WithSecure Cloud Protection for Salesforce evolves in step with both the threat landscape and the Salesforce platform. Apollo 2.9.1 strengthens defenses against advanced phishing attacks by detecting even obfuscated QR codes hidden in everyday business files — protecting users on both managed and unmanaged devices.
What’s new in Apollo 2.9.1:
- Detect malicious QR codes in uploaded PDFs and Office files
- Analyze shortened URLs (e.g. bit.ly, tinyurl) hidden inside QR codes
- Block QR phishing threats even when scanned on unmanaged devices
- Mitigates a Salesforce platform issue that can create unintended ContentDocumentLink (CDL) records when files are uploaded by Guest Users
- See all updates and fixes in the release notes
Note for the future: Apollo 2.9 is required for activating upcoming Agentforce security extension
Defense against QR code and redirect-based phishing
QR codes in Salesforce look harmless. Until they aren’t.
Cybercriminals are increasingly turning to QR codes to deliver phishing links in a way that bypasses traditional security layers. Known as quishing, these attacks embed malicious links inside QR codes, which are then placed into everyday business documents like PDFs, invoices, or slide decks.
When scanned – often on unmanaged mobile devices – the user is silently redirected to a phishing site designed to steal credentials or install malware. Because the destination is hidden inside a code, traditional file and link scanners often miss it.
Innovation inspired by real-world attacks
When one of our large customers faced a wave of QR-based phishing attempts in 2024, existing defenses weren’t catching them. Within months, we built the first Salesforce-native QR phishing detection engine.
Now, with Apollo 2.9.1, we’ve expanded it further to eliminate even more stealthy, layered QR-based threats. We’ve added the ability to detect malicious QR codes in PDF and Office files, and even malicious shortened URLs hidden inside QR codes.
This protection works across both internal and external workflows, and helps reduce phishing success rates, especially in environments with bring-your-own-device (BYOD) policies.
We’ve detected malicious QR codes in high volumes across Salesforce environments in 2025, making QR code detection a key player in protecting your platform.
What’s new in Apollo 2.9.1:
- Detects malicious QR codes embedded in uploaded PDFs and Office files
- Unwraps shortened URLs (bit.ly, tinyurl, etc.) hidden within QR codes
Why it matters:
- Blocks phishing attacks others miss – even on unmanaged mobile devices
- Protects internal and external users before threats reach them
- Reduces manual investigation and security workload
Got Guest Users? Action is required
Salesforce recently introduced a platform change that impacts how files uploaded by Guest Users are handled. This can result in additional CDL records being created.
Apollo 2.9 includes updates to mitigate this behavior. For remediation, please contact your Customer Success Manager.
We strongly recommend all customers update to Apollo 2.9 — especially those leveraging Guest Users.
Upgrade timeline
- Sandbox environments: starting September 17th, 2025
- Production environments: starting October 1st, 2025
You can also update manually anytime via Salesforce AppExchange.
What’s next on the horizon?
The way businesses use Salesforce is changing fast — and so are the threats targeting it.
With Agentforce, AI agents are beginning to take on customer interactions, surface data, and drive business decisions. As these capabilities expand into file handling and cross-object automations, the security requirements will grow with them.
That’s why we’re building protection in parallel with Salesforce’s roadmap. The upcoming Agentforce extension will provide native, real-time security for agent-driven workflows — starting with URL scanning, and expanding to cover agent behaviors, connected app actions, and layered file protection. This isn’t a static add-on, but a security foundation for everything your AI agents may do next.
At the same time, we know platform evolution is only one part of the equation.
The threat landscape is seeing escalating Salesforce breaches, and threats from credential compromise to QR code phishing to malicious files embedded in collaborative workflows. Our roadmap doesn’t just follow Salesforce; it tracks attacker behavior across the ecosystem.
That’s why we’re advancing real-time defenses that adapt as attackers do, and investing in identity protection to surface early signs of credential compromise before damage spreads. Our goal is simple: protect every action in Salesforce, whether taken by a human or an agent.
Important: The Agentforce extension will require Apollo 2.9.1 or later. Upgrading now ensures your environment is ready to activate Agentforce protection as soon as it becomes available.
