
Cloud Protection for Salesforce by WithSecure™
  • Phishing training is essential but it’s only one part of the equation

    Phishing awareness training has come a long way – and most in security agree it’s critical. But here’s the tough question:

    Does your phishing training reflect today’s reality, or just inboxes?

    Let’s face it: security training has made users more alert to suspicious emails. That’s a win. But attackers aren’t staying in email anymore. Phishing has become an innovation engine driven by AI, deception layers, and delivery tricks like QR codes, callback scams, and embedded threats inside trusted files.

    Attackers are moving into platforms like Salesforce – where the signals are different, and the built-in defenses are limited.

    That’s where things break down.

    Even well-trained users make mistakes — especially outside email

    In Salesforce, phishing links can hide in shared files, QR codes, or support portal messages – even agentic AI / Agentforce workflows. Users encounter them in places they don’t expect – and on devices like mobile phones that often sit outside security controls.

    And attackers know how to make these threats look harmless. Phishing links can be buried in mundane PDFs – making them harder to catch at a glance. For users, these files look routine. For attackers, they’re a perfect delivery vehicle.

    Add to that the daily pressure most users face: all the jumping between workflows, responding to customers, making decisions fast. Distraction, hurry, and multitasking aren’t rare exceptions. They’re the norm. And even well-trained users slip.

    Don’t blame users. Protect them.

    When a user clicks a phishing link in Salesforce, it’s easy to look for human error. But the better question is: Could we have prevented it?

    The truth is, phishing training alone was never meant to carry the entire burden. We don’t expect users to be malware analysts. Why expect them to be phishing detectives?

    Instead of pointing fingers, we need to back our people up with technology that catches what they can’t. That’s where solutions like WithSecure Cloud Protection for Salesforce step in. It scans files, links, and QR codes at the point of upload or interaction, stopping threats before users can act on them. Prevention is always cheaper than remediation.

    New threats demand new defenses

    Attackers are evolving fast – and they’re lowering the bar to entry. Today, we’re seeing:

    • AI-powered phishing campaigns with polished, branded content and natural-sounding language
    • Phishing-as-a-Service kits that provide complete end-to-end attack infrastructure – from email templates and fake login pages to real-time credential harvesting

    These campaigns don’t need a genius behind them. They’re scalable, convincing, and effective. And platforms like Salesforce – which blend collaboration, automation, and trust – are attractive targets.

    The Salesforce platform is already being exploited. Many enterprises have seen phishing, malware, or social engineering threats move through Salesforce channels. This is acknowledged by Salesforce.

    Even MFA has its limits. Attackers have found plenty of ways around it. Not all MFA is phishing-resistant, and not all implementations hold up. It’s just another reminder: layered defenses need to meet users where they work.

    Phishing is an industry and evolving fast

    Phishing is getting easier to launch and harder to detect.

    With AI-written lures, fake branding, and phishing kits sold as-a-service, even low-skill attackers can launch convincing, targeted campaigns in minutes.
    And now, it’s moving into business-critical platforms like Salesforce, where trust and the element of surprise make users even more vulnerable.

    Agentic AI use cases amplify the risks, with the potential for the threats to spread at machine speed.

    Phishing isn’t staying in the inbox. As AI-driven use cases like Agentforce reshape how users interact in Salesforce, attackers are finding new ways in. They’re embedding malicious links inside trusted workflows like support chats, where even well-trained users can be caught off guard.
    Learn more about phishing threats in Agentforce workflows

    Why traditional tools don’t cut it

    Endpoint protection (EPP) is essential. But it’s not enough.

    Salesforce is a cloud-first platform. Files and links often enter via chats, emails, forms, APIs, community portals, or direct user uploads without ever touching a protected device. And Salesforce doesn’t natively scan content for threats.

    If you rely solely on EPP, here’s what you miss:

    • No inspection at upload: Files and links sit in Salesforce records and attachments, looking harmless
    • No scanning in real time: Threats go live the moment someone clicks, shares, or automates with them
    • No visibility: You won’t know what’s spreading inside your environment until damage is done

    You wouldn’t trust EPP to secure your email – why treat Salesforce any differently?
    Just like we protect inboxes with specialized email security, we need to extend that same layered defense to Salesforce.

    Find out why endpoint security is not enough for securing attacks targeting Salesforce

    Protecting users (and your reputation) pays off

    Security shouldn’t just catch mistakes. It should create a buffer between human behavior and business risk.

    WithSecure Cloud Protection for Salesforce is that buffer – detecting threats like phishing links, malware files, and malicious QR codes the moment they enter your environment. It integrates natively with Salesforce, so your users stay protected without changing how they work.

    It’s a way to maximize your existing security investments without adding more complexity. And it helps stop threats before they spread to customers, partners, or AI workflows.

    The smart move — for your business and your career

    When someone takes the initiative to strengthen Salesforce security, that sends a clear message – to attackers, to leadership, and to your peers.

    That’s proactive security.

    It’s not just smart for the business. It signals maturity and foresight in your role. Whether you’re in security, on the Salesforce or CRM team, in IT, or in ops, being the one to champion protections where they’re needed most is leadership. And it doesn’t go unnoticed.

    What to do next

    • Continue phishing training. It matters.
    • But don’t rely on training alone, as human error will always exist.
    • Add phishing protection where it’s missing: inside Salesforce.
    • Treat Salesforce like a cloud-based endpoint. Secure it the way you would email.
    • Encourage proactive security culture, and avoid blame culture.

    Let your users focus on work instead of sweating about every threat.

    Protect your Salesforce users where training can’t.
    Extend your protection beyond email with WithSecure Cloud Protection for Salesforce – real-time scanning for links, files, QR codes and identity risks inside your trusted workflows.

    See how WithSecure Cloud Protection for Salesforce helps you protect your users

  • Salesforce threat protection in action

    Salesforce threat protection is no longer optional as attackers pivot to business workflows. In 2025, Salesforce has become one of the most targeted enterprise platforms. Nearly forty major companies, from Google to global insurers, have been listed on leak sites tied to breaches in their Salesforce environments. The business value and sensitive data it holds make Salesforce an exceptionally attractive target.

    How WithSecure Cloud Protection secures your Salesforce environment in real-time

    Traditional security tools stop where Salesforce begins.
    Email filters scan inboxes.
    Endpoint agents guard devices.
    But Salesforce, where customer data, workflows, AI agents and automation meet, often sits outside that protection.

    Salesforce is your operational headquarters, like a high-value command center where teams, partners, and AI agents move data in and out. Most security tools guard the perimeter far away from this center, not the place where operations happen.

    Attackers know this. They move through trusted users, shared files, and automated processes that traditional security never sees.

    WithSecure Cloud Protection for Salesforce brings enterprise-grade threat detection inside the platform. It scans files, URLs, QR codes, and identities in real time, stopping threats before they spread and making risks visible through unified analytics.

    The native app secures Salesforce from the inside out instead of just guarding the surroundings.

    The shared responsibility gap

    Salesforce provides the energy grid: think of it as a stable power source that keeps the mission running. But it is every organization’s job to protect what is powered by it: the systems, people, and processes that rely on that energy. This is the essence of the shared responsibility model.

    Protecting what your users upload, click, or automate inside that environment is your responsibility. Salesforce secures the cloud platform infrastructure; organizations must secure the activity and data within it. That’s where traditional “outside-in” tools have little to no reach.

    Here’s what Salesforce security risks look like in practice

    Attackers don’t necessarily smash windows, doors, and walls. They blend into routine traffic, tailgate through side doors, abuse trusted connections, or use borrowed keycards. Here’s how those break-ins happen inside Salesforce:

    • A malicious attachment arrives through email-to-case and is uploaded into Salesforce without being scanned. When processed, an infostealer quietly harvests stored credentials and session cookies. The attacker uses those tokens to pivot, access reports and integrations, and quietly exfiltrate customer data over weeks before detection.
    • A contractor account falls outside corporate IAM. Its password, reused on another service, appears in a third-party data breach. Attackers log in through Salesforce’s legitimate interface and start extracting customer data via reports and connected apps.
    • A malicious URL or QR code is posted through a chat and stored inside a case. It leads to a convincing fake login page; a user or agent follows the link and submits credentials. Those credentials are then used to access business processes and export customer data and trade secrets, which leads to extortion and loss of customer trust.

    When risks unfold inside Salesforce, they are difficult to detect with external tools

    These risk scenarios show how mundane workflows, like email-to-case, become attack vectors when attachments are weaponized and processed inside Salesforce without being inspected there. WithSecure Cloud Protection for Salesforce closes that gap with real-time, native protection where those actions happen.

    When a breach occurs inside Salesforce, visibility dictates recovery time. Without in-platform detection and telemetry, organizations can spend weeks tracing infected records, workflows, and automations. WithSecure Cloud Protection reduces that window to hours, preventing prolonged downtime and preserving compliance readiness. In regulated sectors, this level of audit-ready visibility can be the difference between a contained incident and a weeks-long investigation.

    Flowchart: Email-to-case (incoming attachment) → Weaponized PDF → Processed in Salesforce → Credentials and tokens harvested → Customer data exfiltrated.

    Figure 1: Email-to-case is a common entry point: weaponized attachments arrive as routine tickets, get processed in Salesforce, and can lead to operational disruption or data exfiltration without in-platform inspection.

    Find out why endpoint security is not enough to mitigate content-borne threats

    File protection — next-generation analysis inside Salesforce

    Files are one of the most common delivery routes for threats. According to Verizon, ransomware is present in 44% of all breaches and it’s been on the rise recently. In Salesforce, file-based threats enter through forms, email-to-case, chats, user uploads or APIs, and often bypass traditional controls.

    File Protection in WithSecure Cloud Protection for Salesforce scans every file in Salesforce at upload, download, on-demand, and in scheduled mass sweeps. It blocks malware, ransomware, and hidden cyber threats before they reach your users.

    Every file is checked before it can do harm

    If malware is a routine-looking harmful parcel that the threat actors aim to slip into the building, File Protection is the building’s baggage scanner that ensures every parcel that comes through the lobby is x-rayed before anyone can open it.

    File Protection brings layered analysis directly into Salesforce:

    1. Multi-engine malware detection checks every upload and download using AV-TEST–certified engines.
    2. AI and heuristic analysis identifies suspicious or ransomware-like behavior missed by signatures.
    3. Cloud sandboxing safely executes doubtful files to reveal zero-day and evasive threats.
    4. Global threat intelligence enhances detection using telemetry from millions of daily analyses in the WithSecure™ Security Cloud.

    Each file is fingerprinted, compared against known verdicts, and analyzed in the sandbox when needed. Only anonymized samples are processed by the threat analysis service.

    Figure 2: End-user messages can be customized; here is an example “harmful content blocked” notification.

    Figure 3: The app replaces the removed malicious file with a text file so users can’t access it.

    Extra layers for evasive content

    • Detects hidden malicious URLs and QR codes inside files.
    • Identifies spoofed extensions (for example, “.jpg.exe”).
    • Blocks password-protected archives and risky file types such as executables and scripts.
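    The checks listed above can be reproduced in a few dozen lines. The following Python is an added example written for this page; it is not WithSecure’s detection engine or any part of the product, and the verdict cache, magic-byte table and all sample files are constructed inline. It fingerprints a file with SHA-256, consults a (constructed) known-verdict cache, flags double extensions such as .jpg.exe, compares the declared extension with the content’s magic bytes, walks ZIP local file headers to find password-protected entries (general-purpose flag bit 0), and pulls embedded URLs out of a PDF so they can be handed on to URL scanning.

```python
import hashlib
import io
import re
import struct
import zipfile

# --- Constructed sample files (not real malware) ---
PDF_WITH_LINK = (b"%PDF-1.4\n1 0 obj\n<< /Type /Action /S /URI "
                 b"/URI (https://login-salesforce-verify.example/auth) >>\nendobj\n%%EOF\n")
EXE_SAMPLE = b"MZ\x90\x00" + b"\x00" * 60          # DOS/PE header stub, no real code
JPG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 16     # JPEG/JFIF header


def make_encrypted_zip() -> bytes:
    """Build a ZIP whose only entry is marked encrypted. zipfile cannot write
    encrypted entries, so write a stored entry and set flag bit 0 afterwards."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("payload.txt", "placeholder")
    data = bytearray(buf.getvalue())
    local = data.find(b"PK\x03\x04")
    data[local + 6] |= 0x01                         # general-purpose bit 0 = encrypted
    return bytes(data)


ENCRYPTED_ZIP = make_encrypted_zip()

# Constructed stand-in for a known-verdict cache (a product would query threat intel here).
KNOWN_VERDICTS = {hashlib.sha256(EXE_SAMPLE).hexdigest(): "malicious"}

MAGIC = {b"%PDF-": "pdf", b"MZ": "exe", b"PK\x03\x04": "zip",
         b"\xff\xd8\xff": "jpg", b"\x89PNG": "png"}
RISKY_EXTENSIONS = {"exe", "dll", "scr", "js", "vbs", "ps1", "bat", "cmd", "hta", "lnk"}
URL_RE = re.compile(rb"""https?://[^\s<>()'"]+""")


def sniff_type(data: bytes):
    """Identify the real content type from leading magic bytes."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def zip_has_encrypted_entry(data: bytes) -> bool:
    """Walk ZIP local file headers; bit 0 of the general-purpose flag marks encryption."""
    pos = 0
    while (pos := data.find(b"PK\x03\x04", pos)) != -1:
        (flags,) = struct.unpack_from("<H", data, pos + 6)
        if flags & 0x01:
            return True
        pos += 4
    return False


def triage(filename: str, data: bytes) -> dict:
    """Return a verdict and the findings that drove it."""
    digest = hashlib.sha256(data).hexdigest()
    findings = []
    if digest in KNOWN_VERDICTS:
        findings.append(f"known verdict: {KNOWN_VERDICTS[digest]}")
    exts = filename.lower().split(".")[1:]
    claimed = {"jpeg": "jpg"}.get(exts[-1], exts[-1]) if exts else ""
    if len(exts) >= 2 and claimed in RISKY_EXTENSIONS:
        findings.append(f"spoofed extension: .{'.'.join(exts)}")
    elif claimed in RISKY_EXTENSIONS:
        findings.append(f"risky file type: .{claimed}")
    actual = sniff_type(data)
    if actual and claimed and actual != claimed:
        findings.append(f"content is {actual} but name says .{claimed}")
    if actual == "zip" and zip_has_encrypted_entry(data):
        findings.append("password-protected archive")
    if actual == "pdf":
        for url in sorted(set(URL_RE.findall(data))):
            findings.append(f"embedded url: {url.decode(errors='replace')}")
    return {"sha256": digest, "verdict": "block" if findings else "allow", "findings": findings}


if __name__ == "__main__":
    for name, blob in [("photo.jpg", JPG_SAMPLE), ("invoice.pdf", EXE_SAMPLE),
                       ("photo.jpg.exe", EXE_SAMPLE), ("docs.zip", ENCRYPTED_ZIP),
                       ("quote.pdf", PDF_WITH_LINK)]:
        r = triage(name, blob)
        print(f"{name:14} {r['verdict']:5} {r['findings']}")
```

    The magic-byte check is what catches the renamed executable that a name-only filter would pass; the ZIP header walk works even when the archive is corrupt enough that a full ZIP parser refuses it. A real deployment would hand the extracted URLs to the same redirect-chain analysis used for links posted directly.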

    For a complete breakdown of detection layers, platform coverage, and policy configuration options, visit the full feature list.

    See a list of all the features and sub-features

    Proven real-time protection

    Malicious files are intercepted at upload or download, before they reach users or automations.
    All detections are stored for 24 months, including hash, verdict, and timestamp. This creates an auditable record trail of every event.

    WithSecure’s detection engine, also powering the company’s enterprise endpoint products, earned AV-TEST’s Best Protection Award 2024 after a full year of flawless detection results across more than 90,000 malware samples.
    That same engine protects files in Salesforce environments, providing independently verified detection accuracy against both known and emerging threats.


    Figure 4: File Protection admin view showing scanning and policy controls.

    Granular control where it counts – practical examples

    Every organization handles files differently. WithSecure Cloud Protection for Salesforce lets admins tailor policies down to object level — defining what gets scanned, when, and how.

    From the File Protection settings, you can:

    • Decide whether to scan uploads, downloads, or both.
    • Set different rules for Salesforce Files, Attachments, and Content Libraries.
    • Customize actions for detections (block, remove, or quarantine).
    • Manage exclusions for trusted workflows, test environments, or file types.

    These granular controls make WithSecure Cloud Protection for Salesforce adaptable to diverse security and performance requirements from highly regulated environments to fast-moving teams.

    Best practice: Enable scanning for both Salesforce Files and Attachments, activate Advanced Threat Analysis, and apply stricter policies for archives and Office files.

    This is thorough protection applied where files actually live — inside Salesforce.


    Figure 5: File Protection settings view showing customizable scanning and policy options.

    Find out more about File Protection for Salesforce

    URL and QR protection — stopping phishing in its new form

    Phishing doesn’t end in the inbox. Links and QR codes now move through Salesforce records, case comments, and shared documents — unseen by external tools.

    Phishing links are like forged orders that seem legitimate, but trick users into acting for the benefit of the threat actors.

    URL Protection in WithSecure Cloud Protection for Salesforce scans embedded links for threats in real time.

    Stop phishing attacks that hide in Salesforce

    URL Protection inspects links at post and at click, across standard and custom fields and objects.
    It decodes shortlinks, analyzes redirect chains, classifies domains, and scans QR codes embedded in files.

    Advanced threat analysis and global threat intelligence detect newly registered or obfuscated domains before they become active threats. Even multi-layered tactics like malicious short links behind QR codes are detected. 

    Time-delayed or redirected phishing links are stopped inside Salesforce, before users or agents can act on them.

    Users see a clear “phishing blocked” message; admins see who posted or clicked and where.


    Figure 6: URL events overview for the list of fresh URL detections


    Figure 7: Detailed view showing blocked phishing link.

    Learn more about stopping phishing attacks with URL Protection

    Content filtering — keeping Salesforce professional

    Not every link is malicious; some simply don’t belong in your Salesforce space.

    Content filtering is the office policy board, protecting the integrity of the environment. It keeps the hallways clear of scams and inappropriate material, maintaining a professional and comfortable environment for everyone who walks in.

    Keep Salesforce clean, compliant, and on-brand

    Content Filtering prevents inappropriate or policy-violating material, like gambling, scams, or illegal content, from entering Salesforce environments and communities.

    Powered by domain intelligence, it blocks disallowed categories as users post or upload.
    Admins select which categories or top-level domains to restrict, applying consistent rules across the instance.

    It maintains a trusted workspace and reduces compliance exposure, especially in environments with external contributors.


    Figure 8: Content Filtering configuration screen for disallowed domains and categories like spam or hacking.

    Learn more about content filtering for Salesforce

    Identity protection — catching compromise before access

    If content threats are about what gets in, access control is about who is allowed in. The majority of breaches are attributed to identity compromise, and they start with a seemingly valid login. In Salesforce, attackers can use valid credentials stolen elsewhere.

    Continuing on the operations center metaphor, a contractor’s stolen badge opens a side gate and the threat actor walks straight into restricted systems, extracting sensitive data as part of seemingly normal activity.

    Catch stolen credentials before attackers use them

    Identity Protection in WithSecure Cloud Protection for Salesforce detects compromised Salesforce user credentials before attackers use them.

    Identity Protection continuously checks Salesforce accounts against verified breach intelligence. It covers internal and external users, scanning weekly and tracking 12 months of history. Each match shows where and when the breach occurred and how credentials were exposed.

    It’s like your badge control system that verifies who walks in and flags stolen passes before they’re used to access restricted areas.

    Admins can reset passwords, revoke sessions, or enforce MFA the moment an exposure is found.
    All activity is logged for audits and compliance.

    This early warning turns credential reuse from a hidden risk to a visible, fixable one.
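    An added example of the checks this section describes, written for this page and not WithSecure’s own code: match a user inventory against breach intelligence and derive the response from the breach metadata (what was exposed, and whether it happened after the last password rotation). It also goes one step beyond the page and shows the k-anonymity pattern used by Have I Been Pwned’s Pwned Passwords range API, which lets you ask whether a credential appears in a breach corpus without sending the credential itself. The user list, the breach feed and the range endpoint are all constructed in the code.

```python
import hashlib
from datetime import date

# Constructed Salesforce user inventory (not real accounts).
USERS = [
    {"username": "Anna.Lind@partner.example", "type": "external", "pw_changed": date(2024, 1, 10)},
    {"username": "j.doe@corp.example", "type": "internal", "pw_changed": date(2025, 3, 2)},
    {"username": "ops@corp.example", "type": "internal", "pw_changed": date(2023, 6, 1)},
]

# Constructed breach feed keyed by normalised e-mail (stands in for a breach-intel lookup).
BREACH_FEED = {
    "anna.lind@partner.example": [
        {"name": "SupplierPortalLeak", "date": date(2024, 11, 5),
         "classes": {"Email addresses", "Passwords"}},
    ],
    "ops@corp.example": [
        {"name": "NewsletterDump", "date": date(2022, 2, 2), "classes": {"Email addresses"}},
    ],
}


def normalize(addr: str) -> str:
    return addr.strip().lower()


def recommended_actions(user: dict, breaches: list) -> set:
    """Password exposed after the last rotation: reset, revoke sessions, enforce MFA.
    Password exposed but already rotated: still enforce MFA. Otherwise just watch."""
    actions = set()
    for b in breaches:
        if "Passwords" in b["classes"] and b["date"] > user["pw_changed"]:
            actions |= {"reset_password", "revoke_sessions", "require_mfa"}
        elif "Passwords" in b["classes"]:
            actions.add("require_mfa")
        else:
            actions.add("monitor")
    return actions


def find_exposures(users: list, feed: dict) -> list:
    """One report entry per account with at least one breach match."""
    report = []
    for u in users:
        hits = feed.get(normalize(u["username"]), [])
        if hits:
            report.append({"username": u["username"], "type": u["type"],
                           "breaches": [f"{b['name']} ({b['date'].isoformat()})" for b in hits],
                           "actions": sorted(recommended_actions(u, hits))})
    return report


# --- k-anonymity range check, in the style of the Pwned Passwords API ---
PWNED_CORPUS = {"password": 9_000_000, "Summer2024!": 120}   # constructed counts


def fake_range_endpoint(prefix: str) -> str:
    """Stand-in for GET /range/{prefix}: every SHA-1 suffix under a 5-hex-char prefix."""
    lines = []
    for pw, n in PWNED_CORPUS.items():
        h = hashlib.sha1(pw.encode()).hexdigest().upper()
        if h.startswith(prefix):
            lines.append(f"{h[5:]}:{n}")
    return "\n".join(lines)


def pwned_count(password: str, fetch_range=fake_range_endpoint) -> int:
    """Only the first 5 hex chars of the hash leave the client; matching is local."""
    sha1 = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = sha1[:5], sha1[5:]
    for line in fetch_range(prefix).splitlines():
        found, _, count = line.partition(":")
        if found == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for entry in find_exposures(USERS, BREACH_FEED):
        print(entry)
    print("password", pwned_count("password"))
```

    The breach date versus last password change is the detail that separates a noisy alert from an actionable one: an exposure that predates the last rotation is a reason to enforce MFA, not to reset again. The range query deliberately returns every suffix under the prefix so the server never learns which hash the client was interested in.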


    Figure 9: Breach detail view showing exposed partner account and breach metadata.

    Read more about early detection of credential compromises in Salesforce

    Secure AI adoption — keeping Salesforce fast and safe

    Agentic AI and automation drives efficiency, but with efficiency comes risk.
    Agentforce agents act faster than humans, spreading both value and potential compromise.

    As Agentforce brings autonomous workflows into Salesforce, think of it as a coordinated fleet of smart systems operating across a secure facility. The same rules apply to them as to humans, and that is what WithSecure Cloud Protection for Agentforce provides.

    Extend the same real-time protection to your autonomous AI agents

    WithSecure Cloud Protection for Agentforce add-on extends real-time scanning to every non-human action.

    URLs shared with an AI agent, links shared by an AI agent, and records updated by AI agents are all inspected.

    Events are logged with the same context and retention as user action logs.

    Automation runs at full speed under the same protection boundaries as human users.
    Security scales with business, not against it.

    Learn more about Agentforce security

    Analytics and visibility — connecting every signal

    Detection without visibility is guesswork.

    Analytics acts as the building’s control room. Every door entry, camera feed, and alarm signal is logged, giving you a complete picture of what happened, when, and who was involved.

    Trace what happened, where, and who was involved

    In WithSecure Cloud Protection for Salesforce every file, link, or identity scan feeds into unified analytics inside Salesforce.

    The Salesforce-native app supports multi-org environments, giving security teams visibility and consistent policy enforcement across all Salesforce instances.

    Protection Status dashboards show detection trends and overall health at a glance.
    Reports pivot by user, object, or threat type. Logs keep two years of event data and can export to a SIEM for broader analysis.

    Security teams can trace incidents end to end, identify recurring attack sources, and refine policies with evidence.

    Visibility closes the loop between detection, prevention and improvement. It is the critical factor that can turn a compliance nightmare around.


    Figure 10: Protection Status dashboard summarizing detections across layers.

    Learn more about security visibility and analytics

    Enterprise-grade and audit-ready protection for Salesforce

    WithSecure Cloud Protection for Salesforce brings enterprise-grade defense inside the platform itself.
    It applies the same layered logic proven in modern endpoint protection – multi-engine detection, sandboxing, machine learning, and behavioral analysis – but runs inside Salesforce.

    Unlike API-based or CASB security solutions, Cloud Protection operates within Salesforce’s own trust boundaries.

    There are no external dashboards or delayed scans, and every inspection happens in real time, with minimized data traffic outside the platform.

    WithSecure Cloud Protection for Salesforce is designed for organizations that live under scrutiny. Every detection, verdict, and policy action is logged and stored for 24 months, creating a verifiable audit trail of what happened, when, and how it was resolved.

    That visibility gives compliance and risk teams the documentation they need for internal reviews, regulatory audits, and incident investigations – saving time, money and trouble.

    It’s also built on independently verified controls.

    Certified under ISAE 3000 Type 2 (European equivalent to SOC 2 Type 2) and ISO 27001, and aligned with frameworks like NIS2, DORA, and GDPR, Cloud Protection meets the same standards expected of enterprise and government-grade environments.

    Options for controlled data residency – across the EU, US, Japan, Singapore, and Australia – keep analysis and logs within your chosen jurisdiction, satisfying both privacy and compliance requirements by design.

    Already trusted by leading Fortune 500 enterprises and public-sector organizations, WithSecure Cloud Protection for Salesforce secures Salesforce environments of every scale – from regional deployments to multi-org global operations.


    Figure 11: Admin view showing regional data-processing selection for Salesforce security.

    Built for the threats of today — and what’s coming next

    Salesforce now connects people, processes, and autonomous AI agents – and attackers are adapting just as quickly. WithSecure Cloud Protection for Salesforce evolves in step.

    Identity Protection turns credential exposure – a prevalent attack vector – into an early warning.
    The Agentforce extension adds real-time scanning for agent-driven use cases, keeping AI automation as secure as human action.

    Our roadmap follows both the Salesforce platform and the threat landscape, with one goal: to protect every interaction in Salesforce.

    When the protection layers work together

    If Salesforce security “checkpoints” are overlooked, the effects tend to ripple.
    One overlooked upload can spread malware across internal and external environments.
    One stolen credential can open connected systems.
    One missed alert can turn a contained incident into an operational outage.

    When layered safeguards hold, nothing dramatic happens, and that’s the point.
    Operations stay steady.
    Customers never notice a thing since their experience stays smooth, secure, and uninterrupted.
    Data stays untouched.
    Users log in, work, and leave without friction.

    It’s the digital equivalent of a secure operational base running on schedule: lights on, comms stable, mission intact. The people it serves never notice the threats that were stopped.

    That’s what layered protection inside Salesforce delivers: quiet continuity. As a Salesforce-native app, WithSecure Cloud Protection for Salesforce is available on AppExchange, and deployed within a short 30-minute session, where our technical experts walk you through the set-up.

    Got questions? Want to see the solution in action? Book a quick demo from the form below.

    For example, European ABN AMRO Insurances saw immediate impact and identified and quarantined their first threat quickly after deploying WithSecure Cloud Protection for Salesforce.

    “Within an hour we were up and running — and the protection just works in the background.”
    — Ralf van Hoorn, Salesforce Developer, ABN AMRO Insurances

    In the meantime, for further reading:

    • When Salesforce instances became the target: Salesforce cyber attacks in 2025
    • Defense in depth: why security layers must live in Salesforce
    • Attack kill chain in Salesforce and how to break it
    • Full feature list

  • Attack kill chain: how hackers layer tactics inside Salesforce

    A normal upload. A breach in the making.

    It starts with something routine.
    A customer uploads a PDF.
    A partner adds a link in a Case comment.
    A contractor logs in with credentials reused from another service.

    Nothing unusual, but minutes later, data starts moving through an authorized app via API.

    That’s how modern Salesforce breaches begin.
    Attackers don’t break in; they use what’s already open from portals to forms and trusted integrations.
    They hide links behind QR codes, register look-alike domains, and act through legitimate accounts that no one suspects.

    Salesforce is built for connection. It’s where customer data lives, deals close, and automation keeps the business running.
    That same openness makes it a prime target.

    Defending Salesforce starts with seeing every move inside the platform, starting from the first upload.

    How a layered attack unfolds inside Salesforce

    Attackers operate in sequences, not single actions.
    Each move sets up the next, leading step by step toward their goal: persistence, data theft, or leverage for extortion.

    Security teams often call this the attack kill chain: the sequence of stages an adversary moves through, from first access to final impact.

    They don’t always start with a malware-laden file. Many begin by looking for entry points: a web form, an Experience Cloud portal, an email-to-case inbox, or stolen credentials that let them impersonate a user and gain valid access. Once an entry works, the chain begins.

    Let’s look at how those attack chains form inside Salesforce, and how real-time detection can break them before damage hits.

    When entry looks legitimate

    It starts with a normal upload like an RFP response to an Experience Cloud portal, an invoice attached to an email-to-case, or a document submitted via web-to-lead.
    Inside the PDF is a QR code. The QR code includes a short link. Scanning it opens a mobile browser that lands on a login form hosted on a newly registered domain.

    Figure 1: Evasive attack tactics hide behind multiple layers.

    Salesforce will store the file by default; the platform does not inspect every embedded QR or decode its destination URL. That gap is enough. A busy support agent scans the QR on their phone for convenience, signs in, and the attacker captures the credentials on their server. The attacker can then reuse those details to log in or create a connected app.

    That’s a routine activity turned into a credential-harvesting event.

    Figure 2. Fake Microsoft login pages used in credential-harvesting campaigns targeting Salesforce instances. The design is near-identical to the real service; the domain is newly registered.

    When layers hide layers

    A user who appears to be a partner adds a shortlink in a Case comment inside Experience Cloud.
    At first glance, it looks harmless, just a link to shared documentation or a status page.
    In reality, the shortlink expands to a redirector, which then points to a phishing site cloned from Salesforce’s own login page.

    Because this link lives entirely inside Salesforce data, email filters never see it. No alarms.
    Each redirect strips a layer of context — bit.ly to redirector to fake domain — all executed in a matter of moments when a user clicks.

    By the time someone enters credentials, the attacker has the session and moves on to create persistence.

    When access turns into persistence

    After initial access, attackers often seek persistence. Let’s break down the common paths.

    One, they log in with stolen credentials and create long-term access, for example by authorizing a connected app and obtaining refresh tokens.

    Two, they use credentials directly to perform actions under a compromised account. That looks like normal user activity: API calls, exports, scheduled jobs. This makes it hard to spot with standard tools.

    Both approaches let attackers move slowly and quietly. There may be no traditional malware and no anomaly to flag. The activity runs through legitimate and trusted processes.

    In a 2025 campaign, phishers impersonated Salesforce support and used a cloned MFA page to capture username, password, and an MFA code. The attacker relayed those credentials to complete the login and generate session tokens. In the incident WithSecure Cloud Protection for Salesforce detected the phishing URL and blocked the page inside the portal before any token issuance could be abused for large-scale extraction.

    Figure 3. Phishing link in a campaign impersonating Salesforce led to a cloned login and MFA page containing a small but telling typo; one of the subtle cues that give fake portals away.

    When exfiltration looks like business as usual

    At the final stage, the objective is simple: get the data out of Salesforce.
    Attackers often do it through the same functions everyone else uses, like report exports, Data Loader jobs, or API syncs run through connected apps. Each of these looks like standard business activity, so there are no alarms ringing.

    In several recent extortion cases, attackers stole Salesforce records including customer data, and used them for pressure campaigns. When victims refused to pay, their data later appeared on leak sites. Once an attacker reaches Salesforce data, they already hold leverage.

    For defenders, that means two risks: operational downtime if systems are locked down, and reputational damage if customer data is exposed. Both are hard to recover from without clear visibility into what happened.

    Incident response teams face a hard truth inside Salesforce: there’s limited telemetry and traditional forensics tools weren’t built for the platform.

    Signals from the field – 2025

    WithSecure telemetry recorded a 20-fold increase in detections per million scanned files between late 2024 and early 2025. 27 % of file-based threat detections were image files containing embedded QR codes. Based on the threat telemetry, there are on average 900 malicious URLs in a single Salesforce org.

    Attackers are layering their tactics to hide malicious intent where traditional tools rarely look: QR codes hide links, new domains replace blocked ones, and trusted SaaS tools become the distribution channel.

    The first sign of trouble is often a routine interaction inside Salesforce.


    Breaking the chain from the inside

    To stop a layered attack, detection has to look at the same layers.
    That’s why WithSecure Cloud Protection for Salesforce, as a native Salesforce app, operates inside the Salesforce platform itself and inspects every file and link in real time.

    It detects zero-day malware, obfuscated quishing campaigns, and user credential compromises before the risk escalates, directly inside the Salesforce environment. It monitors credential risks of Salesforce community users – external users are a blind spot that traditional tools miss.

    Let’s look at how the attack chain is stopped from progressing inside Salesforce.

    Catching files at entry

    Every file upload and download is scanned and analyzed in real time.
    All established file types are unpacked and inspected for hidden malicious scripts – like malware and ransomware – or embedded URLs. Encrypted, password-protected archives and files are blocked.
    If a link points to a new or risky domain, it’s blocked before anyone clicks.

    Behavioral analysis then looks deeper – not at what a file looks like or what its name and extension claim it is, but at what it tries to do.
    Does it behave unlike an image file should?
    Does it attempt encryption or script execution?

    Suspicious behaviors trigger an instant block and alert.
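    The checks described above, as an added illustration that is not WithSecure’s or Salesforce’s code: does the content match the claimed type, does an archive hide encrypted or executable members, does a PDF carry active content, and which links should be handed on to URL inspection. All samples are constructed in memory (the "PDF" is a handful of marker bytes, not a document, and the encrypted ZIP is a normal ZIP with the encryption flag bit set by hand); the magic-byte table, the PDF action keywords and the block/allow policy are assumptions for the example.

```python
# Added example (not the product's code): upload-time file checks on constructed samples.
import io
import re
import zipfile
from dataclasses import dataclass, field

# Magic bytes identify the real container type regardless of the file name.
MAGIC = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "zip": b"PK\x03\x04",
}
# PDF action keywords that make a document *do* something instead of just render.
PDF_ACTIVE_CONTENT = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction")
URL_RE = re.compile(rb"https?://[^\s\"'<>()]+")
EXECUTABLE_EXT = (".exe", ".js", ".vbs", ".ps1", ".bat", ".scr")


@dataclass
class Verdict:
    name: str
    declared: str                     # type claimed by the extension
    actual: str                       # type indicated by the content
    reasons: list = field(default_factory=list)
    urls: list = field(default_factory=list)   # passed on to URL inspection

    @property
    def action(self) -> str:
        return "block" if self.reasons else "allow"


def content_type(data: bytes) -> str:
    for kind, sig in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def inspect_file(name: str, data: bytes) -> Verdict:
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    ext = {"jpeg": "jpg"}.get(ext, ext)
    actual = content_type(data)
    v = Verdict(name, ext, actual)

    # 1. Is the file what its name says it is?
    if actual != "unknown" and ext and ext != actual:
        v.reasons.append(f"named .{ext} but content is {actual}")

    # 2. Unpack archives: encrypted members cannot be inspected, so they are blocked.
    if actual == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for zi in zf.infolist():
                if zi.flag_bits & 0x1:            # general-purpose bit 0 = encrypted
                    v.reasons.append(f"encrypted archive member {zi.filename}")
                elif zi.filename.lower().endswith(EXECUTABLE_EXT):
                    v.reasons.append(f"executable inside archive: {zi.filename}")

    # 3. Does the document try to execute something?
    if actual == "pdf":
        for marker in PDF_ACTIVE_CONTENT:
            if marker in data:
                v.reasons.append(f"PDF active content {marker.decode()}")

    # 4. Extract embedded links for the URL layer (not a block reason on its own).
    v.urls = [u.decode("ascii", "replace") for u in URL_RE.findall(data)]
    return v


def encrypted_zip_fixture() -> bytes:
    """Constructed sample: the stdlib cannot write encrypted entries, so the
    encryption flag is set by hand in the local header (offset 6) and the
    central directory entry (offset 8)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.exe", b"not really a program")
    raw = bytearray(buf.getvalue())
    raw[raw.find(b"PK\x03\x04") + 6] |= 0x01
    raw[raw.find(b"PK\x01\x02") + 8] |= 0x01
    return bytes(raw)


SAMPLES = {  # constructed inputs, not real malware
    "rfp-response.png": b"%PDF-1.4\n1 0 obj << /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj\n%%EOF",
    "price-list.pdf": b"%PDF-1.4\n1 0 obj << /URI (https://docs.example.org/pricing) >> endobj\n%%EOF",
    "attachments.zip": encrypted_zip_fixture(),
}


def scan_all(samples=SAMPLES) -> dict:
    return {name: inspect_file(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, v in scan_all().items():
        print(f"{v.action:5} {name}: {v.reasons or v.urls}")
```

    The point of the first check is the one the text makes: a file called `rfp-response.png` whose bytes start with `%PDF-` is judged by what it is, not what it is called. The extracted URL list is deliberately not a block reason here; deciding whether `docs.example.org` is new or risky belongs to the link checks described next.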


    Catching hidden phishing links

    The solution also inspects links inside Salesforce in open text fields like records, comments, and uploaded files.

    Links and QR codes are inspected for reputation and age, and thoroughly decoded.
    URL Protection scans twice: once when content is posted, again when it’s clicked or interacted with. Agentforce actions also trigger the analysis process.

    The same mechanism rescans files when users download them, ensuring new detections apply even after the file has been stored.

    This double check catches delayed and time-bombed threats, a common trick in targeted phishing.
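    An added example (not the product’s code) of the two ideas in this section and in the earlier shortlink-to-redirector-to-phishing-page chain: expanding every hop of a link offline, judging the final destination by reputation and domain age, and then scanning the same link a second time at click time after the attacker has re-pointed the redirector. The QR-decode step is assumed to have already produced the URL; the redirect table stands in for live HTTP resolution, and every domain, date, the 30-day age threshold and the hop limit are constructed assumptions.

```python
# Added example (not the product's code): link expansion plus post-time and click-time checks.
from datetime import date
from urllib.parse import urlparse

MIN_DOMAIN_AGE_DAYS = 30   # assumed threshold for "newly registered"
MAX_HOPS = 10


def expand_chain(url: str, redirects: dict) -> list:
    """Follow shortener/redirector hops using a lookup table that stands in
    for live resolution. Stops on a loop or when the hop limit is reached."""
    chain = [url]
    while chain[-1] in redirects and len(chain) <= MAX_HOPS:
        nxt = redirects[chain[-1]]
        if nxt in chain:          # redirect loop
            break
        chain.append(nxt)
    return chain


def inspect_url(url: str, redirects: dict, first_seen: dict, blocklist: set, today: date) -> dict:
    chain = expand_chain(url, redirects)
    final_host = urlparse(chain[-1]).hostname or ""
    reasons = []
    if final_host in blocklist:
        reasons.append(f"{final_host} is on the phishing blocklist")
    # A domain the feed has never seen is treated as registered today.
    age_days = (today - first_seen.get(final_host, today)).days
    if age_days < MIN_DOMAIN_AGE_DAYS:
        reasons.append(f"{final_host} first seen {age_days} days ago")
    return {
        "url": url,
        "chain": chain,
        "hops": len(chain) - 1,
        "final_host": final_host,
        "verdict": "block" if reasons else "allow",
        "reasons": reasons,
    }


def post_then_click_scenario() -> tuple:
    """Models the double check: the link is clean when posted, the attacker
    re-points the redirector later, and the click-time scan catches it."""
    short = "https://short.example/x9k2"
    redirects = {
        short: "https://redir.example/go?id=42",
        "https://redir.example/go?id=42": "https://docs.partner.example/status",
    }
    first_seen = {                      # constructed domain-age feed
        "short.example": date(2012, 1, 1),
        "docs.partner.example": date(2019, 5, 14),
    }
    blocklist = set()

    at_post = inspect_url(short, redirects, first_seen, blocklist, date(2025, 6, 1))

    # Time bomb: the redirector now lands on a look-alike login page on a fresh domain.
    redirects["https://redir.example/go?id=42"] = "https://login-salesforce-verify.example/auth"
    first_seen["login-salesforce-verify.example"] = date(2025, 6, 10)
    at_click = inspect_url(short, redirects, first_seen, blocklist, date(2025, 6, 12))
    return at_post, at_click


if __name__ == "__main__":
    for label, result in zip(("at post", "at click"), post_then_click_scenario()):
        print(label, result["verdict"], result["final_host"], result["reasons"])
```

    Note that the shortlink itself never changes between the two scans; only what it resolves to does. A scanner that caches the post-time verdict by URL would keep allowing it, which is why the click-time rescan has to expand the chain again rather than reuse the earlier result.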

    Figure 4. WithSecure Cloud Protection for Salesforce detects and blocks malicious URLs like phishing links at the time of post and click to neutralize evasive threats.


    Containing compromised user identities

    Identity Protection capability in WithSecure Cloud Protection for Salesforce continuously monitors internal and community user accounts for exposure in third-party credential breaches.

    It matches encrypted email addresses against verified breach feeds and flags compromised users directly inside Salesforce. Admins can then revoke sessions and force password resets before an attacker reuses those credentials.

    This stops credential compromise from turning into long-term persistence and gives security teams a verifiable response trail when regulators request proof of action.

    The capability leverages both public and dark web breach intel, detecting compromised credentials up to 6 months earlier than any open source tools.


    Visibility for investigation and response

    Every detection, every response, every interaction is logged.
    Admins can review them in Salesforce reports and dashboards or export to SIEM for centralized analysis.
    The audit trail stays complete for 24 months, giving both security and compliance teams full visibility.

    Visibility helps incident response teams trace how a threat entered, what it touched, and how far it spread. This evidence, often missing in Salesforce environments, speeds containment, supports collaboration with law enforcement, and gives forensic teams real context instead of speculation.

    For most organizations, that level of evidence becomes the difference between days or weeks of uncertainty and hours to containment. Having a full audit trail inside Salesforce can turn a potential compliance mess into a documented response story.

    Visibility builds prevention and also makes response possible.

    Why layered detection matters

    Attackers layer their methods to stay hidden.
    Each link in the chain conceals the one before it: a phishing site is hidden behind a shortlink, the shortlink behind a QR code, the QR code inside a document… and the document itself might even be spoofed to look like another file type. Every layer removes a piece of context that defenders and superficial detection capabilities rely on.

    Signature scans match known patterns. Evasive chains change patterns.

    Layered detection connects the dots:

    • File analysis finds weaponized content.
    • URL and QR inspection expose malicious redirects and phishing domains.
    • Identity protection reveals when valid credentials have been exposed in a breach.

    Traditional and superficial security tools just flag the first anomaly, then lose sight of what happens next. Layered detection inside the platform keeps following the trail.


    Why this matters now

    Salesforce has become one of the most targeted business platforms in the enterprise stack.
    Attackers know its data is rich, permissions are complex, and human error is inevitable.

    Content-borne threat detections grew 20× in the past year. These threats – from file-based malware to QR code phishing campaigns – exploit what the typical security stack doesn’t see, which is the activity inside SaaS environments.

    In complex platforms like Salesforce, a breach doesn’t take a genius hack. It starts with the small oversights attackers are waiting for: a reused password, too much access, human error, or a missed or missing alert.

    Protecting Salesforce against today’s threats doesn’t mean removing all the complexity, but illuminating it.

    Even the best defenses can’t promise perfection. We’ve seen this in the recent attacks, where a $1M security stack couldn’t stop a phone call and a fake app. When a breach does occur, what matters most is how fast you can understand it, contain it, mitigate the damage and prove what happened.

    For further reading:

    • When Salesforce instances became the target: Salesforce cyber attacks in 2025
    • Defense in depth: why security layers must live in Salesforce
    • Real-time threat protection for Salesforce in action

    Rethinking defense in depth inside Salesforce

    Every security team knows the phrase defense in depth. It’s the oldest security mantra in the book, and one of the least adapted to how business actually runs today.

    It sounds solid: layers of protection so one failure doesn’t take you down. Firewalls. Endpoint protection. MFA. All good. All necessary. But limited. 

    Too many organizations still treat Salesforce as “just a CRM,” not the operational backbone it has become. It’s the hub of data, operations, automation, and customer trust – yet its security is often handled as a checkbox audit exercise, split between teams that rarely talk. That mindset creates the perfect blind spot for attackers. 

    In 2025, attacks often begin inside the tools we trust most. Salesforce is one of them. 

    The illusion of layers 

    Salesforce runs sales, service, portals, and now AI agents. It’s business critical and trusted – and a prime target because of it.

    That trust creates blind spots. Network security can’t see inside Salesforce. Endpoint tools can’t scan what’s shared there. Email security filters never touch the files or links users exchange across the platform once there – even if they originated through email.  

    So yes, the defense layers in the traditional model exist and are 100% valid – they just stop too early when it comes to defending modern entry points like Salesforce. And that’s where attackers now operate.

    If your data and workflows live inside Salesforce, your defenses should too.

    Traditional defense in depth protects networks and endpoints from the outside in. But in SaaS platforms like Salesforce, the most critical layers exist inside the environment itself.

    Why external layers like endpoint or email protection aren’t enough for Salesforce

    Most organizations still treat email as the front line. It’s where phishing and malware start, and the entire security stack evolved around it. But Salesforce isn’t an inbox. It’s where customer data, automation, and integrations meet, and once a file or link enters this environment, endpoint or email controls can no longer see it.

    Threats that enter through legitimate business channels built on Salesforce – such as support case details, or community portal processes – bypass traditional layers entirely. From there, malicious content or compromised identities can propagate across the platform, users and integrated systems unnoticed.

    Endpoint protection (EPP) or email security solutions weren’t built for this. They secure what enters or leaves the perimeter, not what happens inside Salesforce.

    The same layered model that has shaped email security – combining identity protection, content inspection, phishing protection and anomaly detection – has not yet been applied to Salesforce, even though it’s now a business-critical environment for data, customer trust and operations.

    That’s the visibility and control gap a modern defense-in-depth strategy for Salesforce must close.

    The lesson from email security is clear: layered protection works, but only when it lives where the data and interactions actually occur.


    Salesforce needs its own layers 

    Recent breaches prove it: the recent cascade of vishing and malicious Salesforce connected app breaches, Coinbase’s contractor compromise, the HELLCAT Jira attacks. Each began with valid credentials. Attackers didn’t break in; they logged in.

    Traditional defense-in-depth models focus on protecting systems and data. Attackers don’t think in layers; they just move through them as fast and as far towards their objective as they can. In Salesforce, that movement happens for example through people, files, unstructured data, and connected apps. Defenses need to follow the same path: seeing how threats enter, spread, and act, not stopping at the edge.

    Inside Salesforce, modern defense in depth has four connected layers: identity, content, governance, and automation. Each reinforces the others.

    These layers mirror the traditional defense-in-depth structure, with the first line of defense at Salesforce’s entry points (identity and content), followed by governance ensuring integrity within, and automation forming the intelligent core of business operations. 

    Defense in depth inside Salesforce protects identity, content, and configuration layers, creating a secure, Agentic AI–powered environment where data and automation work safely together.

    This model reflects Salesforce’s shared responsibility for security. Platform configuration, governance and monitoring form the foundation; real-time threat protection complements them.

    The identity layer – who’s logging in 

    The identity layer forms Salesforce’s first line of defense by controlling who reaches the environment before any data or process interaction can occur.

    Its weaknesses are well known but still underestimated: stolen or reused credentials, hijacked OAuth tokens, and unmanaged community or integration accounts that operate outside corporate identity controls.

    Many organizations see credential compromise as yesterday’s problem, but it remains the number one initial attack vector according to Verizon.

    Attackers most often exploit access and misconfiguration rather than Salesforce platform zero-days. Once they log in legitimately, every API, connected app, and automation trusting that account becomes part of the attack surface.

    The least controlled identities often pose the greatest risk. Community, partner, and external contractor accounts frequently operate outside corporate IAM controls yet hold broad access permissions. They should be treated as first-class identities: rotate credentials, restrict scopes, and continuously monitor for breach exposure.

    Examples:

    – An employee’s Salesforce credentials leak in a third-party breach. Attackers use them and export customer data unnoticed.
    – A partner reuses an old password from another system that has since been breached. Attackers use it to log into Salesforce, submit fake orders, and pivot into connected systems.
    – An external contractor user is left active after a project ends. The same credentials are on sale on the dark web. Attackers use them to access data programmatically.

    Identity protection in Salesforce is about seeing what’s normally invisible: who’s authenticating, how credentials are used, and where risk hides.

    Identity Protection in WithSecure Cloud Protection for Salesforce continuously monitors internal, partner, and community accounts against advanced breach-intelligence feeds. It detects exposed credentials before attackers reuse them – and much before any open source tools know of the breach details.

    A living identity-defense layer that detects and reacts before incidents spread deeper into the environment relies on multiple mechanisms designed to prevent the bypasses attackers most often exploit:

    • phishing-resistant MFA for high-privilege users;
    • SSO wherever possible;
    • refresh-token rotation and short token lifetimes;
    • admin approval required for connected apps;
    • third-party credential compromise monitoring to cut off credential stuffing.
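    The breach-exposure check described here and in the earlier Identity Protection section (match users against a breach feed, then revoke sessions and reset passwords), as an added example that is not WithSecure’s or Salesforce’s code. It models the three scenarios above: a leaked internal credential, a partner reusing a password from a breached system, and a contractor account left active after the contract ended. Hashed e-mail fingerprints stand in for the page’s "encrypted" addresses; the feed, the user inventory, the dates and the response playbook are all constructed assumptions, and the actions are returned as names rather than executed against a real org.

```python
# Added example (not the product's code): breach-feed matching and response selection.
import hashlib
from datetime import date


def email_fingerprint(email: str) -> str:
    """Normalise and hash so the feed lookup never carries the plaintext address."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


# Constructed breach feed keyed by fingerprint: (breach name, date the credentials surfaced).
BREACH_FEED = {
    email_fingerprint("alice@corp.example"): ("SaaSVendor-2025", date(2025, 2, 3)),
    email_fingerprint("partner.bob@reseller.example"): ("OldForum-2021", date(2021, 9, 18)),
    email_fingerprint("contractor.eve@ext.example"): ("DarkWebCombo-2025", date(2025, 4, 30)),
}

# Constructed user inventory: internal, partner and community identities side by side.
USERS = [
    {"username": "alice@corp.example", "kind": "internal", "active": True, "contract_ended": None},
    {"username": "Partner.Bob@reseller.example", "kind": "partner", "active": True, "contract_ended": None},
    {"username": "contractor.eve@ext.example", "kind": "partner", "active": True, "contract_ended": date(2024, 12, 31)},
    {"username": "carol@corp.example", "kind": "internal", "active": True, "contract_ended": None},
]


def response_for(user: dict) -> list:
    """Assumed playbook: cut live sessions and reset; external identities get a
    scope review; an account whose contract has ended should not exist at all."""
    actions = ["revoke_sessions", "force_password_reset"]
    if user["kind"] != "internal":
        actions.append("review_permission_sets")
    if user["contract_ended"] is not None:
        actions.append("deactivate_user")
    return actions


def find_exposed(users=USERS, feed=BREACH_FEED, today=date(2025, 6, 1)) -> list:
    """Return every user whose fingerprint appears in the feed, longest exposure first."""
    hits = []
    for u in users:
        match = feed.get(email_fingerprint(u["username"]))
        if match is None:
            continue
        breach, surfaced = match
        hits.append({
            "username": u["username"],
            "breach": breach,
            "exposed_for_days": (today - surfaced).days,
            "actions": response_for(u),
        })
    return sorted(hits, key=lambda h: -h["exposed_for_days"])


if __name__ == "__main__":
    for hit in find_exposed():
        print(f"{hit['username']}: {hit['breach']} ({hit['exposed_for_days']} days) -> {hit['actions']}")
```

    Two details carry the point of the text. Matching is done on a normalised, hashed form, so `Partner.Bob@reseller.example` still matches the feed entry for the lowercase address; and the result is ordered by how long the credential has been out in the open, because the partner’s four-year-old password is the one most likely to have been tried already.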


    The content layer – what moves through Salesforce 

    If identity is the gatekeeper, content protection is the guardrail. It inspects what enters Salesforce at the moment of upload, share, or click. This layer stops threats hidden in unstructured data before they spread and cause damage, for example data breaches or operational disruption.

    Delivery often rides trusted workflows. Files, links, and QR codes move through Salesforce every day across chats, emails, records, cases, portals, and various workflows. That’s where malware and phishing hide. 

    • A PDF attachment hides a phishing link. 
    • A ZIP file in a workflow contains ransomware. 
    • A QR code in a record leads to a fake login page. 

    These threats bypass email and endpoint security because they never leave Salesforce. Just as email filters scan attachments before delivery, Salesforce needs native inspection at upload and interaction, because the attack surface targeting human users and human error has shifted from inboxes to platforms like Salesforce.

    WithSecure telemetry shows a twenty-fold increase in malware and phishing detections between 2024 and 2025. 

    File Protection and URL Protection in WithSecure Cloud Protection for Salesforce keep this layer clean by scanning every file and link in real time. They stop threats where they appear – inside the platform itself.


    The platform & governance layer – how Salesforce is configured and controlled 

    Misconfigurations and excessive permissions can be as damaging as malware.
    This layer defines Salesforce’s security foundation — the policies, controls, and visibility that shape how the environment operates and evolves.

    Salesforce security isn’t a set of isolated parts.
    Identity, content, and governance intersect constantly:
    who acts (identity), what they act on (content), and under what rules (governance).

    This layer unites those elements by keeping access, data handling, and automation consistent, visible, and accountable.

    Effective governance rests on three principles:

    Integrity: Harden configurations, enforce least privilege, and keep permissions and integrations within intended boundaries.
    Visibility: Continuously monitor changes, API connections, and unusual activity that signal misuse or drift.
    Accountability: Maintain a clear audit trail of who changed what, when, and why. This enables compliance and rapid incident response.

    Native tools like Salesforce Security Center, Health Check, Shield, and Event Monitoring support these principles by exposing configuration and activity data inside Salesforce.
    Ecosystem tools such as AppOmni extend that visibility across third-party integrations and cross-cloud access.

    Once attackers gain entry, their goal becomes persistence and hiding within trusted processes.
    Governance shortens that dwell time by enforcing integrity, surfacing anomalies, and ensuring every configuration and connection is auditable.

    When governance, identity, and content protection reinforce each other, Salesforce operates as a cohesive, trusted environment. Every action, human or automated, stays within defined and observable boundaries.

    The automation layer at the core – where Salesforce intelligence comes to life 

    AI and automation are now the heart of Salesforce, but at the same time its newest attack path.

    At the core of Salesforce are the automations and autonomous AI workflows that drive modern business – from Flows to Agentforce. This is the Agentic AI–powered Salesforce environment: a living system where data, processes, and AI agents interact to execute work at speed and scale. 

    As Salesforce embeds AI agents across every process, the attack surface now includes the workflows themselves. Salesforce’s emerging direction “Agentforce for Security” introduces agentic capabilities for automated detection, incident triage, and intelligent remediation. These innovations aim to help security teams respond faster and reduce the manual overhead of investigation and response. As Salesforce continues embedding AI agents across its ecosystem, the need to ensure these automations act on safe, trusted inputs only grows more critical. 

    Automation is not part of the traditional defense in depth thinking, but in modern Salesforce environments automation is the business logic itself. It’s not just “a layer” but an amplifier for both productivity and potential risk.

    • Automated Flows and AI agents directly execute actions that affect data and users.
    • That means automation and especially autonomous AI can propagate malicious inputs (e.g., a poisoned file, fake record, or compromised user action) at machine speed.

    That’s where layered defense plays a defining role. When data is secure, and configurations are consistent, automation can operate safely and predictably. Without those guardrails, AI agents and automated workflows can quickly amplify mistakes, or act on malicious inputs. 

    Defense in depth must now extend into automation, because automation acts with the same privileges as humans in the attack path, only faster. When every layer reinforces the next, both human and AI-driven actions inside Salesforce remain trustworthy and resilient. 


    Visibility that leads to action

    When each layer feeds visibility back into the next, you not only prevent attacks, you learn from them. That’s how depth becomes intelligence.

    Every defense layer in Salesforce is connected by a visibility loop that turns detections into prevention, and prevention into ongoing improvement. Visibility in Salesforce is not just adding more dashboards.

    Having this overarching visibility means exposures are caught before they become incidents and attacks are blocked before they cause damage (and tracked swiftly if something has slipped through). Patterns of malicious activity or misuse feed directly into stronger governance.

    Visibility isn’t an extra layer but something that connects everything. It helps improve every layer continuously with each event.

    • User risk: detect → reset
    • Content risk: scan → block
    • Platform risk: monitor → fix

    When each action is logged and traceable, you have provable control, compliance-readiness, and stronger prevention against incidents.

    Salesforce has become one of the most targeted and valuable operational systems in any enterprise. Prioritizing its detections and exposures delivers disproportionate risk reduction.

    The new meaning of depth 

    In Salesforce, layers don’t sit neatly on top of each other; they intersect.

    In practice, defense in depth inside Salesforce results in clearer sight and faster action. Visibility turns detections into decisions, and decisions into effective prevention.

    Salesforce security needs layers that look inward – at the users, the content, and the automation driving your business every day. 

    Innovation isn’t optional anymore. Agentic AI isn’t a “maybe”, it’s a “when.” Securing it can’t wait for maturity or readiness. Salesforce found that 79% of IT leaders believe that defenses are falling behind AI-driven cyber threats. IBM found that 97% of AI-related breaches involved systems with no proper access controls. The timing for security isn’t later – it’s day one.

    If you run Salesforce, don’t ask how tall your walls are. Ask how deep your defenses go.

    WithSecure Cloud Protection for Salesforce offers layered defense

    Defense in depth in Salesforce only works when each layer reinforces the others, and when those layers live where the risks occur. WithSecure Cloud Protection for Salesforce puts this layered model into practice – in Salesforce, in real time.

    File and URL Protection
    Scans every file and link at upload, download, and interaction. It stops sophisticated malware, ransomware, and phishing from entering Salesforce through various channels.

    Identity Protection
    Detects compromised user credentials before they’re exploited. Continuously monitors internal and community accounts against the latest breach intelligence, providing early warnings.

    Visibility & Analytics
    Delivers deep insight into detections and user risk. It complements built-in platform tools like Salesforce Shield and Event Monitoring.

    Together, these capabilities form multi-layered defense for the AI-powered Salesforce environment including Agentforce. They protect against malware, phishing, and identity threats without slowing down the business.
