WithSecure™ Cloud Protection for Salesforce
Your Salesforce is now the front door for financial service attacks
Salesforce now sits at the center of how your firm engages clients, processes applications, and manages portfolios. That’s why attackers are targeting it.
They don’t need to breach your perimeter. They walk in through the content your customers and partners already send you: a PDF attached to a loan application, a link inside a wealth client portal message, a QR code submitted with an insurance claim. The attack surface has moved inside your most trusted workflows, and Salesforce wasn’t built to inspect what flows through it.

Three major US insurers breached through Salesforce in 2025. What’s protecting yours?
Financial firms now have to prove control over customer data, third parties, record retention, incident response, and regulatory reporting. Your Salesforce environment touches all of them, and most security stacks don’t reach inside it.
- 700% increase in malicious Salesforce activity in 2025
- 98% of all detected threats are URL-based
- 39% of all impacted organizations US-based

Get the Salesforce Threat Landscape Report 2026
Our 2026 Salesforce Threat Landscape, and the numbers within it, proves that financial firms cannot afford to assume the platform protects them.
Trusted by financial enterprises worldwide
Rolls-Royce & Partners Finance
“We know all files and links accessed by users are scanned for threats immediately and are safe. This achieves both compliance and peace of mind.”
Rolls-Royce & Partners Finance
ABN AMRO Insurances
“When we just started using WithSecure, we already had one file that was put into quarantine, which actually contained a virus.”
Roel van de Donk, Lead Product Owner
AXA Group Operations
“WithSecure Cloud Protection’s solution runs quietly in the background. It doesn’t get in the way, but it gives us the assurance that everything passing through Salesforce is safe.”
Xavier Léon, Head of Reinsurance Business Applications
What it looks like when Salesforce becomes the breach
Throughout 2025, attackers used social engineering, not perimeter exploits, to compromise some of the most heavily regulated firms in the US. The common thread: Salesforce.
Allianz Life
Disclosed July 2025. Roughly 1.4–1.5 million US customer records exposed, with threat actors claiming to have leaked 2.8 million in total.
TransUnion
Disclosed July 30, 2025. More than 4.4 million Americans’ sensitive data taken from a targeted Salesforce database.
Farmers Insurance
Disclosed May 2025. 1.1 million customers affected. Attackers used voice phishing to socially engineer support staff.
Salesforce-native security has blind spots
Dangerous misconceptions
There’s a dangerous misconception within the financial services industry that Salesforce’s native security features alone are enough to protect sensitive customer data. The truth is they are not – and attackers know it.

Limited Salesforce capabilities
No real-time file scanning. No URL inspection. No detection of compromised credentials. OAuth token abuse goes undetected, and guest-user portal misconfigurations stay invisible.

URL-based attacks
98% of Salesforce threats now arrive as a URL, embedded in cases, chats, attachments, and portal messages. Built-in controls weren’t designed to follow them.

Where attackers enter your trusted Salesforce workflows
These aren’t hypothetical. They’re the everyday workflows your teams already trust:
- Loan and mortgage applications. Customers upload supporting documents straight into Salesforce. Any one of those files could carry malware.
- Insurance claims processing. Attachments arrive from policyholders and third-party adjusters with no content inspection in place.
- Wealth management client portals. Clients share sensitive files and exchange links inside Salesforce communities, with no URL scanning.
- Customer support cases and chats. Agents open attachments and click links submitted by customers, with no way to know they’re safe.
- Partner and advisor submissions. External advisors and intermediaries upload documents directly into your Salesforce org, bypassing your endpoint security entirely.
- Agentforce processing customer content. AI agents on Agentforce read and act on customer-submitted content in real time. Salesforce gives them no native inspection of what that content contains.
The missing security layer for modern Salesforce threats
Stop malicious files, URL-based attacks, identity abuse, and AI-agent risks in real-time — before they disrupt your business continuity. Trusted by Fortune 500 companies and governments around the world.
How we close your Salesforce compliance gap
Regulations require you to protect customer data, detect and report incidents, and demonstrate control over third-party risk. What they don’t spell out is that your Salesforce environment is one of the biggest gaps in that compliance picture.
Here’s how the requirements map to Salesforce-specific risks, and what Cloud Protection does about each one.
United States
SEC Reg S-P
Requirement:
Maintain a written incident-response programme and notify affected individuals within 30 days of an unauthorised access event involving sensitive customer information.
Salesforce risk:
Customer-submitted files and links flowing through Salesforce workflows can introduce malicious content or phishing threats that may not be adequately inspected, correlated, or escalated into incident-response workflows.
How we help:
Provides real-time detection and audit visibility for malicious files and URLs inside Salesforce workflows, helping security teams investigate incidents and support reporting and notification processes.
NYDFS Part 500
Requirement:
Conduct risk assessments, enforce MFA for access to systems holding nonpublic information (including cloud applications), and maintain policies for third-party service providers.
Salesforce risk:
Compromised Salesforce credentials and OAuth token abuse are invisible to native security controls. Files and links entering via customer and partner portals are uninspected.
How we help:
Identity Protection detects compromised accounts and unusual access patterns in real time. File and URL scanning inspects all content arriving from third parties before it reaches your teams.
GLBA/FTC Safeguards
Requirement:
Protect the security and confidentiality of customer information and ensure service providers do the same.
Salesforce risk:
Customer data processed within Salesforce workflows — including content submitted by customers and partners — is not inspected for threats that could result in unauthorised access or disclosure.
How we help:
Adds the content inspection layer required for any system processing nonpublic customer data, with controls that extend to all files and URLs flowing through Salesforce.
Canada
OSFI B-13/B-10
Requirement:
Technology and cyber risk controls proportionate to the sensitivity of information held, with third-party risk oversight and incident reporting within 24 hours.
Salesforce risk:
Files and links submitted by third parties through Salesforce receive no native inspection. Incidents originating from Salesforce content may go entirely undetected without dedicated tooling.
How we help:
Provides the detection and audit capability needed to meet B-13 control requirements and support OSFI’s incident-reporting timelines.
Australia
APRA CPS 234
Requirement:
Implement information-security controls commensurate with the criticality and sensitivity of assets, and notify APRA of material incidents.
Salesforce risk:
Customer-submitted content flowing through Salesforce is a critical information asset with no native inspection controls, making it difficult to demonstrate compliance with CPS 234 expectations.
How we help:
Brings Salesforce content handling in line with CPS 234 control requirements and provides the visibility needed to identify and report material incidents.
Europe
GDPR
Requirement:
Protect EU residents’ personal data and notify supervisory authorities of breaches within 72 hours.
Salesforce risk:
A malicious file or link submitted through a Salesforce customer portal could lead to unauthorised access to personal data, triggering notification obligations — with no native alerting to tell you it happened.
How we help:
Real-time threat detection inside Salesforce means you know immediately when a threat has been blocked or when action is needed, giving your team the visibility required to assess notification obligations accurately.
DORA
Requirement:
Manage ICT risk, ensure operational resilience, oversee third-party technology providers, and report major incidents within prescribed timeframes.
Salesforce risk:
For most EU financial entities, Salesforce is a critical ICT system. Content entering via customers and third parties represents an uninspected ICT risk channel that most organisations have not formally addressed.
How we help:
Helps reduce ICT risk within Salesforce workflows, supports third-party risk obligations by inspecting partner-submitted content, and provides the incident-detection capability that DORA’s reporting requirements depend on.
For more about DORA compliance, see our blog on the subject.
We are committed to high compliance
We provide all the necessary certificates and information to reassure you and your stakeholders. Find more details in our Trust Center.

ISAE 3000 Type 2
WithSecure™ Cloud Protection for Salesforce has an ISAE 3000 Type 2 (international equivalent of SOC2 Type 2) assurance report, ensuring your data is managed securely.

ISO 27001
WithSecure™ is ISO 27001 certified, validating our rigorous data security practices. This prestigious certification confirms our adherence to the highest information standards.

EU GDPR
WithSecure™ helps organizations adhere to General Data Protection Regulation (GDPR) requirements, ensuring the secure handling of European citizens’ personal data.

SecurityScoreCard
WithSecure™ holds the highest cyber security vendor ranking from SecurityScoreCard, which evaluates companies on 10 key security factors, including remediation speed and risk mitigation.
Get a Free Demo
THE #1 SALESFORCE MALWARE PROTECTION SOLUTION
Fill the form and get:
- Free 15-day trial – test the product without limitations
- Real attack simulation and product demo
- Free customized and actionable risk assessment