Analysis of detection telemetry from WithSecure Cloud Protection for Salesforce (CPSF), alongside publicly reported incidents, highlights a clear shift in how attacks unfold. The majority of malicious activity observed during 2025 in CPSF detection telemetry was delivered through URLs, embedded links, and QR code-based interactions that blended into routine business processes such as document sharing, policy updates, payment notifications, and account verification requests.
Adversary-in-the-middle phishing kits captured session tokens and MFA challenges in real time. These techniques operate within trusted workflows rather than relying on direct exploitation, making them difficult to distinguish from legitimate activity.
Publicly reported campaigns further illustrate how legitimate access paths are increasingly abused. OAuth token theft enabled long-lived access without passwords. Supply-chain compromises of trusted Salesforce integrations expanded the blast radius across multiple organizations. In parallel, extortion-driven actors publicly referenced Salesforce data in leak-site activity, reinforcing its perceived value as leverage, even where their claims were exaggerated or unverified.
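The "long-lived access without passwords" problem above is visible in token-usage telemetry if you look for it. The script below is an added example, not WithSecure's or Salesforce's code, and the event records and field names (`token_id`, `issued`, `used`, `ip`) are constructed and hypothetical; it flags OAuth tokens that are still in use long after issuance and tokens exercised from more than one source address, two cheap signals a defender can run over exported integration logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records loosely modelled on OAuth token-usage events.
# Field names are hypothetical; this is not a Salesforce or CPSF log format.
EVENTS = [
    {"token_id": "t1", "user": "alice", "app": "CRM Sync",
     "issued": "2025-01-05T09:00:00", "used": "2025-01-05T09:10:00", "ip": "203.0.113.10"},
    {"token_id": "t1", "user": "alice", "app": "CRM Sync",
     "issued": "2025-01-05T09:00:00", "used": "2025-04-20T02:30:00", "ip": "198.51.100.7"},
    {"token_id": "t2", "user": "bob", "app": "Reporting",
     "issued": "2025-03-01T08:00:00", "used": "2025-03-02T08:00:00", "ip": "203.0.113.11"},
    {"token_id": "t3", "user": "carol", "app": "Marketing",
     "issued": "2024-11-01T08:00:00", "used": "2025-05-01T08:00:00", "ip": "203.0.113.12"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def long_lived_tokens(events, max_age_days=30):
    """Token ids whose most recent use is more than max_age_days after issuance.

    A refresh token that keeps working for months is exactly the kind of
    delegated access that survives a password reset, so it deserves review.
    """
    flagged = set()
    for e in events:
        age = _ts(e["used"]) - _ts(e["issued"])
        if age > timedelta(days=max_age_days):
            flagged.add(e["token_id"])
    return sorted(flagged)


def multi_ip_tokens(events):
    """Token ids exercised from more than one distinct source address."""
    ips = defaultdict(set)
    for e in events:
        ips[e["token_id"]].add(e["ip"])
    return sorted(t for t, seen in ips.items() if len(seen) > 1)


def token_findings(events, max_age_days=30):
    """Combine both signals into a per-token report for analyst triage."""
    report = {}
    for t in long_lived_tokens(events, max_age_days):
        report.setdefault(t, []).append("long-lived")
    for t in multi_ip_tokens(events):
        report.setdefault(t, []).append("multiple source IPs")
    return report


if __name__ == "__main__":
    for token, reasons in token_findings(EVENTS).items():
        print(f"{token}: {', '.join(reasons)}")
```

Tune `max_age_days` to the token lifetime your connected-app policy actually allows; a token that outlives that policy is either misconfigured or being abused, and the multi-IP signal helps separate the two.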
These patterns point to a fundamental shift in risk. Identity, automation, integrations, and content are now tightly interconnected, forming expanding trust surfaces within Salesforce environments. Salesforce increasingly functions as a trust hub, where human users, non-human identities, automated processes, and data flows interact continuously. As automation, agent-driven execution, and AI-assisted workflows expand, attackers gain more opportunities to exploit delegated access and long-lived trust relationships.
Preparing for 2026 and beyond requires organizations to treat Salesforce security as an ecosystem-level challenge rather than a point-control problem. Effective defence depends on maintaining visibility into how identities, integrations, automation, and content interact over time, and on detecting misuse within trusted workflows. WithSecure Cloud Protection for Salesforce supports this need by extending detection and visibility across URLs, files, QR code-based interactions, identities, and integrations, surfacing malicious activity that would otherwise blend into normal business operations.
Organizations that align governance, detection, and response across these expanding trust relationships will be better positioned to manage risk as both Salesforce capabilities and attacker tactics continue to evolve.
