What’s new in WithSecure Cloud Protection for Salesforce 3.0

The Apollo 3.0 release introduces Identity Protection – a new layer of protection that monitors internal and external user credential compromise.

The most expensive breaches don’t start with zero-day exploits — they start with trusted access

According to the IBM Cost of a Data Breach 2025 Report, breaches caused by stolen or compromised credentials are the most expensive of all, and take the longest of all breach types to detect and contain.

In Salesforce, that silent risk amplifies. Community users, such as partner and contractor accounts, often sit outside corporate IAM controls, making them invisible to traditional defenses.

And when a password leaks, attackers don’t have to break in. Stolen credentials don’t trip alarms, they open doors.

Modern breaches don’t stop at the first login. Attackers move from identity to identity, using one compromised account to impersonate and trick others, authorize connected apps, or expand access through trusted automations. Detecting exposure early prevents this lateral movement before it reaches deeper systems.

Preventing the first compromised login is preventing the first step of a breach.

A new layer of protection for identities – inside Salesforce

We’re introducing Identity Protection in WithSecure Cloud Protection for Salesforce: a first-of-its-kind capability that detects when your Salesforce users’ credentials appear in real-world data breaches, before attackers can exploit them.

The WithSecure Cloud Protection for Salesforce solution has already protected enterprise and government Salesforce environments from malware and phishing threats – now it also covers identity risks. The solution gives teams comprehensive visibility into who is at risk, what they access, what the threat is, how it has spread, how severe the risk is, and when exposure occurs – all inside Salesforce.

Why it matters

Stolen credentials remain the top cause of breaches. In Salesforce, the problem is amplified by credential reuse and third-party user access. A leaked password from an unrelated breach can give an attacker direct, trusted access to your customer data and business workflows.

  • Credential compromise remains the top attack vector.
    It has been the leading cause of breaches for the past decade and remains so in 2025. It’s also the most costly and the slowest to detect.
  • Salesforce multiplies the blast radius.
    External users – partners, contractors, community members – often authenticate from outside SSO or MFA enforcement. In Salesforce, the problem is amplified by credential reuse across services. This is the first step of an identity chain. Once an attacker logs in as a trusted user, every connected system, user and workflow becomes a potential next move.
  • Traditional IAM tools can’t see inside Salesforce.
    Once a compromised user logs in, standard security stacks generate no alerts.
  • Layered defenses must live inside Salesforce.
    Identity Protection complements File Protection and URL Protection capabilities by defending against the most prevalent cyber threats directly inside Salesforce – where the business, and also the risk, happens.

Identity security in the rapidly scaling and evolving Salesforce environment can’t rely on traditional IAM tools alone; it needs real-time breach intelligence built directly into Salesforce.

When a user’s password is exposed in a breach, attackers don’t have to break in; they simply log in. This triggers no alerts in standard tools and gives the attackers plenty of time to cause damage silently.

Identity Protection in WithSecure Cloud Protection for Salesforce cuts the chain at its starting point, giving defenders visibility into exposed accounts before attackers can exfiltrate data or pivot laterally across users, workflows, or connected apps.

How Identity Protection works

Identity Protection scans the email identities of active Salesforce users against a continuously updated breach-intelligence feed that includes both public and exclusive dark-web sources.

  • Detection: Identifies exposed credentials up to six months faster than open-source datasets.
  • Results: Each detection includes breach source, publish date, password format (plain text or hashed), severity level, and exposure history.
  • Scope: Up to 50 000 standard and community users per org. Integration and automation users are excluded.
  • Cadence: Automated, scheduled weekly batch scans.
  • Admin view: The Identity Protection dashboard shows all exposed users, ranked by severity and breach recency, with a 12-month history for each user.
  • Integration: Requires Connected App integration, fully embedded within the Salesforce UI.

Identity Protection requires no separate add-ons or external integration beyond the connected app integration type already available for the app. Please note that this capability is compatible with user-based licenses and requires version Apollo 3.0 to be installed. There is no additional cost for using the feature.

Example scenario: when a contractor account becomes the attack path

A partner’s login credentials surface in a new breach dataset. Identity Protection flags the user and reveals that the password was leaked in plain text from a known service.

Within minutes, administrators can reset the credentials, revoke sessions, and review related activity. They’re effectively preventing unauthorized access – and the first steps of a breach – before data exfiltration or fraud occurs.

Without detection, the attackers could have acquired the credentials from the dark-web forum, tested them against different services (most people reuse passwords across services, and across professional and personal accounts) until they got into one, for example a Salesforce environment. Depending on the environment and the user account in question, they could have exfiltrated data, manipulated business processes, or launched convincing impersonated phishing campaigns.

Detecting and revoking compromised credentials is the first step to stop a breach.

Identity Protection in practice

Setup & scheduling

Enable Identity Protection from the Administration tab, and choose whether to scan all users or a select subset.


Set weekly scan day and time. Notifications appear when jobs start and complete.

Alerts & notifications

In-app alerts notify of newly exposed users and configuration events.

Breach details like severity, reason, and source show whether the alert stems from a feature, license, or actual breach.

Identity dashboard & analytics

The identities section lists users ranked by severity and recency.

Breach history shows each user’s timeline of exposures across months.

Breach details provides detailed metadata for source type, record count, and confidence rating.

Identity events are logged alongside file and URL detections for correlation and compliance.

As the end result, admins see who was exposed, when it happened, and how severe it is without leaving Salesforce.

Available today in Apollo 3.0

Identity Protection is included by default in all user-based WithSecure Cloud Protection for Salesforce licenses at no extra cost (volume-based licensing not currently supported).

Update manually from the Salesforce AppExchange to Apollo 3.0 and activate Identity Protection from Administration → Identity Protection to get started.

Together with File and URL Protection, Identity Protection broadens security coverage across Salesforce to protect who logs in and what they bring in across workflows.

Identifying high-risk files in Salesforce

Attackers have increasingly turned to password-protected files to conceal malware and evade inspection. These files cannot be scanned by standard antivirus engines, creating a potential blind spot in even the most mature security programs.

In the Orion 2.6 release, we introduced detection and removal of password-protected archive files, helping organizations prevent hidden malware from entering Salesforce.

With the Apollo 3.0 release, this capability now also covers Microsoft Office and PDF file formats, and evolves into a broader high-risk content detection capability.

Customizable, granular protection for uploads and downloads

Administrators can now more granularly configure how WithSecure Cloud Protection for Salesforce handles password-protected or otherwise high-risk files at both upload and download events:

  • On upload: choose between Allow and Report, or Remove
  • On download: choose between Allow and Report, Remove, or Block

A new High-Risk Content modal under File Protection Settings centralizes these options, letting administrators customize protection levels to business and compliance requirements.

When a file is removed, the solution automatically replaces it with a placeholder text file explaining the action taken, which preserves user experience and audit transparency. All related alerts and events are logged in the Analytics section for review.

It is worth checking security configurations regularly. For the File Protection feature, we recommend following these best practice settings.

Enhanced visibility and risk control

This enhancement enables organizations to:

  • Detect password-protected Office, PDF, and archive files during both upload and download
  • Prevent unscannable files from being stored or shared within Salesforce
  • Apply consistent, policy-based controls to high-risk content
  • Maintain full audit visibility for incident response and compliance

The feature requires both Advanced Threat Analysis and the Connected App to be enabled, ensuring detection accuracy and reporting integration across the app’s analytics and alerting framework.
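
The following Python example is added here for illustration and is not WithSecure's code or detection logic. It shows header-level heuristics that flag password-protected PDF, Office (OOXML) and ZIP content, then applies a per-event policy like the upload and download options described above. The function names, action strings and sample files are assumptions constructed for this example.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")        # OLE2 compound file header
ENC_STREAM = "EncryptedPackage".encode("utf-16-le")  # stream holding encrypted OOXML

# Hypothetical action names mirroring the upload/download options listed above.
ALLOWED_ACTIONS = {
    "upload": {"allow_and_report", "remove"},
    "download": {"allow_and_report", "remove", "block"},
}

def is_password_protected(data: bytes) -> bool:
    """Heuristic: True when the content cannot be inspected without a password."""
    if data.startswith(b"%PDF-"):
        # Encrypted PDFs point to an encryption dictionary with an /Encrypt key.
        return b"/Encrypt" in data
    if data.startswith(OLE_MAGIC):
        # Password-protected .docx/.xlsx/.pptx are stored as an OLE2 container,
        # not as a plain ZIP. Legacy binary Office encryption is not covered here.
        return ENC_STREAM in data
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                # Bit 0 of the general-purpose flag marks an encrypted member.
                return any(info.flag_bits & 0x1 for info in zf.infolist())
        except zipfile.BadZipFile:
            return False
    return False

def handle(event: str, data: bytes, policy: dict) -> str:
    """Return the configured action for high-risk content, else 'allow'."""
    action = policy[event]
    if action not in ALLOWED_ACTIONS[event]:
        raise ValueError(f"{action!r} is not available on {event}")
    return action if is_password_protected(data) else "allow"

def sample_zip(encrypted: bool) -> bytes:
    """Constructed sample: a one-member ZIP, optionally flagged as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "constructed sample")
    raw = bytearray(buf.getvalue())
    if encrypted:
        raw[6] |= 0x01                             # local header flag byte
        raw[raw.index(b"PK\x01\x02") + 8] |= 0x01  # central directory flag byte
    return bytes(raw)

if __name__ == "__main__":
    policy = {"upload": "remove", "download": "block"}
    print(handle("upload", sample_zip(True), policy))     # remove
    print(handle("download", sample_zip(False), policy))  # allow
```

These checks only read container metadata, so they show why such files are treated as unscannable: the payload stays opaque to any content engine until the password is supplied.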

What’s next on the horizon

Identity risks – as one of the top initial attack vectors – matter as much as malware or phishing threats.

With Identity Protection, WithSecure Cloud Protection for Salesforce evolves beyond content and phishing defense to protect the people and accounts operating inside Salesforce. It’s another protection layer in our mission to secure Salesforce in real time from modern cyber threats.

As Salesforce use is shifting to autonomous AI use cases, we’re extending real-time protection to Agentforce.

Looking ahead, our focus is clear:

  • Platform evolution: as Salesforce continues to connect users, agents, and data, we’ll extend protection in parallel.
  • Threat evolution: from phishing and QR codes to credential compromise and supply-chain abuse, our defenses will adapt to how attackers operate.

And our goal stays simple:
Protect every interaction in Salesforce: every file, every link, every user, and every agent.
