WithSecure™ Cloud Protection for Salesforce
Your security stack ends where Salesforce begins
Technology companies run some of the most mature security programs in the world. The tooling is sophisticated, the teams are capable. But there is a gap that none of it was built to cover.
Salesforce sits at the center of your commercial operations, holding product-usage signals, pricing data, support-case correspondence, partner deal registrations, customer logs, and quote-to-cash records. Attackers in 2025 found that the fastest way to reach all of it was not through your perimeter. It was through the trusted integrations and OAuth tokens already connected to your Salesforce environment.

The most damaging attacks of 2025 didn’t touch the perimeter. They abused what was already trusted. Is your Salesforce environment exposed in the same way?
The dominant attack pattern in technology-sector Salesforce breaches is not brute force or phishing against your staff. It is the abuse of legitimate access to systematically export data without triggering a single alert. Think OAuth tokens from connected integrations, misconfigured partner portal permissions, and credentials harvested from support-case workflows.
- 700% increase in malicious Salesforce activity in 2025
- 98% of all detected threats are URL-based
- 39% of all impacted organizations are US-based

Get the Salesforce Threat Landscape Report 2026
Our 2026 Salesforce Threat Landscape Report, and the numbers within it, prove that technology firms cannot afford to assume the platform protects them.
Trusted by enterprises worldwide
Rolls-Royce & Partners Finance
“We know all files and links accessed by users are scanned for threats immediately and are safe. This achieves both compliance and peace of mind.”
Rolls-Royce & Partners Finance
ABN AMRO Insurances
“When we just started using WithSecure, we already had one file that was put into quarantine, which actually contained a virus.”
Roel van de Donk, Lead Product Owner
AXA Group Operations
“WithSecure Cloud Protection’s solution runs quietly in the background. It doesn’t get in the way, but it gives us the assurance that everything passing through Salesforce is safe.”
Xavier Léon, Head of Reinsurance Business Applications
Technology companies with world-class security are still being breached
The Salesloft Drift supply chain campaign of 2025 is the clearest example of what the technology sector faces. It was not a brute-force attack. It was a methodical, trusted-access operation that worked precisely because of how deeply Salesforce integrations are trusted.
Salesloft Drift supply chain campaign (2025)
Exploited a compromise in the Salesloft Drift integration to abuse OAuth tokens across Salesforce instances at technology companies that had connected the integration.
What was taken
A single Salesforce environment in the technology sector can hold product-usage signals, subscription and pricing data, support-case correspondence, customer logs, tenant attributes, partner deal registrations, and quote-to-cash records. This is what the attackers systematically targeted.
Why existing controls missed it
The attack used trusted integrations, misconfigured permissions, and unmonitored OAuth access patterns. None of the security controls that technology companies invest heavily in were positioned inside Salesforce, where the access and exfiltration happened.
The gap in your security architecture has a specific shape
OAuth and integration sprawl
The average technology company connects dozens of tools to Salesforce. Each OAuth connection is a potential attack surface. If any one of those integrations is compromised, the attacker inherits its Salesforce permissions. There is no native tooling to monitor or restrict what those tokens do once connected.

Support cases as a credential mine
Technology sector support cases routinely contain API keys, authentication tokens, log files, and configuration data shared by customers trying to diagnose issues. This content sits in Salesforce with no content inspection, no redaction, and no alerting. Attackers with access to support workflows can harvest this material systematically.

Partner portals with no content inspection
ISVs, resellers, implementation partners, and system integrators interact with your Salesforce environment through partner portals. They upload files, share links, and submit content directly into your workflows. None of it is inspected. A compromised partner account, or a malicious file submitted by a third party, enters your environment through a channel your security stack treats as trusted.

Where attackers enter your trusted Salesforce workflows
These aren’t hypothetical. They’re the everyday workflows your teams already trust:
- Sales and revenue workflows. Customer-submitted documents, pricing attachments, and proposal files move through Salesforce constantly. Files uploaded by prospects and customers arrive without content inspection.
- Support-case correspondence. Customers share logs, configuration files, and diagnostic data in Salesforce cases. API keys, credentials, and sensitive customer data sit in case attachments with no scanning and no redaction.
- Partner and reseller portals. Third-party partners upload deal registrations, contracts, and technical documentation directly into your Salesforce org. A compromised partner account or malicious file bypasses endpoint controls entirely.
- Customer self-service and community sites. Customers submit content through Experience Cloud portals with no URL inspection or file scanning. Phishing links and malicious attachments enter via channels treated as trusted by default.
- Quote-to-cash and commercial workflows. Subscription data, pricing information, and commercial intelligence are concentrated in Salesforce workflows that are high-value targets for competitive exfiltration.
- Connected integrations and OAuth applications. Every connected app carries Salesforce permissions that persist until explicitly revoked. Token abuse is silent, looks like legitimate access, and leaves no alert in your existing security tooling.
- Agentforce processing customer content. Where AI agents handle customer-submitted content in real time, they act on whatever they receive. There is no native inspection of what that content contains — including prompt injection payloads designed to manipulate agent behavior.
The missing security layer for modern Salesforce threats
Stop malicious files, URL-based attacks, identity abuse, and AI-agent risks in real-time — before they disrupt your business continuity. Trusted by Fortune 500 companies and governments around the world.
Notification windows are tight. The reputational cost is immediate
For a technology company, the fallout from a Salesforce breach is not just regulatory. It is customer trust, partner confidence, and competitive exposure, all at once. The UNC6395 campaign demonstrated that when the breach becomes public, the disclosure timeline, the scope of data affected, and the controls that were or were not in place all become part of the story.
Here is how the regulatory picture maps to the specific Salesforce risks technology companies face.
United States
SEC Cybersecurity Disclosure Rules
Requirement: Public companies must disclose material cybersecurity incidents within four business days of determining materiality, and provide annual disclosure of cybersecurity risk management, strategy, and governance.
Salesforce risk: A Salesforce breach involving commercial data, customer records, or partner information could quickly reach the materiality threshold. OAuth token abuse and integration compromises — the dominant technology-sector attack vectors — may not be detected by existing controls, delaying both the determination of materiality and the ability to scope the incident accurately.
How we help: Provides the real-time detection and audit visibility required to determine incident scope quickly, supporting the materiality assessment process and the four-day disclosure window.
FedRAMP (for technology companies selling to the US federal government)
Requirement: Technology companies with federal customers must maintain FedRAMP-aligned security controls, including continuous monitoring, incident response, and supply chain risk management for cloud services.
Salesforce risk: Salesforce workflows handling federal customer data, support cases, or partner integrations sit outside most FedRAMP-aligned architectures. Content entering via these channels is uninspected and unmonitored.
How we help: Adds the content inspection and continuous monitoring capability required to bring Salesforce workflows inside the scope of FedRAMP control requirements.
European Union
NIS2 Directive
Requirement: NIS2 reaches digital infrastructure and ICT service management providers, requiring proportionate risk management measures, supply chain security controls, and incident reporting within 24 hours of detection.
Salesforce risk: For technology companies in scope, Salesforce is a critical business system and a supply chain risk vector. The UNC6395 campaign demonstrated exactly how a compromised integration can become a supply chain incident affecting multiple organisations simultaneously. Most technology companies have not formally addressed this under NIS2.
How we help: Reduces supply chain ICT risk by inspecting content from connected integrations and third parties, and provides the detection capability that NIS2’s 24-hour reporting requirement depends on.
GDPR
Requirement: Technology companies processing EU personal data must protect it against unauthorised access and notify supervisory authorities of breaches within 72 hours.
Salesforce risk: Customer records, support-case content, and partner data in Salesforce often contain EU personal data. A breach via OAuth token abuse or a compromised integration may expose this data without any native alerting — and with no way to scope the affected records quickly.
How we help: Real-time threat detection inside Salesforce means you know immediately when unauthorised access has occurred or been blocked, giving your team the visibility needed to meet the 72-hour GDPR notification window.
Australia
Privacy Act 1988 / Notifiable Data Breaches Scheme (NDB)
Requirement: Technology companies operating in Australia and holding personal information must notify the OAIC and affected individuals of eligible data breaches as soon as practicable. IRAP assessments apply to technology companies supplying cloud services to government.
Salesforce risk: Personal data and customer records held in Salesforce are in scope for the Notifiable Data Breaches scheme. A breach via Salesforce workflows — particularly one involving OAuth token abuse — may be difficult to scope and attribute without dedicated Salesforce monitoring.
How we help: Provides the detection and audit capability needed to identify eligible data breaches within Salesforce, scope the affected records, and support timely notification to the OAIC.
United Kingdom
UK GDPR / NCSC Cyber Assessment Framework (CAF)
Requirement: Technology companies processing UK personal data must report breaches to the ICO within 72 hours. CNI-adjacent technology providers may also be assessed against the NCSC CAF, which requires proportionate security controls and supply chain risk management.
Salesforce risk: UK customer data in Salesforce — including support-case content and partner records — is in scope for UK GDPR breach notification. The supply chain risk vector demonstrated by UNC6395 is directly relevant to CAF’s supply chain requirements.
How we help: Closes the Salesforce security gap for UK GDPR compliance and supports supply chain risk management obligations under the CAF by inspecting content from connected integrations and third parties.
We are committed to high compliance
We provide all the necessary certificates and information to reassure you and your stakeholders. Find more details in our Trust Center.

ISAE 3000 Type 2
WithSecure™ Cloud Protection for Salesforce has an ISAE 3000 Type 2 (the international equivalent of SOC 2 Type 2) assurance report, ensuring your data is managed securely.

ISO 27001
WithSecure™ is ISO 27001 certified, validating our rigorous data security practices. This certification confirms our adherence to the highest information security standards.

EU GDPR
WithSecure™ helps organizations adhere to General Data Protection Regulation (GDPR) requirements, ensuring the secure handling of European citizens’ personal data.

SecurityScorecard
WithSecure™ holds the highest cyber security vendor ranking from SecurityScorecard, which evaluates companies on 10 key security factors, including remediation speed and risk mitigation.
Get a Free Demo
THE #1 SALESFORCE MALWARE PROTECTION SOLUTION
Fill in the form and get:
- Free 15-day trial – test the product without limitations
- Real attack simulation and product demo
- Free customized and actionable risk assessment
