted the FBI to warn publicly that the aviation industry is an active target.

    The attack methods remain consistent: impersonating IT support staff, manipulating help desks (both internal and outsourced), and bypassing MFA to gain trusted access. Contact centers are a known soft spot, often targeted first due to their broad access and lower security controls.

    What’s more, in some cases attackers reportedly used deepfake audio to impersonate employees and persuade help desk staff to authorize rogue access. Once inside, they quietly extracted sensitive data for extortion and, in some cases, deployed ransomware.

    “Organizations need to be conscious that when outsourcing administrative functions – such as help-desk or management of Salesforce services – they are also extending their threat surface, and outsourcing security culture. There is no ‘silver-bullet’ technology that mitigates human risk,” West highlights.

    When attackers exploit trust in one system, they often gain access to others just a few steps away.

    When insurance firms get targeted: CRM data at risk

    Attackers know insurance CRMs hold a goldmine of personal data. That makes them the perfect targets for fraud, false claims, and even building synthetic identities.

    Allianz Life saw over a million customer records siphoned via a rogue Salesforce Data Loader app. Farmers Insurance was hit in a similar way, with more than 1.1 million customers impacted through a third-party database breach. In both cases, social engineering and trusted integrations opened the door.

    The takeaway is clear. CRM-level data – which insurers manage in huge volumes – is more than enough to draw attackers in.

    Workday breach: Payroll, HR and CRM data compromised

    In July 2025, Workday disclosed that threat actors accessed a third-party CRM platform through a social engineering campaign. The company stressed that there was no impact on its payroll or HR customer tenants, and the information obtained was mostly business contact details such as names, email addresses, and phone numbers.

    Even if the data taken wasn’t highly sensitive, the way it was stolen follows a familiar playbook. Attackers lean on trust, trick people into giving up access, and then use even basic CRM details to fuel bigger scams: phishing, fraud, and setting up the next breach.

    Salesloft-Drift hack: OAuth tokens abused to siphon Salesforce data

    In August 2025, Google’s threat intelligence team uncovered a major breach tied to Salesloft and its Drift app – an AI chatbot tool used in sales processes. As the true scale became clearer, Salesforce shut down all Salesloft integrations. Attackers linked to UNC6395 had stolen OAuth tokens from Salesloft Drift and used them to quietly siphon data from connected Salesforce orgs.

    Google and Mandiant say the tokens were compromised across Salesforce and related systems, forcing urgent revokes and resets. There’s no evidence of a flaw in Salesforce itself. Still, the ecosystem took a hit.

    Notably, several cybersecurity vendors appeared on the confirmed list of victims.

    Zscaler, a cyber security company, is one of the affected customers. Zscaler confirmed that its Salesforce instance was accessed through stolen Salesloft Drift tokens. The company stressed that its core products and infrastructure were untouched, but attackers still obtained customer information.

    Disclosures of breaches from security companies such as Palo Alto Networks, Cloudflare, Proofpoint, Qualys and Tenable soon followed.

    Misinformation has clouded the Salesloft Drift hack, but one thing is clear: attackers gaining access to customer data from leading security providers creates far-reaching implications for trust and supply chains.

    Coca-Cola: Middle East employee data leak

    In May 2025, the Everest ransomware group attacked Coca-Cola’s operations in the Middle East. The group accessed and leaked over 1,100 HR files, including:

    • Personal identification documents
    • Salary and banking details
    • Internal org charts and account structures

    The breach affected nearly 1,000 employees across the UAE, Oman, and Bahrain. Reports indicate that Salesforce file access was part of the attack chain.

    Coca-Cola Europacific Partners: 23 million records exposed via Salesforce

    In a separate incident, the Gehenna group breached Coca-Cola Europacific Partners (CCEP) Salesforce dashboards and exfiltrated over 23 million records. This included:

    • 7.5 million account records
    • 9.5 million customer service cases
    • 6 million contact entries
    • 400,000 product records

    Soon after, the sample data was published on public breach forums. The attackers also contacted employees, signaling intent to sell or release more data unless paid.

    Why this matters, and what comes next

    Salesforce is central to how many organizations operate. It holds large volumes of sensitive customer records, sales data, intellectual property, and internal support content. Files and links flow through it every day. It’s deeply integrated with other cloud services.

    Consequently, this level of access and automation makes it highly attractive to attackers. And yet, Salesforce environments often operate without the same level of monitoring or control applied to other enterprise systems.

    When observing Salesforce attacks, we’ve seen phishing links embedded in business documents. Data exfiltrated directly from support systems. Malicious files distributed via workflow automation. Each case shows how attackers seek to exploit Salesforce’s built-in functionalities.

    A human error triggered these recent Salesforce breaches. Someone answered a call and made a click. You can’t stop every slip, but you can stop the fallout: malware detonating inside Salesforce or phishing links being passed around.

    This isn’t hypothetical. Threat actors are already targeting Salesforce directly – using impersonation, stolen credentials, and OAuth abuse to establish long-term access. The UK retail breaches show just how public and damaging these tactics have become.

    If that’s already happening, the next question is clear: what happens when even more threat actors start treating Salesforce as the new and effective entry point?

    Today it’s vishing and OAuth tokens. Tomorrow, when those doors close, where will the attackers pivot?

    An evolving risk surface

    Threat actors are shifting focus to systems where trust is built in. They don’t need to break through technical barriers when users are already opening the door, whether by approving a connected app, using single sign-on without MFA enforcement, or responding to a convincing IT support call.

    The Salesforce threat surface is expanding:

    • Users are uploading and sharing more files
    • Portals and agents interact with customers at scale
    • Connected apps have broad privileges, often without visibility
    • Credentials are being reused or phished, giving attackers direct entry into CRM environments

    In many cases, attackers who compromise a credential can quietly authenticate, pivot across cloud services, and extract data without triggering alarms. They often maintain access long after the initial breach.

    Without inspection and control, these access pathways become vulnerabilities. And the cost of exposure – operational, legal, reputational, strategic – can be difficult to contain.

    Attackers have leaned hard on psychological pressure. They’re naming victims in public, spinning up leak sites overnight, and exaggerating how sensitive the stolen data is. It’s all about forcing payment and making the next target think twice.

    Salesforce has issued a warning to customers emphasising that these incidents are not due to a platform vulnerability, but to targeted phishing and social engineering against customers. They recommend measures such as enforcing MFA, applying least privilege, restricting login IP ranges, managing Connected Apps carefully, using Salesforce Shield for event monitoring, and designating a Security Contact for incident communication.

    Identity-based attacks are the common thread

    Worth highlighting is that many of these Salesforce attacks don’t rely on technical exploits, but succeed through access. And that access often begins with compromised credentials.

    The compromise might come from a phishing link. Or from login details exposed in a third-party breach. Credentials dumped on the dark web are frequently recycled across systems, giving attackers an easy way in. As attackers increasingly exploit legitimate access methods and IT support workflows, even one reused password or stolen credential can open the door to Salesforce… and everything it connects to.

    Indeed, as Google’s case shows, even a narrowly scoped Salesforce instance with limited business data can still be targeted and exploited when attackers have a working playbook and automation to exfiltrate it at scale.

    Learn how you can protect your Salesforce environment from identity risks

    Extortion escalates: Scattered Lapsus$ Hunters launch public leak site

    In early October, a group calling itself Scattered Lapsus$ Hunters began leaking data stolen from Salesforce customer environments. The collective – claiming links to ShinyHunters and Scattered Spider – published samples from 39 global brands and even issued a ransom demand directed at Salesforce itself. The collective claimed to hold roughly one billion records and threatened to leak them publicly if payment wasn’t made. As of now, the claims have not been independently confirmed, but the group has started to leak data of several victims, including airlines.

    Salesforce stated there’s no evidence of a platform compromise, noting that these extortion attempts relate to past or unsubstantiated incidents. Salesforce continues to work with law enforcement and affected customers, encouraging all organizations to stay vigilant against phishing and social engineering.

    What started as social engineering and OAuth abuse has now turned into open extortion. The wave of breaches has also led to at least 14 lawsuits filed against Salesforce, highlighting growing tension around shared responsibility in SaaS security.

    What you can do in light of Salesforce attacks

    To be clear, you can’t prevent every phishing email. You can’t control which credentials show up on the dark web. And no help desk workflow is completely immune to social engineering.

    But you can still take control over what happens next. And as these recent Salesforce attacks underline, proactive security strategies are key.

    These practical recommendations help reduce risk across identity, access, and content:

    Audit and visibility
    Audit connected apps and user activity in Salesforce. Regularly review and revoke unused or high-privilege accesses. Monitor for suspicious login behavior, including unexpected bulk data exports, spikes in Data Loader/API calls, or new Connected App authorizations.

    Identity and access controls
    Enforce phishing-resistant MFA across all user roles and integrations. Apply least privilege principles and limit admin access. Harden IT support processes against impersonation tactics by requiring no-exceptions callbacks to a known internal number before honoring privileged requests. Include Salesforce in access governance reviews.

    Credential compromise monitoring
    Ensure you can detect credential compromise, rapidly revoke access, and restore clean Salesforce configurations and data when needed.

    Real-time content protection
    Use natively integrated threat protection to inspect files and links directly in Salesforce. Minimize human error by preventing phishing links and malware from spreading through cases, chats, and portals – not just email.

    Phishing and user awareness
    Educate users about social engineering methods, voice phishing (vishing), and fake app installs targeting Salesforce. Train staff to recognize and report malicious Connected App requests, especially those involving “connection codes” or unexpected Data Loader authorizations.

    Third-party systems and integration risk
    Review and vet all connected apps and external platforms, especially support tools, help desks, and ticketing systems. Limit “connection code” installs to admins and restrict high-risk logins to trusted IP ranges.

    Incident response preparation
    Include Salesforce in incident response and recovery plans. Prepare customer-notification and legal/PR workflows specifically for CRM data exposure cases, and pre-plan your response to potential private extortion emails.

    API and token hardening
    Limit the “API Enabled” permission to the smallest set of roles. Use High-Assurance Sessions for API/OAuth flows, and shorten session lifetimes.
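    The monitoring recommendations above (unexpected bulk exports, spikes in Data Loader/API calls, new Connected App authorizations) and the connection-code playbook described under UNC6040, as an added example that is not WithSecure’s or Salesforce’s code: a small Python detector run over a constructed event log. The column names are loosely modelled on Salesforce Event Monitoring CSV exports but are assumptions, as are the thresholds and the approved-client allowlist; only the app name “My Ticket Portal” comes from the campaign reporting above.

```python
"""Detector for the Salesforce monitoring recommendations above (added example)."""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log. The columns are loosely modelled on Salesforce Event
# Monitoring (EventLogFile) CSV exports, but this schema is an assumption, not
# a documented one. "My Ticket Portal" is the rebranded Data Loader name reported
# in the campaign; user ids, timestamps and row counts are made up.
SAMPLE_LOG = """\
TIMESTAMP,EVENT_TYPE,USER_ID,CLIENT_NAME,ROWS_PROCESSED,APP_NAME
2025-06-10T08:55:00Z,Login,005A,Salesforce Web,0,
2025-06-10T09:00:00Z,API,005A,Salesforce Web,50,
2025-06-10T09:10:00Z,API,005A,Salesforce Web,80,
2025-06-10T09:30:00Z,ConnectedAppAuthorized,005B,,0,My Ticket Portal
2025-06-10T09:31:00Z,Login,005B,My Ticket Portal,0,
2025-06-10T09:32:00Z,BulkApi,005B,My Ticket Portal,250000,
2025-06-10T09:33:00Z,API,005B,My Ticket Portal,2000,
2025-06-10T09:34:00Z,API,005B,My Ticket Portal,2000,
2025-06-10T09:35:00Z,API,005B,My Ticket Portal,2000,
2025-06-10T09:36:00Z,API,005B,My Ticket Portal,2000,
2025-06-10T09:37:00Z,API,005B,My Ticket Portal,2000,
"""

# Tuning knobs (assumed values; derive them from your own org's baseline).
APPROVED_CLIENTS = {"Salesforce Web", "Approved Integration"}  # assumed allowlist
BULK_ROWS_THRESHOLD = 10_000          # one call processing at least this many rows
SPIKE_CALLS = 5                       # more than this many API calls ...
SPIKE_WINDOW = timedelta(minutes=10)  # ... inside this sliding window


@dataclass(frozen=True)
class Alert:
    rule: str
    user_id: str
    detail: str


def parse_log(text: str) -> list[dict]:
    """Parse the CSV export into typed event dicts, oldest first."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "ts": datetime.strptime(row["TIMESTAMP"], "%Y-%m-%dT%H:%M:%SZ"),
            "type": row["EVENT_TYPE"],
            "user": row["USER_ID"],
            "client": row["CLIENT_NAME"],
            "rows": int(row["ROWS_PROCESSED"] or 0),
            "app": row["APP_NAME"],
        })
    return sorted(events, key=lambda e: e["ts"])


def detect(events: list[dict]) -> list[Alert]:
    """Apply the four checks; each (rule, user, detail) fires at most once."""
    alerts: list[Alert] = []
    seen: set[tuple[str, str, str]] = set()
    recent_calls: dict[str, list[datetime]] = defaultdict(list)
    spiked: set[str] = set()

    def fire(rule: str, user: str, detail: str) -> None:
        key = (rule, user, detail)
        if key not in seen:
            seen.add(key)
            alerts.append(Alert(rule, user, detail))

    for e in events:
        # 1. A Connected App authorization for an app not on the allowlist:
        #    the "click Allow" step of the vishing playbook.
        if e["type"] == "ConnectedAppAuthorized" and e["app"] not in APPROVED_CLIENTS:
            fire("new_connected_app", e["user"], e["app"])
        if e["type"] not in ("API", "BulkApi"):
            continue
        # 2. API traffic from a client (a Data Loader clone, etc.) not on the allowlist.
        if e["client"] not in APPROVED_CLIENTS:
            fire("unapproved_client", e["user"], e["client"])
        # 3. A single call that touches an unusually large number of rows.
        if e["rows"] >= BULK_ROWS_THRESHOLD:
            fire("bulk_export", e["user"], f"{e['rows']} rows via {e['client']}")
        # 4. Too many API calls from one user inside the sliding window.
        window = recent_calls[e["user"]]
        window.append(e["ts"])
        while e["ts"] - window[0] > SPIKE_WINDOW:
            window.pop(0)
        if len(window) > SPIKE_CALLS and e["user"] not in spiked:
            spiked.add(e["user"])
            fire("api_spike", e["user"], f"{len(window)} calls in {SPIKE_WINDOW}")
    return alerts


def run_sample() -> list[Alert]:
    """Run the detector over the constructed log; all four rules fire for user 005B."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.rule}] user={a.user_id} {a.detail}")
```

The same checks map onto real Event Monitoring or Shield exports once the column names and thresholds are replaced with your org’s own values.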

    Understand the OAuth abuse attack path

    Locks mean nothing if the door stays open

    Think of Salesforce like the front door to your business. You can have the strongest locks in the world, but if you leave the door wide open, attackers don’t need to pick anything. They just walk straight in.

    That’s what happens when malware or phishing links flow unchecked through Salesforce. You’ve locked the perimeter, trained your staff, tightened identity controls. Yet the most obvious door is still wide open.

    Real-time protection against cyber attacks targeting Salesforce

    Most security tools don’t see what’s happening inside Salesforce. That’s why we built a native layer of protection: to give you the visibility and control that would otherwise be missing in Salesforce.

    It blocks malicious files and phishing links before they land in front of users.
    It inspects content shared via email, portals, cases, and automation in real time.
    And soon, it will monitor compromised credentials being used to get into Salesforce.

    Attackers change tactics fast. Your defenses should keep up just as quickly. WithSecure Cloud Protection for Salesforce sets up in a few clicks and gives you the baseline hygiene Salesforce can’t be without. It stops breaches before they have a chance to spread and cause damage.

    Prevention is always cheaper than recovery.

    🎥 Why Salesforce is now a prime target for cyber attacks | expert interview:

    I sat down with WithSecure’s Head of Threat Intelligence, Tim West, to unpack what’s really happening behind the scenes of recent Salesforce attacks, and how security teams can stay ahead of the curve.

    Hit play to watch the full discussion.

    Breaches don’t stay in one lane

    Data flows between Salesforce and other cloud systems. Protecting Salesforce isn’t just about Salesforce.

    OAuth abuse today, zero-day malware or something else tomorrow.

    Like a wise man said, if you have several holes in your ship, you don’t just plug one – you need to fix them all. This applies to your Salesforce security, too.

    Learn more about WithSecure Cloud Protection for Salesforce
  • Dreamforce PREview: Why security is set to steal the show

    As we head into Dreamforce 2025, one thing is clear — this year, Salesforce security isn’t just another track. It’s a major story.

    Over the past year, organized cybercrime groups have successfully targeted enterprise Salesforce environments, with stolen data surfacing on the dark web. Add lawsuits from global brands like Adidas and L’Oréal, and the conversation has shifted from “someday” to right now. From my perspective, this is shaping up to be the most security-focused Dreamforce yet. And rightly so.

    Why this matters now

    Dreamforce is about connection — networking, inspiration — but you can’t just focus on the rewards. Security might not be the life of the party, but it’s what separates truly trusted companies from the rest. For me, Dreamforce is about moving from fear to readiness: understanding what’s behind the recent attacks and what must be addressed today.

    In a recent webinar, I sat down with Karmina Aquino, our Threat Intelligence Lead, to unpack the surge in Salesforce breaches. As Karmina explained:

    “A group tracked as UNC6040 posed as IT personnel and guided users into authorizing a connected app they controlled — like Data Loader. Once users clicked Allow, the attackers pulled valid OAuth tokens and exported data directly through Salesforce’s APIs.”

    These weren’t core-platform exploits. As Karmina put it:

    “The weakness wasn’t in Salesforce’s core security — it was in how the attackers tricked people into giving them the keys.”

    In other words, they didn’t break in; they logged in.

    Why Salesforce is such a valuable target

    Salesforce is far beyond CRM — it’s an operational backbone. Karmina again:

    “It’s where high-value customer and sales pipeline data live… Once attackers have valid tokens, they can export records at scale, or even use Salesforce to deliver malicious content because employees and partners inherently trust it.”

    That “trusted” status is why attackers love it — few expect a threat to come from inside their business apps.

    Shared responsibility — and the quality gap

    Salesforce has rolled out important changes (stricter approval for uninstalled connected apps; removal of the OAuth device flow used in the attacks). That’s progress — and a reminder of the shared responsibility model in SaaS. Salesforce provides controls and an ecosystem; customers decide how to apply deeper security.

    This shared-responsibility model isn’t unique to Salesforce — it’s part of a broader shift toward cloud-first security across SaaS environments, where visibility and control must extend beyond the platform itself.

    That’s where WithSecure Cloud Protection for Salesforce helps teams replicate existing zero-trust posture inside Salesforce — scanning files and URLs in real time, and adding identity signals so admins see risky users and compromised credentials early. Attackers aren’t brute-forcing; they’re using stolen credentials and approved tokens — making content scanning, identity monitoring, MFA and least-privilege essential, not optional.

    Even with those controls in place, risks can creep in through human error or over-permissioning. As we’ve recently explored, unchecked access rights and excessive privileges often become the weakest link — not because of technology gaps, but because of process and governance issues.

    WithSecure team members discussing Cloud Protection for Salesforce with visitors at Dreamforce.

    What I’ll be looking out for at Dreamforce 

    Dreamforce 2025 feels different. Security isn’t a side note this year — it’s woven through nearly every track and keynote.

    I’m particularly keen to see how Salesforce’s recently announced partnership with CrowdStrike and its new Security Agent and Security Data Fabric capabilities come to life. These moves show Salesforce taking security more seriously than ever, and I’ll be watching closely to see what that means in practice for customers and partners.

    Beyond the product launches, I’m hoping to get into a few of the security-focused sessions that explore how organizations can innovate safely with Agentforce and Data Cloud without compromising trust. It’s a balance many customers are wrestling with right now — how to move fast while staying secure — and I’m looking for real-world examples of teams getting it right.

    If you’re building your own agenda, start with the security filter in the Dreamforce session catalog. You’ll find a strong lineup across breakouts, theaters, and hands-on workshops focused on Agentforce guardrails, Data Cloud security, and admin best practices. A few I’ll be bookmarking:

    • Introducing Security Data Fabric: Unify Signals Across Silos – A look at Salesforce’s new unified security data layer for faster detection and response.
    • Trust & Security at Dreamforce – A series of sessions covering admin techniques, securing Data Cloud for trusted AI, and steps to harden Agentforce implementations.

    It’s not just about the technology for me, though. I’m just as interested in hearing from customers — how they’re improving their own Salesforce security outcomes and embedding security as a continuous quality function, not a one-off initiative.

    Security at Dreamforce isn’t a moment. It’s a movement — and I’m looking forward to seeing how the conversation evolves this year.

    Three things you can do right now

    • Audit connected apps — revoke unused or unrecognized OAuth access.
    • Enforce least-privilege — tighten user and integration scopes; add IP restrictions for integration users.
    • Make MFA non-negotiable — and monitor anomalies (new app approvals, unusual API usage, export spikes).
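
    As an added example (not code from the original post or from WithSecure), here is how the three checks in that list can be run over connected-app and API telemetry. The records are constructed to imitate Salesforce API event log rows; the field names, allowlists and per-user baselines are assumptions for this example, not Salesforce’s own schema or the product’s logic.

```python
"""Flag the anomalies named in the checklist: unrecognised connected apps,
export spikes against a per-user baseline, and integration users calling
the API from outside their permitted networks.

Field names below are an assumption for the example, not Salesforce's schema.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class ApiEvent:
    user: str
    client_app: str          # connected app that presented the OAuth token
    rows_processed: int      # records returned by this call
    source_ip: str
    timestamp: str           # ISO-8601, kept as text for the sample


# Constructed sample data imitating one day of API traffic; not real telemetry.
SAMPLE_EVENTS = [
    ApiEvent("alice", "Approved Integration", 250, "203.0.113.10", "2025-09-01T09:00:00Z"),
    ApiEvent("alice", "Approved Integration", 300, "203.0.113.10", "2025-09-01T09:30:00Z"),
    ApiEvent("bob", "Salesforce Mobile", 40, "198.51.100.7", "2025-09-01T10:00:00Z"),
    # A freshly authorised, unrecognised app pulling far more rows than this user's norm.
    ApiEvent("bob", "Dataloader-lookalike", 90000, "192.0.2.55", "2025-09-01T10:05:00Z"),
    ApiEvent("bob", "Dataloader-lookalike", 85000, "192.0.2.55", "2025-09-01T10:06:00Z"),
    # An integration user calling from outside its allowed network.
    ApiEvent("svc-erp", "Approved Integration", 500, "192.0.2.99", "2025-09-01T11:00:00Z"),
]

# Allowlists an admin would maintain (constructed for the example).
KNOWN_APPS = {"Approved Integration", "Salesforce Mobile"}
INTEGRATION_NETWORKS = {"svc-erp": [ip_network("203.0.113.0/24")]}
# Per-user daily export baseline in rows, e.g. a 30-day median from past logs.
BASELINE_ROWS = {"alice": 600, "bob": 100, "svc-erp": 2000}
SPIKE_MULTIPLIER = 10


def unknown_apps(events):
    """Connected apps presenting tokens that are not on the allowlist, per user."""
    seen = defaultdict(set)
    for e in events:
        if e.client_app not in KNOWN_APPS:
            seen[e.user].add(e.client_app)
    return {u: sorted(apps) for u, apps in seen.items()}


def export_spikes(events, baseline=BASELINE_ROWS, multiplier=SPIKE_MULTIPLIER):
    """Users whose total rows processed exceed `multiplier` x their baseline.

    A user with no recorded baseline is treated conservatively: any rows flag.
    """
    totals = defaultdict(int)
    for e in events:
        totals[e.user] += e.rows_processed
    return {u: t for u, t in totals.items() if t > multiplier * baseline.get(u, 0)}


def off_network_integration_calls(events, networks=INTEGRATION_NETWORKS):
    """API calls by pinned integration users from outside their permitted ranges."""
    hits = []
    for e in events:
        allowed = networks.get(e.user)
        if allowed is None:
            continue  # interactive user; no network pinning configured
        if not any(ip_address(e.source_ip) in net for net in allowed):
            hits.append((e.user, e.source_ip, e.timestamp))
    return hits


def triage(events):
    """Combine the three checks into one report keyed by user."""
    report = defaultdict(list)
    for user, apps in unknown_apps(events).items():
        report[user].append("unrecognised connected app(s): " + ", ".join(apps))
    for user, rows in export_spikes(events).items():
        report[user].append(
            f"export spike: {rows} rows vs baseline {BASELINE_ROWS.get(user, 'none')}")
    for user, ip, ts in off_network_integration_calls(events):
        report[user].append(f"integration call from {ip} at {ts}")
    return dict(report)


if __name__ == "__main__":
    for user, findings in triage(SAMPLE_EVENTS).items():
        print(user)
        for finding in findings:
            print("  -", finding)
```

In production the rows would come from exported event logs and the allowlists from the connected-app inventory produced by the audit in the first bullet.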

    These aren’t flashy — but they’re foundational. They make every other security control more effective.

    Looking ahead

    “For all the new tech and partnerships, one truth remains: good outcomes are built on people, process, and technology — in that order. We’ll be at Dreamforce to help teams strengthen posture across all three — from real-time file/URL protection to identity-risk insights and practical governance checks.

    If you’re looking to strengthen your own Salesforce environment, WithSecure Cloud Protection for Salesforce delivers that protection natively — without slowing productivity. Security shouldn’t block innovation; it should enable it.”

    Catch us at Dreamforce 2025

    Heading to Dreamforce? Come find us at booth #321 in the Campground for a Salesforce security conversation — and a glimpse at how we’re helping customers protect Agentforce and Data Cloud environments in real time.

    See how we help secure your Salesforce environment with a free demo

  • Salesforce security buyer’s guide: the best threat protection for your enterprise in 2025

    Salesforce security matters more than ever in 2025

    Salesforce is the backbone of digital transformation for over 150,000 organizations worldwide. In 2025, attackers are targeting it more aggressively than ever.

    As businesses embrace agentic AI, cyber threats evolve in tandem. Ransomware can infiltrate through file uploads, phishing links can hide within customer interactions, and attackers are constantly seeking novel ways to enter corporate networks. Securing Salesforce data and eliminating cyber threats within it is the responsibility of the customer. In a highly connected environment, you should not rely on protection measures outside Salesforce – such as email security – alone.

    Security and Salesforce teams alike must ask themselves in 2025: 

    • How can we secure Salesforce from malware and phishing without adding complexity and inefficiency?
    • Which security solution ensures compliance, seamless integration, and cost effectiveness?
    • What tools are compatible with our Salesforce roadmap?
    • What are the hidden risks of choosing the wrong approach?

    This buyer’s guide will help you navigate those questions by explaining why native Salesforce threat protection is now a baseline requirement, how it differs from older approaches such as CASBs and non-native integrations, and what to look for when comparing vendors.

    Why native threat protection is essential for Salesforce

    As Salesforce becomes more deeply embedded in business operations, security must evolve alongside it. Files are uploaded, URLs are clicked, and AI-driven automation accelerates processes – creating new attack surfaces. Cybercriminals take advantage of these entry points, embedding malware in file uploads, disguising phishing links in records, and exploiting integrations to launch supply chain attacks. 

    Despite its abundant security features, Salesforce does not include built-in malware scanning or phishing protection. This forces security teams to decide: should they rely on external tools that introduce complexity and integration risks, or choose a fully native solution designed to secure Salesforce from the inside? 

    A Salesforce-native security solution operates directly within the platform, without the need for external dashboards, API connections, or third-party portals. This ensures real-time scanning, seamless automation, and airtight compliance. Effectiveness comes without slowing down workflows or introducing new security gaps. And a solution that is developed in close partnership with Salesforce ensures compatibility with the platform roadmap, too.

    Unlike non-native solutions and CASBs, a truly native threat protection solution like WithSecure™ Cloud Protection for Salesforce scans files and URLs in real time, blocking ransomware, phishing, and malware at the source. Enterprises and public sector organizations need in-depth protection that easily scales with their needs without complexity, slowdown or hidden costs.

    Alternative: CASB solutions

    Common drawbacks
    Complex setup, detection delays, API integration risks, performance slowdowns, hidden infrastructure costs. 

    How WithSecure™ solves this
    Instant deployment, no external API reliance, real-time scanning, and lower operational overhead. 

    Alternative: Non-native security solutions

    Common drawbacks
    Requires external portals, API connections, and external data processing, leading to security gaps and compliance issues. 

    How WithSecure™ solves this
    100% Salesforce-native with no external dependencies, ensuring complete control and compliance. 

    Alternative: DIY internal AV tools

    Common drawbacks
    High maintenance, slow response times, no real-time protection, compliance challenges, resource-heavy development. 

    How WithSecure™ solves this
    Fully managed package requiring no maintenance, with automated updates and proactive threat blocking.

    Alternative: Open-source security tools

    Common drawbacks
    Unpatched vulnerabilities, dependency risks, lack of dedicated support, no phishing protection, no AI-based detection.

    How WithSecure™ solves this
    Certified, continuously updated solution with multi-layered security intelligence and dedicated expert support. 

    Salesforce security options compared

    CASBs for Salesforce security: benefits and major drawbacks

    Cloud Access Security Brokers (CASBs) provide cloud security by acting as intermediaries between users and cloud applications. While CASBs offer policy enforcement and visibility across multiple cloud platforms, they are not purpose-built for Salesforce security and introduce several significant drawbacks for organizations requiring real-time, advanced threat protection. CASBs often introduce a plethora of unnecessary capabilities and complexity that can bring more harm than good when aiming to sustain a streamlined and healthy Salesforce environment.

    Common issues with CASB solutions 

    • Complex deployment and management – CASBs require extensive configuration, long deployment times, and specialized expertise to maintain. 
    • Limited real-time threat protection – Most CASBs rely on batch processing instead of real-time scanning, allowing threats to go undetected for hours or even days. 
    • No real-time phishing protection – CASBs typically lack phishing protection that blocks malicious links at the moment of click. 
    • Delayed malware detection – Malware scanning is often limited to file uploads, meaning dormant threats can activate later. 
    • Performance and latency issues – CASBs sit between users and cloud services, potentially slowing down Salesforce workflows and resulting in delayed security and visibility. 
    • Data security and compliance risks – Files and URLs are often sent outside Salesforce for scanning, creating potential compliance and data exposure risks. 
    • Lack of deep Salesforce visibility – CASBs focus on securing multiple cloud applications but do not provide in-depth protection for Salesforce-specific objects. 
    • High total cost of ownership (TCO) – CASBs come with hidden costs, including licensing fees, external hosting charges, and ongoing maintenance efforts. 

    CASBs provide general cloud security but fall short in delivering real-time, Salesforce-specific threat protection. Their complexity, lack of real-time scanning, and potential compliance risks make them unsuitable for enterprises and public sector organizations that require robust Salesforce-native security. 

    Non-native third-party solutions: hidden costs and gaps

    Some vendors claim to offer Salesforce native security, but their solutions aren’t truly native – even if they provide a Salesforce app or UI integration. These solutions rely on external portals, API connections, and heavy off-platform processing, introducing security gaps, operational inefficiencies, and higher maintenance burdens. 

    Common issues with non-native Salesforce security solutions: 

    • Not truly Salesforce-native – These solutions require external portals, meaning security teams must manage threats outside Salesforce, adding complexity. 
    • API-dependent integration – Security checks rely on API connections, which can introduce latency, potential vulnerabilities, and increased attack surfaces. Many Salesforce workflows, especially the agentic AI ones, rely on fast performance. Security that slows things down adds as many problems as it solves.
    • Data leaves Salesforce – These solutions send all files and URLs to an external service, even if they are not suspicious. This increases exposure risks and raises compliance concerns. 
    • Limited real-time threat protection – Many non-native solutions scan at the time of upload or post but don’t continuously monitor for evolving threats, such as phishing links that become malicious after posting. Security capabilities are likely limited in terms of entry point coverage, too, missing protection for Agentforce and custom fields, for example.
    • Detection vs. prevention – Some solutions only detect threats, requiring manual remediation, rather than actively blocking malicious content before damage occurs. 
    • Limited investment in continuous threat research – Non-native solutions may lag behind evolving threats, particularly when it comes to how Salesforce is exploited. 
    • Manual software updates – Unlike Salesforce-native solutions that update seamlessly, these tools often require manual intervention, increasing maintenance overhead. 
    • Scalability challenges – These solutions may struggle to scale with growing organizations, requiring additional infrastructure and licensing costs as Salesforce environments expand. 
    • Higher total cost of ownership (TCO) – Hidden costs such as extra hosting fees, API costs, and additional maintenance resources make these solutions expensive over time. 
    • Uncertain product lifecycle and support – The longevity and continued investment in the product can vary. Does the vendor have a dedicated Salesforce security team, or is the product in maintenance mode with limited focus? Are new Salesforce platform capabilities like Agentforce supported with new security features?

    A fragmented, non-native approach increases security blind spots, inefficiencies, and compliance risks while demanding higher operational effort and costs. For enterprises and highly targeted organizations, a fully Salesforce-native solution ensures stronger protection, real-time security, and a lower long-term cost of ownership.

    DIY Salesforce antivirus tools: why internal builds fail

    Some organizations consider building their own malware scanning solution for Salesforce, believing it to be a cost-effective and customizable approach. However, developing and maintaining an internal AV tool comes with significant resource, security, and compliance challenges—often making it an inefficient and risky choice. 

    Common issues with internal solutions 

    • Time-consuming deployment – Building a security tool from scratch is a long and complex process, leaving Salesforce unprotected for months or longer. 
    • High development and maintenance costs – Maintaining network security, cloud stability, and scanning engine connections requires ongoing investment in infrastructure and skilled personnel. 
    • Not real-time protection – Many DIY solutions rely on scheduled or reactive scanning, failing to block threats at the moment of upload, download, or click. 
    • Manual threat response required – Unlike automated security solutions, internal tools often require manual review and removal of threats, increasing response times and risk. Especially in case of rapidly moving Agentforce and AI use cases, speed is key in defence.
    • Compliance risks – Ensuring certifications like ISO 27001, SOC 2 Type 2, GDPR, and ISAE 3000 is complex and time-intensive, making DIY solutions a liability for regulated industries. 
    • Limited threat intelligence – Internal solutions lack access to global, real-time threat intelligence, making them ineffective against zero-day threats, advanced phishing techniques, and evolving malware tactics. 
    • No dedicated support – If the tool fails or is compromised, organizations are left to troubleshoot and mitigate issues without external security expertise. 
    • Scalability challenges – As Salesforce environments grow, internal solutions may struggle with multi-org protection, integrations with SOC/SIEM tools, and expanding security requirements. 
    • Hidden total cost of ownership (TCO) – Hosting, maintenance, compliance, and security updates require constant resources, making long-term costs unpredictable and often higher than expected. 

    Why DIY security is a risky bet

    While internal tools may seem like a flexible solution, they introduce security blind spots, operational inefficiencies, and compliance risks. Security for Salesforce requires continuous updates, real-time protection, and expert management—something few organizations can maintain internally.

    Open-source Salesforce security: high risk, high maintenance

    Some organizations consider using open-source security solutions for Salesforce to reduce costs and gain customization flexibility. However, open-source tools present significant security, compliance, and operational challenges, which makes them an impractical choice for enterprise-level protection. 

    Common issues with Open Source solutions 

    • Security vulnerabilities – Open-source tools often contain unpatched vulnerabilities, and publicly disclosed security flaws can be exploited if updates aren’t applied promptly. 
    • Lack of active maintenance – Many open-source projects are developed by volunteers, leading to slow patching cycles, outdated software, and a lack of long-term support. 
    • Dependency management risks – Open-source projects rely on multiple third-party libraries, making it difficult to track vulnerabilities in dependencies and apply necessary updates. 
    • Susceptibility to supply chain attacks – Threat actors can compromise popular open-source libraries, injecting malicious code that spreads across all dependent projects. 
    • No security oversight by Salesforce – Open-source security solutions aren’t reviewed or optimized for Salesforce, meaning potential gaps in protection and poor compatibility with native features. 
    • Limited detection capabilities – Most open-source AV scanners rely on signature-based detection, lacking advanced behavioral analysis, AI-driven threat detection, or sandboxing for sophisticated malware. 
    • No real-time phishing protection – Open-source tools often lack URL scanning and analysis, leaving organizations exposed to phishing attacks targeting Salesforce users. 
    • Manual updates and maintenance required – Security definitions, software patches, and configurations must be updated manually, increasing the risk of outdated protection. 
    • Infrastructure and performance burden – Open-source scanners typically require external servers, adding complexity, performance bottlenecks, and extra security risks. 
    • No automated threat response – Unlike commercial solutions, open-source tools often only detect threats, requiring manual intervention to remove malicious files or block harmful URLs. 
    • No dedicated support – Without a vendor-backed support team, organizations must rely on community forums and open-source documentation for troubleshooting, which can delay issue resolution. 
    • Compliance risks – Open-source solutions typically lack certifications like SOC 2 Type 2, ISO 27001, GDPR, and ISAE 3000, making them unsuitable for enterprises with strict regulatory requirements. 

    While open-source solutions may seem attractive for their low upfront costs, they come with hidden risks, resource-heavy maintenance, and major security gaps.  

    Open-source security is a patchwork solution that leads to constant firefighting, and likely covers the most basic security use cases at best. 

    Relying on email security alone: a critical Salesforce blind spot

    Enterprises by and large have strong email security defenses, but unfortunately cybercriminals have adapted to these. As email security has improved, attackers have shifted their focus to other vulnerable entry points. Salesforce is one and has often been overlooked in security strategies. Relying on email security alone to protect Salesforce leaves organizations exposed to evolving cyber threats. 

    Common issues with relying on email security for Salesforce 

    • Phishing is no longer just an email problem – 26% of cyberattacks now exploit public-facing applications like Salesforce, according to IBM, meaning phishing attempts now bypass traditional email defenses entirely. 
    • Salesforce lacks built-in anti-phishing and anti-malware protection – Unlike email, Salesforce does not have default security features to detect malicious files or links. Email security simply does not reach the platform once the threat enters it – and this can happen outside email, for example through Agentforce use cases and omni-channel support flows.
    • Users trust Salesforce more than email – Employees have been trained to spot phishing emails but may not expect the same threats inside Salesforce, making them more likely to fall for social engineering attacks. 
    • Malware and phishing links spread within Salesforce – A file uploaded to a Salesforce record is out of an email security solution’s reach. It can be shared across teams, spreading malware internally before detection. Phishing links embedded in Salesforce records can sit undetected, becoming malicious later.
    • API and integration risks – Salesforce connects with email, document-sharing platforms, and ERP systems, creating a broad attack surface that email security alone cannot protect. 

    While email security is critical, it does not protect Salesforce against modern threats. A multi-layered approach is necessary – one that includes real-time threat detection within Salesforce to block malware and phishing attempts before they reach users.

    Note: Relying on your last line of defense, such as an endpoint security solution, alone is also highly risky and insufficient.

    WithSecure Cloud Protection for Salesforce: a native security solution 

    A Salesforce-Native Security Solution for enterprises and public sector organizations 

    WithSecure Cloud Protection for Salesforce is a 100% native security app, purpose-built to protect Salesforce environments against malware, ransomware, phishing, and evolving cyber threats. Unlike CASBs, open-source tools, DIY internal solutions, or non-native third-party security platforms, WithSecure™ provides real-time, automated protection with seamless Salesforce integration—without security gaps, performance slowdowns, or hidden costs. 

    Advantages of WithSecure – purpose-built for Salesforce security: 

    • Seamless native integration – Fully embedded within Salesforce, requiring no external dashboards, API-dependent scanning, or third-party hosting. Evolves in step with the platform, and offers trailblazing security capabilities for new use cases like Agentforce.
    • True real-time protection – Instantly scans every file and URL before threats reach users. Prevents access to malicious files and phishing sites at the moment of click, blocking dormant threats before they become active. 
    • Advanced multi-engine anti-malware – Stops both commodity malware and sophisticated targeted threats using layered detection techniques. 
    • Sandboxing threat analysis for zero-day attacks – Detects emerging threats with behavioral analysis, not just signature-based scanning. 
    • Real-time security visibility – In the event of a security incident, knowing exactly what files have been found malicious, all the locations for them, and which users are affected enables you to respond faster and more effectively, eventually minimizing damages. 
    • Optimized for speed – Runs directly inside Salesforce with minimal latency, and no impact on workflows and user experience. 
    • Fully automated – automated threat detection and response, and automated software updates. 
    • Scalable for enterprise & public sector use – Protects multiple Salesforce orgs with centralized security controls, and global data residency options. 
    • Compliance-ready security – ISO 27001 & ISAE 3000 (SOC 2 Type 2) certified, meeting regulatory demands for governments, financial services, healthcare, and critical industries. 
    • Lower total cost of ownership (TCO) – Eliminates the hidden expenses of CASBs and non-native solutions – no extra hosting fees, no API charges, and no additional infrastructure needed. 
    • Enterprise-grade support & dedicated security experts – Access to 24/7 technical support, a dedicated Customer Success Manager, and a strategic Salesforce security partnership. 

    How to choose the right Salesforce security solution

    Key questions security leaders must ask in 2025:

    • Who is the solution built for? Does it align with the security needs of large enterprises, government agencies, and highly targeted industries that demand advanced threat protection, compliance, and a trusted security partner? Or is it designed for smaller companies with only basic cybersecurity requirements? 
    • Is the solution truly Salesforce-native? Does it fully operate within Salesforce, or does it require an external portal and API integrations, increasing complexity and potential vulnerabilities? 
    • Does it provide real-time scanning? Can it detect and block threats instantly – or does it rely on scheduled or manual scans that leave security gaps? 
    • Does it provide real-time visibility? Does the solution offer a real-time view into what is happening in the Salesforce environment? Does it offer an efficient way to filter out threats and security events?
    • How is data handled? Is all data processed within Salesforce, ensuring compliance and minimal exposure, or is it sent externally for analysis, increasing risk? 
    • Does it meet compliance needs? Does the vendor hold and maintain SOC 2 Type 2, ISO 27001, and GDPR certifications—critical for regulated industries? 
    • What level of support is provided? Is there 24/7 expert support for critical issues, or only basic ticketing with long response times? 
    • Does the solution evolve in parallel with the Salesforce platform? Does the solution adapt to new platform capabilities like Agentforce? Or is it left behind, introducing security loopholes or hindering the roadmap?
    • What expertise does the vendor have? Does the company have deep in-house cybersecurity knowledge and a proven track record in guiding customers through Salesforce security challenges? If a serious threat emerges, can they provide swift, expert remediation? 
    • What is the overall service reliability? Does the vendor provide consistent, high-quality service, or is their offering fragmented and dependent on third-party providers? 
    • How much automation does it offer? Is the solution seamless and fully automated, or does it require manual updates and maintenance? 
    • What is the total cost of ownership (TCO)? Are there hidden costs, such as API usage fees, external hosting, or additional infrastructure requirements? 

    Choosing the right security solution for Salesforce depends on the size, security maturity, and risk profile of your organization. Large enterprises, public sector entities, and highly targeted industries require a robust, reliable, and fully integrated security solution. They need a solution that is backed by a vendor with deep expertise and a commitment to long-term security and compliance.

    Key takeaways: choosing Salesforce threat protection in 2025

    • Go native: only in-platform protection delivers real-time scanning for files and links without exporting data.
    • Plan for Agentforce: AI-driven workflows create new risks that non-native tools and CASBs can’t fully cover.
    • Check compliance: look for ISAE 3000 Type 2, SOC 2 Type 2, ISO 27001, and strong data residency controls.
    • Think beyond features: evaluate latency, hidden costs, and integration effort across your Salesforce roadmap.
    • Prioritize resilience: the right choice simplifies Salesforce security while reducing enterprise risk.

    Build a secure, resilient Salesforce environment

    Salesforce is too critical – and too heavily targeted in 2025 – to rely on security tools built for other platforms. Email gateways, endpoint defenses, and even CASBs leave blind spots that attackers can exploit through file uploads, phishing links, and now autonomous Agentforce workflows.

    The right answer is native Salesforce threat protection: real-time scanning inside the platform, seamless integration with your org, and proven compliance with standards like SOC 2 Type 2 and ISO 27001. Choosing wisely doesn’t just reduce risk — it makes security simpler, ensuring Salesforce continues to be both your most powerful business platform and your most resilient.

    If you’re responsible for Salesforce security, the right choice is one that scales with your business, secures your data, and stays ahead of threats before they become breaches. WithSecure™ provides the expertise, technology, and committed support you need to safeguard your Salesforce environment as it scales and evolves. 

    Ready to secure Salesforce against malware, ransomware, phishing, and AI-driven threats?

    WithSecure™ Cloud Protection for Salesforce: the #1 Salesforce-native security solution trusted by enterprises and public sector worldwide.

    Learn more about the product
  • Agentforce security: AI agents in Salesforce are fast. Cyber threats are faster.

    New attack surface, new urgency

    Agentforce security – the new security aspect to consider in 2025.

    Agentforce is changing how you work and how attackers get in. New agentic AI use cases create a new attack surface to consider in your security strategy.

    AI agents now handle sales, service, and support autonomously, rapidly processing vast amounts of data. But while your operations scale at agentic speed, your attack surface does too.

    There’s no built-in scanning for files or links. No phishing awareness in agents. No default safety net.

    Malicious content moves at machine speed. That means threats like malware or credential phishing can flow through Agentforce workflows instantly: uploaded by a user, retrieved by an agent, delivered to your team or customers.

    And attackers have noticed. Recent campaigns by groups like UNC3944 show how SaaS platforms like Salesforce are now primary targets for phishing, identity compromise, and lateral movement. As attackers shift toward SaaS platforms like Salesforce, this new AI-driven workflow introduces real risk.

    Unless your security keeps pace, Agentforce could automate risk as fast as it automates work.

    Securing Agentforce data is your responsibility

    Agentforce accelerates business. But it also accelerates risk. In fact, 79% of security leaders believe AI-driven threats will soon outpace traditional defenses, as reported by Salesforce.

    AI agents process files and URLs from portals, forms, and integrations like Slack or WhatsApp, without human review or built-in threat scanning.

    That means your security perimeter now includes:

    • Phishing links: Instantly shared by agents, leading to credential theft or account compromise.
    • Malicious files: Uploaded by customers or partners, containing ransomware or other threats.
    • Human-agent interactions: Agents hand off data to employees, spreading threats across teams.
    • Collaboration tools: Shared files and links extend risk beyond Salesforce to every connected tool.

    Salesforce doesn’t scan this content by default. And agents don’t know how to spot threats.

    According to the Shared Responsibility Model, it’s up to you, the cloud customer, to secure the data flowing in and out of your Salesforce environment. Whether it’s touched by a human or an agent, protecting that data is your responsibility – including how it’s configured, accessed, and what’s allowed to pass through.

    What an Agentforce attack scenario looks like

    Without real-time scanning, threats can move faster than your defenses.

    Imagine this:

    1. A customer uploads a file through your portal. It looks like a PDF, but it’s hiding malware.
    2. An AI agent retrieves the file to process a support request or sales inquiry.
    3. The agent sends it to an employee or forwards it to another tool like Slack or email.
    4. The file is opened and malware executes. It’s already inside your environment.
    5. From there, it spreads laterally, compromising accounts, data, and connected systems.

    No human saw the file. No one clicked a phishing link. But the threat still made it in.

    This is how agentic speed becomes attacker speed, unless you scan every file, URL, and agent action in real time.

    How to secure Agentforce workflows

    Agentforce makes decisions in seconds. Your security needs to move even faster.

    WithSecure™ Cloud Protection for Agentforce is built to protect both autonomous AI and human workflows in real time. It operates right inside the Salesforce platform. No delays, no friction, no missed threats.

    • Real-time protection at agent speed
      Files and URLs are scanned instantly at upload, download, click, or agent retrieval, before they can cause harm. Our detection completes faster than most AI agents can act.
    • 100% Salesforce-native integration
      No external processing. No added complexity. No hidden vulnerabilities. Just seamless, frictionless, certified protection inside the platform.
    • Secures every interaction
      From customer uploads and portal forms to omni-channel support workflows — threats are intercepted wherever they enter.
    • Built for uptime and trust
      Protects workflows without disrupting AI autonomy, ensuring agent efficiency and security go hand in hand.

    Preparing for scale

    Agentforce adoption is only accelerating. As your teams deploy AI across more workflows and process more unstructured data, the security stakes grow just as fast.

    More files. More links. More risk – unless your protection can keep pace.

    WithSecure™ Cloud Protection helps you stay ahead of these changes. Our native solution scales with your AI transformation, giving you:

    • Consistent protection across all agent and human touchpoints
    • Real-time coverage that scales as fast as your workflows do
    • Confidence to expand, knowing your security keeps up with your AI transformation

    Agentforce will help you move faster. We make sure you move securely.

    Still have questions?

    At WithSecure™, we’re committed to helping you make the most of Salesforce and Agentforce while fulfilling your security responsibilities. Together, we can ensure your agent-powered digital transformation is secure, seamless, and future-ready. If you’d like to learn more about how we can help safeguard your workflows, let’s connect.

    Doesn’t Salesforce protect against these threats already?

    Salesforce doesn’t scan links or files shared in Agentforce workflows unless you implement an additional security layer. It’s your responsibility to protect the data flowing through your AI workflows and automations.

    We already have endpoint/email protection. Isn’t that enough?

    Files and links can bypass traditional tools completely. If your AI agent clicks a phishing link or opens a malicious file inside Salesforce, your other tools may never see it. Only a native solution scans content where the agent acts, and at the point of entry.

    How does this integrate with our setup?

    WithSecure™ Cloud Protection is 100% Salesforce-native. It integrates seamlessly with your environment – no external routing, no added complexity, and no impact on agentic performance. The Agentforce extension comes with the main managed package at no additional cost. There are no separate management portals or interfaces, and no extra charge.

    What makes this better than other security tools?

    Only WithSecure scans inside Salesforce in real time — at the point of agent action. Competitors scan externally, after the fact, or not at all. That’s why real-time + native + agent-aware protection is unmatched.

    Is this compliant and auditable?

    Yes. You get full audit-ready logs, policy history, and certified trust (ISAE 3000 Type 2 / SOC 2 Type 2, ISO 27001). Every scan and decision is traceable, even the seemingly invisible agent actions.

    Secure your agent workflows — in real time, with zero friction

    WithSecure™ Cloud Protection protects what Agentforce accelerates. Real-time file and link scanning. 100% native. No added cost. No added complexity.
